DataHandler.SaltAndHashing

Handles the Salting and Hashing of Data

Types

PasswordCheckData

Holds the salt and hash produced when generating a password hash.

  • Fields:
    • string SaltKey (get/set): Base64-encoded salt.
    • string HashKey (get/set): Base64-encoded hash.
  • Constructor:
    PasswordCheckData(string saltKey, string hashKey)
    Initializes both fields.

PasswordHandler

Provides methods to generate and validate password hashes using Argon2id with a cryptographically secure salt.

Methods

GeneratePasswordHashAsync(SecureData password, int iterations = 4, int saltByteSize = 64, int hashByteSize = 128)

Creates a new random salt and computes an Argon2id hash of the given password.

  • Parameters:
    • password: The user’s password as a SecureData.
    • iterations: Number of Argon2id iterations (default: 4).
    • saltByteSize: Length in bytes of the random salt (default: 64).
    • hashByteSize: Desired length in bytes of the hash output (default: 128).
  • Returns: Task<PasswordCheckData> containing the Base64-encoded SaltKey and HashKey.

ValidatePasswordAsync(SecureData password, PasswordCheckData passValues, int iterations = 4, int hashByteSize = 128)

Verifies a password by re-computing its Argon2id hash with the stored salt and comparing securely using constant-time equality.

  • Parameters:
    • password: The password to validate as a SecureData.
    • passValues: The stored SaltKey and HashKey.
    • iterations: Argon2id iteration count used during generation (default: 4).
    • hashByteSize: Length in bytes of the expected hash (default: 128).
  • Returns: Task<bool> — true if the password is correct.

Argon2_GetHashAsync(SecureData password, byte[] salt, int iterations, int hashByteSize)

Internal helper that runs Argon2id on a background thread to produce a raw hash byte array.

  • Returns: Task<byte[]> — The raw hash bytes.

SlowEquals(byte[] a, byte[] b)

Performs a constant-time comparison between two byte arrays to prevent timing attacks.

  • Returns: bool — true if arrays are identical in length and contents.
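
As an added example (not the library's own source), the C# below contrasts an early-exit comparison with a constant-time one of the kind SlowEquals describes. The names HashCompareDemo, LeakyEquals and ConstantTimeEquals are hypothetical, and the stored hash is a constructed random sample standing in for a decoded HashKey.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the library's code. All names here are hypothetical.
public static class HashCompareDemo
{
    // Anti-pattern: returns at the first mismatch, so the run time reveals how
    // many leading bytes of the candidate hash matched the stored one.
    public static bool LeakyEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    // Constant-time form: folds the length difference and every byte difference
    // into one accumulator and inspects it only after the loop has finished.
    public static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        uint diff = (uint)a.Length ^ (uint)b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= (uint)(a[i] ^ b[i]);
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: 128 random bytes stand in for a stored HashKey.
        byte[] stored = new byte[128];
        RandomNumberGenerator.Fill(stored);
        string hashKey = Convert.ToBase64String(stored);

        byte[] expected = Convert.FromBase64String(hashKey);
        byte[] correct = (byte[])expected.Clone();
        byte[] lastByteOff = (byte[])expected.Clone();
        lastByteOff[127] ^= 0x01;                       // differs only in the final byte
        byte[] truncated = expected.AsSpan(0, 64).ToArray(); // wrong hashByteSize

        Console.WriteLine(ConstantTimeEquals(expected, correct));
        Console.WriteLine(ConstantTimeEquals(expected, lastByteOff));
        Console.WriteLine(ConstantTimeEquals(expected, truncated));
        // Framework equivalent available on .NET Core 2.1 and later:
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(expected, correct));
    }
}
```

The truncated case corresponds to calling ValidatePasswordAsync with a hashByteSize different from the one used at generation: the comparison fails on length even when the password is correct.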

Notes

  • Uses BouncyCastle’s SecureRandom for strong, cryptographically secure salt generation.
  • Fixed Argon2id parameters: 8 MiB memory, 1 thread, configurable iterations.
  • All heavy work is offloaded via Task.Run — safe for UI threads.
  • Always use SecureData to minimize plaintext exposure in memory.
  • Hash comparison goes through SlowEquals, a constant-time check, so validation time does not depend on how many bytes of the hash match.