Releases: BcryptNet/bcrypt.net
2.1.4
- Enhanced entropy defaults to Legacy384, which is essentially the way it operated prior to this version anyway; this will be maintained for v2.
- Default rounds raised to 11 (in keeping with other frameworks/languages)
- Add target for 4.7.2
- Reduce regex timeout from 300ms to 30ms
Minor release - Framework updates & development changes
- Netstandard v2
- Correct typos
- Documentation updates (mostly typo related)
- Csproj changes.
Deployment made for typos/netstandard.
v2.1.1 - Minor metadata-patch
Fixes & Features Release
- Adds enhanced mode; enhanced hashing allows you to opt in to ensuring optimal entropy on your users' passwords by first passing the password through the fast SHA384 algorithm before BCrypt hashes it.
- Added Hash interrogation to allow a hash to be passed in and its component parts be returned.
- Added timeouts to the regex, and set msbuild compiler flags so that on targets below .NET 4.5 (where regex timeouts were introduced) the old regex method is used.
- Alter safe equals from ceq/and to xor/and/ceq, moving the check outside of the loop to mitigate against branch prediction causing a timing leak
- Add new method PasswordNeedsRehash(string hash, int newMinimumWorkLoad) as a helper method for developers to use when logging a user in, to increase legacy workloads
- Add ValidateAndReplacePassword method to allow inline password validation and replacement. Throws BcryptAuthenticationException in the event of authentication failure.
- Cleaned up xml-doc for intellisense
- Increased compatibility by allowing BCrypt revisions from other frameworks/languages to be validated and generated whilst maintaining compatibility.
- VS2017 RTW changes
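The two helpers above are meant to be called from a login and a password-change path. The following is an added example (not code from the bcrypt.net project) showing that flow: verify the password, upgrade a hash whose work factor is below the application's current minimum, and change a password in one validated step. It assumes the static class BCrypt.Net.BCrypt with Verify(text, hash) and HashPassword(text, workFactor) as found in the package, the ValidateAndReplacePassword(currentKey, currentHash, newKey) argument order, and a hypothetical UserRecord type standing in for your user store.

```csharp
using System;
using BCrypt.Net; // bcrypt.net NuGet package; BcryptAuthenticationException lives here

// Hypothetical user record; a real application loads and persists this itself.
public class UserRecord
{
    public string Username { get; set; }
    public string PasswordHash { get; set; }
}

public static class LoginFlow
{
    // Minimum work factor the application now requires. Hashes stored with a
    // lower cost are upgraded the next time the user authenticates successfully.
    private const int RequiredWorkFactor = 11;

    // Returns true on successful authentication. If the stored hash is below the
    // required work factor it is replaced with a stronger one while the plaintext
    // is legitimately available.
    public static bool Authenticate(UserRecord user, string suppliedPassword)
    {
        if (!BCrypt.Net.BCrypt.Verify(suppliedPassword, user.PasswordHash))
            return false;

        if (BCrypt.Net.BCrypt.PasswordNeedsRehash(user.PasswordHash, RequiredWorkFactor))
        {
            // The password is already known to be correct, so rehash at the new cost.
            user.PasswordHash = BCrypt.Net.BCrypt.HashPassword(suppliedPassword, RequiredWorkFactor);
            // ... persist user.PasswordHash to the user store here
        }
        return true;
    }

    // Password change: validates the current password and produces the new hash
    // in one call. A wrong current password raises BcryptAuthenticationException.
    public static void ChangePassword(UserRecord user, string currentPassword, string newPassword)
    {
        try
        {
            // Assumed argument order: (currentKey, currentHash, newKey).
            user.PasswordHash = BCrypt.Net.BCrypt.ValidateAndReplacePassword(
                currentPassword, user.PasswordHash, newPassword);
            // ... persist user.PasswordHash to the user store here
        }
        catch (BcryptAuthenticationException)
        {
            // Surface a generic failure; do not leak which step rejected the request.
            throw new InvalidOperationException("Password change rejected.");
        }
    }

    public static void Main()
    {
        // Constructed sample: a user whose hash was created at an older, cheaper cost (10).
        var user = new UserRecord
        {
            Username = "alice",
            PasswordHash = BCrypt.Net.BCrypt.HashPassword("correct horse battery staple", 10)
        };
        string before = user.PasswordHash;

        Console.WriteLine(Authenticate(user, "wrong password"));
        Console.WriteLine(Authenticate(user, "correct horse battery staple"));
        // After a successful login the stored hash has been upgraded to cost 11.
        Console.WriteLine(user.PasswordHash != before);

        ChangePassword(user, "correct horse battery staple", "a different passphrase");
        Console.WriteLine(Authenticate(user, "a different passphrase"));
    }
}
```

Rehashing only inside a successful Authenticate call is the important design point: the work factor can be raised across the user base without a forced reset, and the new hash is never computed from an unverified input.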
Patch and Tidy
- Corrects usage of Secure random number generator
- Change UTF8 handling to safer default (throwOnInvalidBytes: true)
- The .NET Encoding.UTF8 instance does not raise exceptions when given bytes that do not form a valid encoding; it returns the same 'unknown' replacement character instead. This can cause entropy loss when converting from bytes to strings.
- Change secure equals to match .net identity implementation
- Inline vars in encipher method
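To make the entropy-loss point concrete, here is an added example (not bcrypt.net's own code) that decodes two different malformed byte sequences with the lenient Encoding.UTF8 instance and with a strict UTF8Encoding constructed with throwOnInvalidBytes: true. The byte arrays are constructed samples; the only API used is System.Text from the base class library.

```csharp
using System;
using System.Text;

public static class Utf8Handling
{
    // Strict decoder: throws on malformed input instead of substituting U+FFFD.
    // Constructor is UTF8Encoding(encoderShouldEmitUTF8Identifier, throwOnInvalidBytes).
    private static readonly Encoding StrictUtf8 = new UTF8Encoding(false, true);

    // Lenient default: every invalid sequence collapses to the same replacement
    // character, so distinct inputs can decode to identical strings.
    public static string DecodeLenient(byte[] bytes) => Encoding.UTF8.GetString(bytes);

    // Strict decoding; returns null when the input is not valid UTF-8.
    public static string DecodeStrictOrNull(byte[] bytes)
    {
        try { return StrictUtf8.GetString(bytes); }
        catch (DecoderFallbackException) { return null; }
    }

    public static void Main()
    {
        // Constructed samples: 0xC3 0x28 is a truncated two-byte sequence,
        // 0xFF is never valid in UTF-8. Both sit between 'a' and '('.
        byte[] broken1 = { 0x61, 0xC3, 0x28 };
        byte[] broken2 = { 0x61, 0xFF, 0x28 };

        // With the lenient decoder the two inputs become indistinguishable,
        // which is the entropy loss the notes describe.
        Console.WriteLine(DecodeLenient(broken1) == DecodeLenient(broken2));

        // The strict decoder refuses both rather than silently rewriting them.
        Console.WriteLine(DecodeStrictOrNull(broken1) == null);
        Console.WriteLine(DecodeStrictOrNull(broken2) == null);

        // Well-formed input round-trips through either decoder unchanged.
        byte[] ok = Encoding.UTF8.GetBytes("pässwörd");
        Console.WriteLine(DecodeStrictOrNull(ok) == "pässwörd");
    }
}
```

The practical consequence for a password library is that a lenient decoder can map several different byte inputs onto one string before hashing; failing loudly on invalid bytes keeps the input space as large as the caller supplied.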
initial fresh release
Fresh release packaged for the majority of .net & containing safe-equals to reduce the risks from timing attacks https://en.wikipedia.org/wiki/Timing_attack / https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time
Technically, the implementation details of BCrypt theoretically mitigate against timing attacks. But the Bcrypt.net official validation function was vulnerable to timing attacks, as it returned as soon as a non-matching byte was found in the hash comparison.
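The comparison change described here and in the "Fixes & Features" notes above (moving the equality check outside the loop) is illustrated by the following added example, which is not the library's own implementation: an early-exit comparison of the kind described as vulnerable, next to the common constant-time form that XORs each byte pair and ORs the result into an accumulator so the loop body contains no data-dependent branch. The hash strings are constructed samples, not real BCrypt output.

```csharp
using System;
using System.Text;

public static class SafeEquals
{
    // The pattern the notes describe as vulnerable: returns at the first
    // mismatching byte, so elapsed time reveals how many leading bytes agreed.
    public static bool EarlyExitEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
        {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Constant-time form: XOR each byte pair, OR the result into an accumulator,
    // and perform the single equality check once, after the loop. The amount of
    // work is the same whether the inputs differ in the first byte or the last.
    public static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample "hashes", compared as the UTF-8 bytes a library would compare.
        byte[] stored   = Encoding.UTF8.GetBytes("$2a$11$" + new string('A', 53));
        byte[] same     = Encoding.UTF8.GetBytes("$2a$11$" + new string('A', 53));
        byte[] lastDiff = Encoding.UTF8.GetBytes("$2a$11$" + new string('A', 52) + "B");
        byte[] tooShort = Encoding.UTF8.GetBytes("$2a$11$");

        Console.WriteLine(ConstantTimeEquals(stored, same));
        Console.WriteLine(ConstantTimeEquals(stored, lastDiff));
        Console.WriteLine(ConstantTimeEquals(stored, tooShort));
        // Same answers as the early-exit version; only the timing profile differs.
        Console.WriteLine(EarlyExitEquals(stored, lastDiff) == ConstantTimeEquals(stored, lastDiff));
    }
}
```

The length check at the top is acceptable because hash length is not secret; what must not leak is the position of the first differing byte, and the accumulator form removes that dependency.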