Reputation: 11125
I initially scavenged (Google, SO, Bing) for working code showing how to encrypt and decrypt passwords using the AES algorithm available in .NET using C#. My doubts arise from these two posts:
http://yossi-yakubov.blogspot.in/2010/07/aes-encryption-using-c-short-way.html
http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndaelmanaged.aspx
In #1 he shows that everything could be done using the CryptoTransform, but the MSDN page sample shows use of complex streams.
Do I need to do that?
What benefits do I have with one over the other?
Could someone clarify which is the best code I need to follow, and any caveats in other methods?
Adding to the confusion, this post talks about salts in encryption; now I am totally lost. Why should salts be present in encryption rather than HASHING?
Upvotes: 0
Views: 552
Reputation: 23721
Both approaches work, but I would say that the method used in the first of your links is best for "small" amounts of data, where the data can fit reasonably within the input byte[] (e.g. keys, passwords etc.).
The method from the second link is better suited to "large" amounts of data, where loading the entire input into memory may be infeasible, and a streaming approach is more suitable (e.g. encrypting a file or data on a network stream).
Given your needs, the method from the first link is probably appropriate.
As for the mention of a salt in your final link, this is only being used to seed PasswordDeriveBytes, and is not directly related to the AES algorithm itself.
It is worth mentioning however that there is a "salt" of sorts for AES as well in the form of the IV (initialization vector). This is simply random data (which should be different every time), that can be stored alongside the ciphertext, and ensures that even when encrypting the same data multiple times, the output is different.
With this in mind, the method shown in the final link should not be used, as it appears to produce the same output every time, because both the key and the IV are generated entirely from the password entered, whereas the IV should instead be random bytes.
Upvotes: 3