bcrypt.net

BCrypt.Net - Bringing updates to the original bcrypt package

MIT License

Stars
825
Committers
15


bcrypt.net - .net 6 Latest Release

Published by ChrisMcKee over 2 years ago

What's Changed

New Contributors

Full Changelog: https://github.com/BcryptNet/bcrypt.net/compare/4.0.2...4.0.3

bcrypt.net - .net 5

Published by ChrisMcKee almost 4 years ago

  • Adds .net 5 target
  • Sets using/dispose pattern on shaxxx usage in enhanced entropy version

bcrypt.net - Enhanced Hashing Interop fix (without compatibility methods in 3.5)

Published by ChrisMcKee over 4 years ago

v4.0.0 (breaking changes) - A bug in Enhanced Hashing was discovered that causes the hashes created to be inoperable between different languages.
V4 provides the fix for this as well as adding test vectors from PHP and Python to ensure the issue remains fixed in the future. V4 also removes the legacy 384 option that came before Base64 was added.

bcrypt.net - Enhanced Hashing Compatibility Migration Release

Published by ChrisMcKee over 4 years ago

v3.5.0 - A bug in Enhanced Hashing was discovered that causes the hashes created to be inoperable between different languages.
As part of the fix, in the 3.5 release Verify and HashPassword were given an additional v4CompatibleEnhancedEntropy parameter.
This allows the user to verify their Enhanced hash as normal; then re-hash + store using V4. This functionality is purely to allow migration and is removed in V4.

bcrypt.net - Performance (heap reduction) for netcore and removal of regex

Published by ChrisMcKee over 4 years ago

Performance (heap reduction) and removal of regex

  • Heap-usage reduction in netstandard 2+ by switching key calls to span and altering array use in encoding.
  • Removes regex dependency and changes hash parser to custom parser
  • Addition of benchmarking projects
  • Adds dependency on System.Memory for netstandard2.0|net452|net462|net472

Big thanks to Jos Vandertil (@jvandertil) for the help.

bcrypt.net - Minor Release

Published by ChrisMcKee over 5 years ago

Resolves https://github.com/BcryptNet/bcrypt.net/issues/25
Added serializable attribute to exception types

bcrypt.net - Fixes accidental change to origin vector

Published by ChrisMcKee almost 6 years ago

If you updated to 3.1.1 (now delisted), any credentials created using 3.1.1 will need resetting.

Test run
https://ci.appveyor.com/project/ChrisMcKee/bcrypt-net/build/tests

bcrypt.net - BROKEN Minor-Release xml-doc corrections / package signing

Published by ChrisMcKee almost 6 years ago

BROKEN, DON'T USE

bcrypt.net - v3.1.0 Enhanced Verification Changes / Fix

Published by ChrisMcKee over 6 years ago

  • Adds HashType to EnhancedVerify and Verify.
  • Reorganises main signature of ValidateAndReplacePassword to oldkey params / new key params and a simplified overload for basic replace (non enhanced).
  • Adds tests.
  • Stops EnhancedHashPassword being used with HashType.None

bcrypt.net -

Published by ChrisMcKee over 6 years ago

  • Enhanced entropy defaults to SHA384 which is base64 encoded.
  • You can change the hmac choice to (SHA256, SHA384, SHA512), which are all base64 encoded, or Legacy384, which is SHA384 sans base64 encoding.
  • HashString marked obsolete; time for it to go as it's nothing but a pointer to HashPassword.

bcrypt.net -

Published by ChrisMcKee over 6 years ago

  • Enhanced entropy defaults to Legacy384, which is basically the way it operated prior to this version anyway; this will be maintained for v2.
  • Default rounds raised to 11 (in keeping with other frameworks/languages)
  • Add target for 4.7.2
  • Reduce regex timeout to 30ms from 300

bcrypt.net - Minor release - Framework updates & development changes

Published by ChrisMcKee over 6 years ago

https://github.com/BcryptNet/bcrypt.net/compare/2.1.1...62a57cd

  • Netstandard v2
  • Correct typos
  • Documentation updates (mostly typo related)
  • Csproj changes.

Deployment made for typos/netstandard.

bcrypt.net - v2.1.1 - Minor metadata-patch

Published by ChrisMcKee over 7 years ago

bcrypt.net - Fixes & Features Release

Published by ChrisMcKee over 7 years ago

  • Adds enhanced mode; enhanced hashing allows you to opt in to ensuring optimal entropy on your users' passwords by first making use of the fast SHA384 algorithm before BCrypt hashes the password.
  • Added Hash interrogation to allow a hash to be passed in and its component parts be returned.
  • Added timeouts to regex and set compiler flags for msbuild so that below .NET 4.5 (where timeouts were added to regex) the old regex method is used.
  • Alter safe equals from ceq/and to xor/and/ceq moving the check outside of the loop to mitigate against branch prediction causing a timing leak
  • Add new method PasswordNeedsRehash(string hash, int newMinimumWorkLoad) as a helper method for developers to use when logging a user in to increase legacy workloads
  • Add ValidateAndReplacePassword method to allow inline password validation and replacement. Throws BcryptAuthenticationException in the event of authentication failure.
  • Cleaned up xml-doc for intellisense
  • Increased compatibility by allowing BCrypt revisions from other frameworks/languages to be validated and generated whilst maintaining compatibility.
  • VS2017 RTW changes

bcrypt.net - Patch and Tidy

Published by ChrisMcKee about 8 years ago

  • Corrects usage of Secure random number generator
  • Change UTF8 handling to safer default (throwOnInvalidBytes: true)
    • The .NET Encoding.UTF8 instance does not raise exceptions when it is given bytes which cannot represent a valid encoding, and returns the same 'unknown' character instead. This can cause entropy loss when converting from bytes to strings.
  • Change secure equals to match .net identity implementation
  • Inline vars in encipher method
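
The entropy loss behind the UTF8 change above, shown as an added example (not BCrypt.Net's own code; the class name and the sample inputs are constructed for illustration). It compares the default Encoding.UTF8 instance with a UTF8Encoding created with throwOnInvalidBytes: true, in both the decode and the encode direction.

```csharp
using System;
using System.Linq;
using System.Text;

static class Utf8StrictDemo // hypothetical name, not part of BCrypt.Net
{
    static void Main()
    {
        // Constructed inputs: two different byte strings, each ending in a
        // byte that can never appear in well-formed UTF-8.
        byte[] rawA = { 0x70, 0x77, 0xFF };
        byte[] rawB = { 0x70, 0x77, 0xFE };

        // Default instance: each invalid byte is replaced by U+FFFD, so two
        // different inputs decode to the same string.
        string decodedA = Encoding.UTF8.GetString(rawA);
        string decodedB = Encoding.UTF8.GetString(rawB);
        Console.WriteLine("lenient decode collides: " + (decodedA == decodedB));

        // The same replacement happens on encode: a lone surrogate cannot be
        // written as UTF-8, so two different strings yield identical bytes.
        string pwA = "pw\uD800";
        string pwB = "pw\uD801";
        byte[] encodedA = Encoding.UTF8.GetBytes(pwA);
        byte[] encodedB = Encoding.UTF8.GetBytes(pwB);
        Console.WriteLine("lenient encode collides: " + encodedA.SequenceEqual(encodedB));

        // Strict instance: the invalid input is rejected instead of being
        // silently mapped to the replacement character.
        var strict = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false,
                                      throwOnInvalidBytes: true);
        try { strict.GetString(rawA); }
        catch (DecoderFallbackException)
        {
            Console.WriteLine("strict decode rejected the invalid bytes");
        }

        try { strict.GetBytes(pwA); }
        catch (EncoderFallbackException)
        {
            Console.WriteLine("strict encode rejected the lone surrogate");
        }
    }
}
```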

bcrypt.net - initial fresh release

Published by ChrisMcKee about 8 years ago

Fresh release packaged for the majority of .net & containing safe-equals to reduce the risks from timing attacks https://en.wikipedia.org/wiki/Timing_attack / https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time
Technically the implementation details of BCrypt theoretically mitigate against timing attacks. But the Bcrypt.net official validation function was vulnerable to timing attacks as it returned as soon as a non-matching byte was found in the hash comparison.

https://www.nuget.org/packages/BCrypt.Net-Next/2.0.0
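
The two comparison shapes mentioned in these notes (the early return in the original validation function, and the later accumulate-then-check-once form), as an added example that is not the library's implementation. The class and method names are hypothetical and the hash strings are constructed placeholders, not real bcrypt output.

```csharp
using System;
using System.Runtime.CompilerServices;

static class SafeEqualsDemo // hypothetical name, not part of BCrypt.Net
{
    // "Before" shape: returns at the first mismatch, so the run time
    // reveals how many leading characters of the two hashes agree.
    static bool EarlyExitEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    // "After" shape: XOR each pair, fold the result into an accumulator and
    // compare once after the loop, so no branch depends on the contents.
    // Only the length can influence the loop, and a bcrypt hash string has
    // a fixed, public length of 60 characters.
    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
    static bool FixedTimeEquals(string a, string b)
    {
        uint diff = (uint)a.Length ^ (uint)b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= (uint)(a[i] ^ b[i]);
        return diff == 0;
    }

    static void Main()
    {
        // Constructed stand-ins for a stored hash and recomputed hashes.
        string stored   = "$2a$11$" + new string('A', 53);
        string firstOff = "$2a$11$" + "B" + new string('A', 52);
        string lastOff  = "$2a$11$" + new string('A', 52) + "B";

        // Both functions agree on every outcome; they differ only in
        // whether the position of the mismatch affects the work done.
        foreach (string candidate in new[] { stored, firstOff, lastOff })
        {
            Console.WriteLine("early-exit={0} fixed-time={1}",
                EarlyExitEquals(stored, candidate),
                FixedTimeEquals(stored, candidate));
        }
    }
}
```

On .NET Core 2.1 and later, CryptographicOperations.FixedTimeEquals in System.Security.Cryptography offers a built-in comparison of this kind over byte spans.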