
I'm developing simple software that does aes256-cbc encryption of a file. I'm using GNU/Linux and libgcrypt-1.5.0. The IV is randomly generated with the OpenSSL rand function and the IV is stored before the ciphertext in the output file. I'm using the PKCS#7 padding method.

Now I am in doubt about how to proceed:

  1. Is it better to use SHA-256 repeated 50,000 times over the input password to encrypt the file, or is it better to use the password given by the user?

  2. If I want to check the correctness of the input password, I have to store it in the encrypted file (obviously encrypted). Is it correct to do this?

Daniel Roethlisberger
polslinux
  • This question appears to belong on another site in the Stack Exchange network because it's not about programming or development. Perhaps you should try [Information Security Stack Exchange](http://security.stackexchange.com/). – jww Mar 04 '15 at 01:44

3 Answers

  1. Neither choice is correct. You need to use an algorithm made for deriving a key from a password, like PBKDF2. See the function gcry_kdf_derive.
indiv
  1. Use PBKDF2 to derive a key as indiv suggested.
  2. Use PBKDF2 with a different salt to derive an authentication key and append a MAC to your encrypted data (after encryption is more secure than before encryption). Verify the MAC in order to check whether the password is correct or not, and that the data has not been tampered with. If you are unsure when choosing a MAC, use HMAC with SHA-512 (assuming you are using AES-256 as per your question).

Instead of using PBKDF2 twice with different paddings, you can use a single invocation of PBKDF2 to generate both the encryption and the authentication keys at the same time, by generating a key of the combined size of your encryption key and authentication key in one go.

Note that depending on the padding for deciding whether the key was good can result in CBC padding oracle attacks. For file encryption such attacks might not be applicable, depending on the exact circumstances, but it seems prudent practice to use a proper MAC for data authentication anyway, since you also want to prevent bit flipping attacks and other malicious modifications to your data.

Daniel Roethlisberger
  • Thanks to all for the answer! So the structure of the encrypted file will be: IV (not encrypted)- ciphertext - MAC (not encrypted), right? – polslinux Jan 27 '13 at 17:05
  • Exactly, and you calculate the MAC over both IV and ciphertext to also protect against attacks which tamper with the IV. – Daniel Roethlisberger Jan 27 '13 at 17:06
  • You could have edited indiv's answer instead. Executing PBKDF2 twice is pretty expensive, you could use a KBKDF function on the output instead (but this may be more tricky to implement). – Maarten Bodewes Jan 27 '13 at 17:27
  • @owlstead I didn't want to vandalize indiv's previous suggestion for "2." which he edited away in the meantime along with comments he deleted. I agree with your other point. – Daniel Roethlisberger Jan 27 '13 at 17:31
  • @DanielRoethlisberger So if I have an input key K, what I have to do is: 1) derive it with a PBKDF2 function using SHA-512; 2) compute the HMAC of IV+ciphertext using the derived key. Is it OK? – polslinux Jan 27 '13 at 22:49
  • @polslinux Not sure if I understand your question. You should use separate derived keys for encryption and authentication. However, you can use a single invocation of PBKDF2 to generate both keys at the same time, by generating a key of the combined size of your encryption key and authentication key in one go. – Daniel Roethlisberger Jan 27 '13 at 23:17
  • @DanielRoethlisberger I'm talking about implementation :) What I haven't understood is how to proceed! The function `gcry_kdf_derive` needs `subalgo` as a parameter, where `subalgo` is a hash algorithm! So I have to compute K1 with a salt S1 and SHA-512, and K2 with a salt S2 and SHA-512, right? Then I use K1 to encrypt the message and K2 to calculate the HMAC of the IV+ciphertext, right? – polslinux Jan 28 '13 at 07:54
  • @indiv Sorry for making it sound like if you wanted to hide something, that's not what I wanted to say. I edited the comment into my answer as per your suggestion, thanks! – Daniel Roethlisberger Jan 28 '13 at 13:08
  • @polslinux Yes, that's the most straightforward way to implement it. However, you can calculate K1 + K2 at the same time with only a single salt and single call to `gcry_kdf_derive` by calculating K3 with the combined length of K1 and K2 instead, and then splitting K3 into K1 and K2. – Daniel Roethlisberger Jan 28 '13 at 13:11
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/23508/discussion-between-polslinux-and-daniel-roethlisberger) – polslinux Jan 28 '13 at 14:11

1. Is it better to use SHA-256 repeated 50,000 times over the input password to encrypt the file, or is it better to use the password given by the user?

You never use the "raw" password directly as a key. The key needs to be stretched in something hardened against brute-force attacks. Look at the String-to-Key (S2K) stuff, or a Password Based Key Derivation Function (PBKDF) with a memory-hard hash like scrypt.


2. If I want to check the correctness of the input password, I have to store it in the encrypted file (obviously encrypted). Is it correct to do this?

No. You use an authenticated encryption mode like GCM. Authenticated encryption modes are specially built for the task and provide both confidentiality and authenticity.

Under the password, the encrypted file will verify or it won't. Don't concern yourself with the reason why. Otherwise, you're setting up an oracle which may undo everything from Step 1 (which may or may not be applicable here).

jww