Preferred BCrypt.Net implementation
There are a few different ports of BCrypt.net out there and it's very hard to tell which is the "best".

Has anyone taken the time to review them and come to any conclusion as to which project to patronize? I'm most interested in which has the most active community of developers. Of course feature set, effectiveness, simplicity and documentation are nice too :)

Here is the list of BCrypt.Net implementations I was able to track down:

Derek Slager

As far as I can tell, this is the first port and has not been updated in a while. Version 0.1

Google Code

The user posted Derek Slager's copy to google code and made some improvements. Version 0.3

NuGet

Visual Studio's only NuGet version; it's a compiled copy with no source, so I can't know anything about it for sure. It does appear to support a new function only available in the Version 0.3 Google Code edition. It lists no support site, I can't tell if it's open source, and it has no attribution of any kind (a bit sketchy). Version 1.0, 213 downloads.

Code Plex

This seems to be a completely independent port with no relation to Derek Slager's port. It appears to have some semi-regular updates. Version R5, 140 downloads.

Is this list complete? Is there any reason to pick one over the other?

Jeffjeffcoat answered 8/4, 2011 at 20:39
4

Initially reviewed these in Feb 2013, updated with info from the comments by Justin and Coulton, and to reflect my current use.

The more recent of these appear to be secure, or at least "without known bugs". (There are other weaknesses in bcrypt but they are algorithmic rather than code-related. I assume that if you are using bcrypt you already know about those.)

The libraries listed in the question are all based on the jBCrypt code (except maybe CryptSharp, no idea there), which received bug fixes in Feb 2010 to fix the "weak entropy" security advisory. (http://www.mindrot.org/files/jBCrypt/internat.adv)

Breakdown:

  • The Codeplex port of BCrypt was started in late 2010 (checking in Dec), and was updated to more recent sources in 2013. It is almost certainly safe, and available on NuGet (https://www.nuget.org/packages/BCrypt-Official/).
  • CryptSharp (http://www.zer7.com/software/cryptsharp) is a living, supported project that looks very well done, but I have not evaluated it in depth. Definitely worth checking out. Also available on NuGet (http://www.nuget.org/packages/CryptSharpOfficial/).
  • The Google Code version changelog indicates that it incorporates the Feb 2010 `jBCrypt` bug fixes. But that's kind of ancient and dead.
  • Derek Slager's 2007 port probably does **not** have these fixes, I think you should avoid it.

Rough timeline, based on the revision control change logs:

  1. Derek Slager made a port of jBCrypt in 2007
  2. This was imported into Google Code and updated somewhat in Oct 2010.
  3. The Codeplex code by Ryan D. Emerle started with a later version of jBCrypt as its source (late 2010). This import is dated *after* the last change to Google Code's version. This was updated to the latest source in Nov 2013.
  4. CryptSharp was initially released in Nov 2010, with regular releases through the present (Dec 2014). Written from scratch??

I am currently using the Codeplex version, as it appears to be maintained, and comes up early in the Google search results.

On the 2011 crypt_blowfish bug: (j)BCrypt.net is a stand-alone implementation of the algorithm, and does not depend on the unix crypt_blowfish library. So it should not be affected at all. It's overdue for a rewrite to support $2y$ format, though.

Superincumbent answered 14/2, 2013 at 23:17

Comments:

Gine: The implementation on CodePlex is also hosted on NuGet since June 2011, and was updated to the latest source in Nov 2013.

Anticathexis: I'd check out CryptSharp... it looks as though it's up to date and has compatibility with $2y$ hashes and also backwards compatibility with the older versions to simulate the known bug in Blowfish.
2

Unfortunately, as of 2012 Oct 4, I'd say none of the algorithms listed above is sufficient. Per this article (http://en.wikipedia.org/wiki/Crypt_(Unix)), there was a flaw discovered in the algorithm in 2011. A correct bcrypt hash should now begin with $2y$ instead of $2a$. I am still looking for an algorithm myself.

Fontenot answered 4/10, 2012 at 19:2

Comments:

Jeffjeffcoat: Thanks @Rob Kraft, this is exactly why I love SO: answers get updated. Please let me know if you find a better implementation.

Anticathexis: I found this NuGet library: CryptSharp, and it certainly appears to be able to verify hashes starting with $2y$.

Fontenot: I blogged about the implementation I found and used here: csharpdeveloper.wordpress.com/2012/10/09/…
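As an added example (not code from any of the answers, nor from the libraries they discuss), the following Python script parses the modular-crypt-format string that any bcrypt library produces and flags stored entries an application should regenerate at the user's next successful login: those whose version tag is not one of $2a$, $2b$ or $2y$ (for instance $2x$, which marks output of the buggy 2011 crypt_blowfish mentioned in the answers above) and those whose cost is below a chosen policy. It serves both the $2y$ discussion in this answer and the note about $2y$ format support in the earlier answer. The accepted-version list, the minimum cost of 12, and the sample salt and digest strings are assumptions constructed for the example; Python is used as a library-independent check of what a .NET port actually writes to the database, not as a replacement for the C# libraries under discussion.

```python
import re

# Modular-crypt-format layout of a bcrypt hash string:
#   $<version>$<cost>$<22-char salt><31-char digest>
# The salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9),
# which differs from the standard base64 alphabet.
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)"          # $2$, $2a$, $2b$, $2x$ or $2y$
    r"\$(?P<cost>\d{2})"                 # two-digit cost (log2 of the rounds)
    r"\$(?P<salt>[./A-Za-z0-9]{22})"     # 128-bit salt, 22 chars
    r"(?P<digest>[./A-Za-z0-9]{31})$"    # 184-bit digest, 31 chars
)

# Assumed deployment policy: accept $2a$ (jBCrypt and the .NET ports in the
# question), $2y$ (fixed crypt_blowfish) and $2b$ (OpenBSD's later revision).
# $2x$ explicitly marks hashes produced by the buggy 2011 crypt_blowfish, and
# the original $2$ is obsolete, so neither is accepted here.
ACCEPTED_VERSIONS = ("2a", "2b", "2y")


def parse_bcrypt(hash_str):
    """Split a bcrypt hash string into its fields; raise ValueError if malformed."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt-format string")
    cost = int(m.group("cost"))
    # bcrypt defines the cost as 4..31; anything else is corrupt or hostile input
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {
        "version": m.group("version"),
        "cost": cost,
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def is_bcrypt_hash(hash_str):
    """True when hash_str is a syntactically valid bcrypt string."""
    try:
        parse_bcrypt(hash_str)
    except (ValueError, TypeError):
        return False
    return True


def needs_rehash(hash_str, min_cost=12, accepted=ACCEPTED_VERSIONS):
    """Decide whether a stored hash should be regenerated at next successful login.

    Returns True if the version tag is not one the deployment accepts (e.g. a
    $2x$ hash or the obsolete $2$) or if the cost is below the current policy.
    """
    fields = parse_bcrypt(hash_str)
    return fields["version"] not in accepted or fields["cost"] < min_cost


# Constructed sample values (not real hashes of any password): the salt and
# digest are filler drawn from the bcrypt alphabet at the correct lengths.
SAMPLE_SALT = "abcdefghijklmnopqrstuv"              # 22 chars
SAMPLE_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"   # 31 chars


def audit(hashes, min_cost=12):
    """Bucket a list of stored hashes into ok / rehash / malformed."""
    report = {"ok": [], "rehash": [], "malformed": []}
    for h in hashes:
        if not is_bcrypt_hash(h):
            report["malformed"].append(h)
        elif needs_rehash(h, min_cost=min_cost):
            report["rehash"].append(h)
        else:
            report["ok"].append(h)
    return report


if __name__ == "__main__":
    # Constructed sample column, as an old .NET port and a migration might leave it
    stored = [
        "$2a$10$" + SAMPLE_SALT + SAMPLE_DIGEST,   # older port output, cost 10
        "$2y$12$" + SAMPLE_SALT + SAMPLE_DIGEST,   # current format, cost 12
        "$2x$12$" + SAMPLE_SALT + SAMPLE_DIGEST,   # flagged buggy crypt_blowfish
        "$2y$03$" + SAMPLE_SALT + SAMPLE_DIGEST,   # cost below bcrypt's minimum
        "plaintext-or-md5-leftover",               # not bcrypt at all
    ]
    for bucket, items in audit(stored).items():
        print(bucket, items)
```

Running the script over a dump of the password column is a quick way to confirm which of the ports in the question wrote each row (they all emit $2a$) and to schedule rehashing of low-cost rows; the version tag alone does not tell you whether a $2a$ hash was produced by a buggy or a fixed implementation, which is why the answers above care about which port generated it.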
1

To be honest, I've used two of the three that you listed and I found no difference other than method names. It seems they do the same thing.

I preferred using the NuGet package because it was simpler to integrate with existing projects. I even wrote a small article on how to accomplish this with the NuGet package manager.

http://sergiotapia.com/2011/03/using-bcrypt-in-a-net-application-why-its-better-than-sha-or-md5/

Curiosity answered 11/4, 2011 at 18:58

Comments:

Jeffjeffcoat: Nice blog post, and I'm using NuGet as well. I'm going to wait to accept an answer, though. I'm hoping someone has done the analysis.

Granniah: That link is now dead. Any other sources?