I'm working on a encryption functionality based on classes inherited from SymmetricAlgorithm such as TripleDes, DES, etc.
Basically there're two options to generate consistent key and IV for my algorithm class, PasswordDeriveBytes
and Rfc2898DeriveBytes
, both inherit from DeriveBytes abstract class.
The PasswordDeriveBytes.GetBytes()
method is marked as obsolete in .NET framework while Rfc2898DeriveBytes.GetBytes() is recommended, as it matches the PBKDF2 standard. However, based on my testing, calling the same GetBytes()
method in Rfc2898DeriveBytes class is almost 15 times slower than that in PasswordDeriveBytes
class, which leads to unexpected CPU usage (always higher than 50%).
Here're some testing data:
- Iterations: 100
- Algorithm type: DES
- Original Text: "I'm a test key, encrypt me please"
- Time:
- PasswordDeriveBytes: 99ms
- Rfc2898DeriveBytes: 1,373ms
Based on the testing, the bad performance of Rfc2898DeriveBytes
is not acceptable in production environment.
Has anyone noticed this problem before? Any solution I can still use a standard one without hitting the performance? Any risk to use an obsolete method (could be removed in future version)?
Thanks guys!
Edit:
Probably I found where the problem is... The default iteration count number for PasswordDeriveBytes
is 100, while for Rfc2898DeriveBytes
is 1000. After I changed them to the same number as 1000, executing Rfc2898DeriveBytes
is only double time.
This blogpost talks about the differences between the two: http://blogs.msdn.com/shawnfa/archive/2004/04/14/generating-a-key-from-a-password.aspx