开发者

Encryption: do I need to salt the key when not even storing it at all?

I searched all over the Net, including here on SO: There is a lot of discussion on the need to 开发者_Go百科salt passwords before hashing and storing them.

In case the password is used to compute a key used for encryption ("Password Based Encryption"): what if you do not store the password at al?

  • [Note: I did read SO: Passphrase, Salt and IV, do I need all of these? and Does IV work like salt are certainly a related question: I am not sure how the Initialization Vector discussed there relates to the question here]

Suppose:

For encryption

  1. the users enters a master password
  2. this is SHA256 hashed and the output is used to AES256 encrypt a file
  3. the hash is not stored (and obviously neither is the master password)

For decryption

  1. The users enters the master password
  2. This is SHA256 hashed and the output is used to decrypt the file
  3. If the decryption was successful, the password was - apparently - correct

My question:

When not storing anything except the encrypted file itself, is there any benefit in salting the master password before hashing it?

Considerations:

  • it would probably reduce the likelihood of a hash-collision
  • it would require the salt to be stored.
  • if the salt were lost/corrupted the user would not be able to decrypt the file anymore

  • how to check for successful decryption in step3: does this require part of the file contents to be known?

  • if so, how much of a faux-pas is storing a known value in an encrypted file (this cannot always be prevented - an attacker might guess that for example the users last name is encrypted somewhere in the file - an be correct).


If you are not storing the master password then there is no need to salt it. If you are reusing the master password to generate a lot of single-use passwords then it will need to be stored encrypted and decrypted as required.

Salting is for long term storing of user passwords that have to be matched more than once so that people with the same password don't have the same hash, which would help an attacker who stole the file.

Salt is for hashing in long term storage, an IV is for encryption using CBC mode (or CTR mode where it can also be called a nonce).

As to checking that your file has decrypted correctly, just ensure that you use a padding like PKCS7. When the last block is decrypted the padding will be checked to ensure it is in the right format. If the decryption failed then the padding will not be correctly formatted and you should get a "Padding failed" error.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜