1

I have asked a similar question in post Encrypting a file with RSA in Python , but this question has a different connotation.

I am encrypting a file with AES, using RSA to encrypt the AES password.

The only difference is that i really DON'T want to store the AES password. The user must give both the path to his RSA key, and the password.

So what do you think about this scheme?

path_to_RSA_key = ... # Given by the user
pwd = ... # This will be used to encrypt the file. Also given by user.

rsa_enc = RSA.importKey(path_to_RSA_key)
# Encrypt the Password with RSA, keep the last 32 characters
rsa_pwd = rsa_enc.encrypt(pwd)[-32:]
# Aes, with the encrypted password
aes_enc = AES.new(rsa_pwd, AES.MODE_CBC)

# Encrypt the file with AES...
# Store only the encrypted file
# Don't store the password in any way, don't store the path to RSA key

The alternative would be the classic scheme, when you generate a random password, encrypt the file with AES using the random pass, encrypt the random pwd with RSA and store only the encrypted results.

If you really need to know why i need this, it's a project of mine, http://code.google.com/p/scrambled-egg

What do you think about the scheme ? Thank you in advance !

Community
  • 1
  • 1
Cristi Constantin
  • 554
  • 1
  • 6
  • 19
  • 1
    It looks like you are using RSA as an ad-hoc password hashing algorithm. I don't think that buys you anything. You might google for password-based encryption (PBE) and PKCS#5 to look at more standard schemes before you commit to yours. – President James K. Polk Jun 17 '11 at 11:25
  • One problem with this scheme is that encryption with public-key algorithms requires only the public-key. If you want only the private key to be able to encrypt, you'd need to do a sign, not an encrypt. If you are storing half of the key on disk anyway, you could store an encrypted AES key and use the password to decrypt that key, but as GregS says, pasword-based encryption makes more sense in this case. – 101100 Jun 24 '11 at 07:04
  • @101100: and @GregS: Thank you for your answers! You can encrypt with the Public or the Private key the same, PyCrypto generates the public key from the private one. I also checked PKCS#5, I will see how I implement this. – Cristi Constantin Jun 29 '11 at 19:25

1 Answers1

1

There seems to be some confusion. You mention that you don't want to store the 'password', but you're working with RSA and not a symmetric algorithm. The term 'password' strongly implies a shared secret as used in symmetric encryption, and it appears that you're trying really hard to fit RSA into the mould you've created.

The issue I see is that this functionality may not fit into your planned use very well. Your plan seems focused on symmetric ciphers. Further, using asymmetric keys this way may be a problem. I think asymmetric encryption is used to encrypt nonces for a reason; it may not be robust to attacks that can be waged against a scheme like the one you propose.

Asymmetric keys are often used as follows:

  1. Generate a purely random 32-'character' key and call it "nonce".
  2. Encrypt the message with the "nonce" and call it ciphertext.
  3. Encrypt the "nonce" with your asymmetric key (presumably the public key, but you should specify).
  4. The result consists of the ciphertext and the asymmetrically encrypted "nonce".

Decrypting requires only the paired opposite of the asymmetric key used to encrypt.

If you're hardcore, you could encrypt (using AES + a password or similar) the public or private key that can be used to decrypt the nonce and send it along for a ride too. Sadly that isn't really increasing security over AES+password, and you are increasing the bloat in your message by a lot.

Slartibartfast
  • 1,694
  • 9
  • 8