With PowerShell we can encrypt a password with our own encryption key. In this case, we will generate either a 128-bit or 256-bit key from PBKDF2 and encrypt a secure string.
Encrypt Password using PBKDF2 and PowerShell
PBKDF2 is used in WPA-2 and TrueCrypt. Its main purpose is to produce a hashed version of a password, and it includes a salt to reduce the opportunity for a rainbow table attack. It generally uses over 1,000 iterations in order to slow down the creation of the hash, so that brute-force attacks become more expensive. The general form of PBKDF2 is:
DK = PBKDF2(Password, Salt, Miterations, dkLen)
where Password is the passphrase, Salt is the salt, Miterations is the number of iterations, and dkLen is the length of the derived key.
WPA-2
The IEEE 802.11i standard defines that the pre-shared key is defined by:
PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)
Explanation
In TrueCrypt, PBKDF2 (with a salt) generates the key that decrypts the volume header, which in turn reveals the keys that have been used to encrypt the disk (using AES, 3DES or Twofish):
We use:
byte[] result = passwordDerive.GenerateDerivedKey(16, ASCIIEncoding.UTF8.GetBytes(message), salt, 1000);
which has a key length of 16 bytes (128 bits, dkLen), uses a salt byte array, and 1,000 iterations of the hash (Miterations). You should find that the resulting key value has 32 hexadecimal characters (16 bytes).
Coding
The following is the code (it takes the password, salt, iteration count, hash method and key size in bytes as command-line arguments, and needs PowerShell 7 on .NET 6 or later for Rfc2898DeriveBytes.Pbkdf2, Convert.ToHexString and ConvertFrom-SecureString -AsPlainText):
# Command-line arguments: password, salt, iterations, hash method (e.g. SHA256), key size in bytes (16 = 128 bits, 32 = 256 bits)
$password = $Args[0]
$salt = $Args[1]
$iterations = [int]$Args[2]
$hash = $Args[3]
$size = [int]$Args[4]

# Derive the key with PBKDF2: DK = PBKDF2(Password, Salt, Miterations, dkLen)
$saltBytes = [Text.Encoding]::UTF8.GetBytes($salt)
$keyder = [Security.Cryptography.Rfc2898DeriveBytes]::Pbkdf2($password, $saltBytes, $iterations, $hash, $size)

"Password: " + $password
"Salt: " + $salt
"Iterations: " + $iterations
"Hash method: " + $hash
"Size: " + $size
"`nKey derivation (Hex): " + [System.Convert]::ToHexString($keyder)
"Key derivation (Base64): " + [System.Convert]::ToBase64String($keyder)

# Turn the password into a secure string, then encrypt it under the derived key
# (ConvertFrom-SecureString -Key uses AES and accepts a 16-, 24- or 32-byte key)
$SecureString = ConvertTo-SecureString -String $password -AsPlainText -Force
$SecureStringVal = ConvertFrom-SecureString -SecureString $SecureString
$EncryptedPW = ConvertFrom-SecureString $SecureString -Key $keyder
"Secure string: " + $SecureStringVal
"Encrypted password: " + $EncryptedPW

# Decrypt with the same derived key and recover the plaintext
$EncryptedPW1 = ConvertTo-SecureString -String $EncryptedPW -Key $keyder
$pass = ConvertFrom-SecureString -SecureString $EncryptedPW1 -AsPlainText
"Decrypted Password: " + $pass
A sample run shows:
Password: qwerty
Salt: test
Iterations: 500
Hash method: SHA256
Size: 32

Key derivation (Hex): 21B10ED2B006D1F0826B4A2E3A16841D614ACCE155F77FFA2B17A0C1E48F92D8
Key derivation (Base64): IbEO0rAG0fCCa0ouOhaEHWFKzOFV93/6KxegweSPktg=
Secure string: 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d1632283ab62d548af37fa9aaf5e7d3e00000000020000000000106600000001000020000000531ee2f83b547fd5f7642bbc603de980a4969233f79a1f1869d0122de390b158000000000e8000000002000020000000df47b0ca5242c289bdb75696dedeb549c58eb3c1fb2327693b4ddccd04791c7710000000203bda1f0b836e647640b5d6619b3b2040000000b76dd6a773c15ce9378c2451559ad5532cef403336511702b29be4d6433d17bb77fcf30d1ce50f9855e86ee175aeb1769b1cbd82142f648de1bf5e1b0c19f2ee
Encrypted password: 76492d1116743f0423413b16050a5345MgB8AEwAZQBaAHoAYwBrAG8AWQByAGQAMgBZAGcAbwBHAG8ARgA5AEgASgB6AFEAPQA9AHwAMgA0ADIAYQBmADIAOQBkAGQAMAAwADIANgBmAGIAMQBmADkAMQA0AGEAMwBmADAAZABhADYANwA5AGUAOABkAA==
Decrypted Password: qwerty
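To show what Rfc2898DeriveBytes.Pbkdf2 computes in the script above, here is an added Python example (not from the original page) that implements the general form DK = PBKDF2(Password, Salt, Miterations, dkLen) from HMAC alone, including the multi-block case when dkLen exceeds the hash length, and then instantiates it as the WPA-2 PSK formula (HMAC-SHA1, 4096 iterations, 256 bits) and as the page's UTF-8 password/salt derivation. The function names pbkdf2, wpa2_psk, derive_key and matches_stdlib are my own; hashlib.pbkdf2_hmac is only used as a cross-check.

```python
import hashlib
import hmac
import struct


def pbkdf2(password: bytes, salt: bytes, iterations: int, hash_name: str, dk_len: int) -> bytes:
    """DK = PBKDF2(Password, Salt, Miterations, dkLen) with PRF = HMAC-<hash_name>.

    Block T_i = U_1 xor U_2 xor ... xor U_c, where U_1 = PRF(P, S || INT(i))
    and U_j = PRF(P, U_{j-1}); blocks T_1 || T_2 || ... are concatenated and
    truncated to dk_len bytes (RFC 8018, section 5.2).
    """
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dkLen must be positive")
    h_len = hashlib.new(hash_name).digest_size
    blocks = -(-dk_len // h_len)  # ceil(dkLen / hLen)
    out = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dk_len])


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(PassPhrase, ssid, 4096, 256 bits) as in IEEE 802.11i,
    which fixes the PRF to HMAC-SHA1 and the key length to 32 bytes."""
    return pbkdf2(passphrase.encode("ascii"), ssid.encode("ascii"), 4096, "sha1", 32)


def derive_key(password: str, salt: str, iterations: int, hash_name: str, size: int) -> str:
    """Same inputs as the PowerShell script: UTF-8 password and salt, and a
    hex-encoded key of `size` bytes (16 = 128-bit, 32 = 256-bit)."""
    dk = pbkdf2(password.encode("utf-8"), salt.encode("utf-8"), iterations, hash_name, size)
    return dk.hex().upper()


def matches_stdlib(password: bytes, salt: bytes, iterations: int, hash_name: str, dk_len: int) -> bool:
    """Cross-check the hand-written derivation against hashlib.pbkdf2_hmac."""
    return pbkdf2(password, salt, iterations, hash_name, dk_len) == hashlib.pbkdf2_hmac(
        hash_name, password, salt, iterations, dk_len)


if __name__ == "__main__":
    # The page's sample run: qwerty / test / 500 iterations / SHA256 / 32 bytes
    print(derive_key("qwerty", "test", 500, "sha256", 32))
```

Run with the page's sample arguments it prints the same hex key as the sample run above, since both sides compute PBKDF2-HMAC-SHA256 over the UTF-8 bytes of "qwerty" and "test".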