c# - What does the output of Rfc2898DeriveBytes depend on and how should the salt be treated?
```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Class-level members the method refers to; their declarations and values are
// not shown in the original post, so they are only declared here.
private int keySize;
private int blockSize;
private byte[] salt;
private int msgCode;
private string msgDesc;

public string Encrypt(string code)
{
    string result = string.Empty;
    byte[] encryptResult = null;
    var codeInByte = Encoding.ASCII.GetBytes(code);
    try
    {
        using (MemoryStream memo = new MemoryStream())
        {
            using (RijndaelManaged aes = new RijndaelManaged())
            {
                aes.KeySize = keySize;
                aes.BlockSize = blockSize;
                // PBKDF2 over the input bytes and the class-level salt, 1000 iterations.
                var key = new Rfc2898DeriveBytes(codeInByte, salt, 1000);
                aes.Key = key.GetBytes(aes.KeySize / 8);
                // The second GetBytes call continues the same derived stream.
                aes.IV = key.GetBytes(aes.BlockSize / 8);
                aes.Mode = CipherMode.CBC;
                using (var encrypt = new CryptoStream(memo, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    encrypt.Write(codeInByte, 0, codeInByte.Length);
                    encrypt.Close();
                }
                encryptResult = memo.ToArray();
            }
        }
        result = Convert.ToBase64String(encryptResult);
        return result;
    }
    catch (Exception err)
    {
        msgCode = 99;
        msgDesc = err.Message;
        return string.Empty;
    }
}
```
It's a simple AES encryption method for a string.
The point I want to ask about is the key generation, at
`var key = new Rfc2898DeriveBytes(codeInByte, salt, 1000);`
Is the key generated from the inputted string, or is it a randomly generated byte array?
And does the salt need to be static or not?
As the documentation on MSDN suggests:
Rfc2898DeriveBytes takes a password, a salt, and an iteration count, and generates keys through calls to the GetBytes method.
In other words, it derives bytes using the input parameters you give it. If you give it different parameters, the derived key is different. If you give it the same parameters, it generates the same bytes.
Symmetric encryption algorithms (such as AES) require a fixed-length key: 16 bytes in the case of AES-128. However, you don't want to mandate passwords of a fixed length, since that makes them easier to attack. You might also want longer keys than a feasible password would give: AES-256 requires a 32-byte key, for example. Finally, passwords tend to be alphanumeric, and perhaps have symbols, whereas an encryption key is made of bytes that can range from 0x00 to 0xFF; if you made the encryption key a 32-character ASCII password, you'd reduce the range quite considerably, since the printable ASCII character range is much smaller than 0x00-0xFF.
For this reason, you want to derive an encryption key from a given password in such a way that you get a strong key of the exact length you require. That's where Rfc2898DeriveBytes comes in.
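The behaviour the answer describes, as an added example that is not part of the question or the answer: Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1, so Python's `hashlib.pbkdf2_hmac` reproduces the same derivation. The password and salts below are constructed sample values; the key/IV split mirrors the two sequential GetBytes calls in the question's code.

```python
import hashlib
import os

# Constructed sample inputs (not taken from the original question).
PASSWORD = b"correct horse battery staple"
SALT_A = bytes.fromhex("8f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed 16-byte salt
SALT_B = bytes.fromhex("00112233445566778899aabbccddeeff")  # a different constructed salt
ITERATIONS = 1000  # the iteration count used in the question's code


def derive_key_and_iv(password: bytes, salt: bytes, iterations: int = ITERATIONS,
                      key_len: int = 32, iv_len: int = 16):
    """Mirror the two GetBytes calls: successive calls hand out successive
    bytes of one PBKDF2-HMAC-SHA1 stream, so the key is the first key_len
    bytes and the IV is the next iv_len bytes of the same output."""
    stream = hashlib.pbkdf2_hmac("sha1", password, salt, iterations,
                                 dklen=key_len + iv_len)
    return stream[:key_len], stream[key_len:]


def same_inputs_same_output(password: bytes, salt: bytes) -> bool:
    """Same password, salt and count give identical bytes: nothing inside is random."""
    return derive_key_and_iv(password, salt) == derive_key_and_iv(password, salt)


def salt_changes_output(password: bytes) -> bool:
    """A different salt gives a different key and IV, so whichever salt was used
    to encrypt must be available again (stored with the ciphertext) to decrypt."""
    return derive_key_and_iv(password, SALT_A) != derive_key_and_iv(password, SALT_B)


def key_length_independent_of_password(salt: bytes) -> bool:
    """A one-character password still yields a full 32-byte AES-256 key."""
    short_key, _ = derive_key_and_iv(b"a", salt)
    long_key, _ = derive_key_and_iv(PASSWORD, salt)
    return len(short_key) == len(long_key) == 32


def key_equals_standalone_derivation(password: bytes, salt: bytes) -> bool:
    """PBKDF2 output is prefix-consistent: the first 32 bytes of a 48-byte
    request equal a plain 32-byte request, which is why the split above is
    equivalent to calling GetBytes(32) and then GetBytes(16)."""
    key, _ = derive_key_and_iv(password, salt)
    return key == hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, dklen=32)


def fresh_salt_differs(password: bytes) -> bool:
    """A random per-encryption salt (os.urandom) produces a new key every time."""
    k1, _ = derive_key_and_iv(password, os.urandom(16))
    k2, _ = derive_key_and_iv(password, os.urandom(16))
    return k1 != k2
```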