The data protection code base includes a package Microsoft.AspNetCore.Cryptography.KeyDerivation which contains cryptographic key derivation functions. This package is a standalone component and has no dependencies on the rest of the data protection system. It can be used completely independently. The source exists alongside the data protection code base as a convenience.
The package currently offers a method KeyDerivation.Pbkdf2 which allows hashing a password using the PBKDF2 algorithm. This API is very similar to the .NET Framework's existing Rfc2898DeriveBytes type, but there are three important distinctions:
- The
KeyDerivation.Pbkdf2method supports consuming multiple PRFs (currentlyHMACSHA1,HMACSHA256, andHMACSHA512), whereas theRfc2898DeriveBytestype only supportsHMACSHA1. - The
KeyDerivation.Pbkdf2method detects the current operating system and attempts to choose the most optimized implementation of the routine, providing much better performance in certain cases. (On Windows 8, it offers around 10x the throughput ofRfc2898DeriveBytes.) - The
KeyDerivation.Pbkdf2method requires the caller to specify all parameters (salt, PRF, and iteration count). TheRfc2898DeriveBytestype provides default values for these.
password-hashing/samples/passwordhasher.cs
See the source code for ASP.NET Core Identity's PasswordHasher type for a real-world use case.