He can hash each and compare it to the hash of his victim's password, and see if it matches. Suppose an attacker has a list of likely passwords. Salt helps to thwart pre-computed dictionary attacks. But it would serve to let a legitimate recipient know that the wrong password was used for decryption. A hash collision on a password is more likely to be useful to an attacker a hash collision on the content is likely to be worthless. Regarding your desire to store a hash of the password, if you use PBKDF2 to generate the key, you could use a standard password hashing algorithm (big salt, a thousand rounds of hashing) for that, and get different values.Īlternatively, you could compute a MAC on the content. This will require some study on your part, but again there are existing libraries to use, and it opens up the possibility of inter-operating more smoothly with other software, like S/MIME-enabled mail clients. You might also consider using the Cryptographic Message Syntax as a format for your file. You should be able to find an open-source library that implements PBE key generators for different algorithms. It's similar to the algorithm you outline, but is capable of generating longer symmetric keys for use with AES. I would recommend using a recognized algorithm such as PBKDF2 defined in PKCS #5 version 2.0 to generate a key from your password. at work) and be able to migrate/move the data by simply copying the file (so I can use it at home, on different workstations, etc.). But I'd like to deploy it in a shared environment on computers I don't fully control (e.g. Thus, password-based key derivation as defined here is a function of a password, a salt, and an iteration count, where the latter two quantities need not be kept secret.ĭoes this mean that I could store the salt value in the same place/file as the hashed key and still be more secure than if I used no salt at all when hashing? How does that work?Ī little more context: the encrypted file isn't meant to be shared with or decrypted by others, it's really single-user data. For example, this spec linked by erickson (below) says: I thought the salt had to be kept secret to be useful, but your answers and links imply this is not the case. So is this design reasonably secure, or hopelessly naive, or somewhere in between? Thanks!ĮDIT: clarification and follow-up question re: Salt. That way, I can take the file to another PC and decrypt it by simply entering my password. So I hash it again, basically treating it just like another password, and save the doubly-hashed value in the data file. But since I use the hashed user password for the symmetric encryption key, I can't use the same value for authentication. "HashedUserPwdAndKey" -> "HashedValueForAuthentication"īasically I'm extrapolating from the common way to implement web-site passwords (when you're not using OpenID, that is), which is to store the (salted) hash of the user's password in your DB and never save the actual password. the unencrypted part of the data file) and uses that value to validate the user's password. Step 3: App hashes the hashed value from step 2 and saves the new value in the data file header (i.e."MyDifficultPassword" -> "HashedUserPwdAndKey". Step 2: App hashes the user-password and uses that value as the symmetric key to encrypt/decrypt the data file.Step 1: User enters plain-text password, e.g.So tell me: is this crazy? Is there a better/best way to do it? I have a strategy that appears workable and seems logical based on what I know (which is probably just enough to be dangerous), but I have no idea if it's actually a good design or not. I want the encrypted data file to be self-contained and portable, so the authentication has to be embedded in the file (or so I assume). one must enter the correct password to decrypt). I'm writing a little desktop app that should be able to encrypt a data file and protect it with a password (i.e.
0 Comments
Leave a Reply. |