Change the master password used for encryption

Question

Change the master password used for encryption

I want to store some encrypted data, for example, as a password manager, where your main password opens all the basic passwords of applications / sites.

Looking around, I found a few examples, such as, but they seem to use a password as part of the encryption, like salt in a hash. This means that you need the same password for decryption, so you can never change the password. This does not seem great in terms of security / usability; if the PW gets compromised, you will have to redo the entire database under another PW.

How can you create a system in which you can change the master password? Do you do a simple registration check and then use the string to encrypt / decrypt? Is the static nature and storage of this string unsafe?

I know some PHP and smidge from Javascript, so if you have examples in those languages that would be good, but a more general high-level explanation is also very much appreciated.

+6

javascript security php password-encryption encryption

PixelSnader Jul 21 '17 at 8:51

source share

3 answers

Scott Arciszewski · Answer 1 · 2017-12-29T23:03:55+0000

There are several approaches that work. Jannes answer refers to a workable solution (although beware of vulnerabilities inopenssl_private_decrypt() ).

Defuse Security PHP encryption library, , , . ( , " " .)

: https://github.com/defuse/php-encryption/blob/master/docs/classes/KeyProtectedByPassword.md

, ?

- :

. secret.
( ). passwordKey.
- Argon2id(password, salt) = > passwordKey
secret passwordKey, AEAD .
- $saved = $salt . $nonce . sodium_crypto_secretbox($secret, $nonce, $passwordKey);
secret, passwordKey.

, 2 3 ( ).

Argon2id sodium_crypto_pwhash() PHP 7.2 .

Jannes Botis · Answer 2 · 2017-07-21T15:07:07+0000

, , .

: 1) rsa ( Ubuntu):

openssl genrsa -des3 -out private.key 1024
openssl rsa -in private.key -pubout > public.key

2) :

$key = file_get_contents('/path/to/public.key');
openssl_public_encrypt("password", $encryptedData, $key);

$encryptedData ( , $encryptedData , , - ).

3) , :

$key = openssl_pkey_get_private(file_get_contents('/path/to/private.key'), $password);

if($key === false) {
    // false password
    die;
}
openssl_private_decrypt($encryptedData, $decryptedData, $key);

4) :

openssl rsa -des3 -in private.key -out private.key

2 :

, .
.

.

( php , ), , .

jas- · Answer 3 · 2017-12-29T23:12:50+0000

GPG?

http://php.net/manual/en/ref.gnupg.php

libsoduim PECL

https://pecl.php.net/package/libsodium

, .

Change the master password used for encryption

More articles: