Using a password hash to encrypt a private key

I am developing a web application in which I need to encrypt sensitive information. My plan is to use AES-256, where the private key is encrypted with the user's password hash. I need to save a password hash for authentication purposes, but obviously it cannot be used to encrypt the private key. My current thought is to use bcrypt to generate the key, which will be used to encrypt the private key. For authentication, my thought was to simply hash the password using bcrypt, and then hash that hash using bcrypt again, and then store that hash in the database. Since this is one way, don't you need to use a stored hash to decrypt the private key? Are there any obvious security issues when doing this that I can skip?

My other thought was to use two different encryption algorithms, such as using the bcrypt hash to encrypt the private key and storing the SHA-2 hash for authentication purposes.

Thank you for your help.

+4
3 answers

Do not use the hash to encrypt the AES password. A salted hash should only be used for authentication. When the user logs in, you have your password. Use this password to encrypt (the first time) and decrypt (later) the AES key, and then forget the password.

+2

In this situation, I recommend using PBKDF2. You can use two different salts: one that will output the symmetric key, and the other that will display the password hash. The salt should contain a deterministic part that distinguishes two different use cases, as well as a random part - cf. this comment:

Otherwise, the salt should contain data that clearly distinguishes between different operations and different key lengths, in addition to a random part that is at least eight octets long, and this data must be checked or regenerated by the party receiving the salt. For example, a salt may have an additional nonrandom octet that defines the purpose of the derived key. Alternatively, it can be the encoding of a structure that specifies detailed information about the derived key, such as the encryption or authentication method, and a sequence number among the different keys derived from the password. The specific format of the additional data is left to the application.

Simple, salted SHA-2 is probably not enough due to the poor entropy of typical passwords, as mentioned in the comments.

+2
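The two-salt PBKDF2 scheme from the answer above, as an added example that is not code from any of the answers: each salt is a purpose octet followed by a 16-byte random part, one derivation yields the stored login verifier and the other yields a key-encryption key (KEK) that is never stored. The function names, the purpose octet values and the default iteration count are assumptions; the returned KEK would then key the AES operation that wraps the private key, which is not shown because the Python standard library has no AES.

```python
import hashlib
import hmac
import os

PURPOSE_AUTH = b"\x01"  # assumed purpose octet: login verifier
PURPOSE_KEK = b"\x02"   # assumed purpose octet: key-encryption key
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def derive(password, purpose, random_part, iterations):
    """PBKDF2-HMAC-SHA256 with salt = purpose octet || random part."""
    salt = purpose + random_part
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def enroll(password, iterations=DEFAULT_ITERATIONS):
    """Build the per-user record to store. The KEK is not part of it."""
    auth_salt, kek_salt = os.urandom(16), os.urandom(16)
    return {
        "iterations": iterations,
        "auth_salt": auth_salt,
        "kek_salt": kek_salt,
        "verifier": derive(password, PURPOSE_AUTH, auth_salt, iterations),
    }


def login(password, record):
    """Return the 32-byte KEK on success, None on a wrong password."""
    n = record["iterations"]
    candidate = derive(password, PURPOSE_AUTH, record["auth_salt"], n)
    # Constant-time comparison of the recomputed verifier.
    if not hmac.compare_digest(candidate, record["verifier"]):
        return None
    # The purpose octet is regenerated here, not read from storage, so a
    # tampered record cannot make the KEK derivation reuse the auth salt.
    return derive(password, PURPOSE_KEK, record["kek_salt"], n)
```

A database leak exposes the verifier and both random parts, but the verifier cannot stand in for the KEK: recovering either one still requires guessing the password through the full iteration count.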

Suggestion: use two different salts. When the user enters his password, combine it with a random salt and hash it for the password recognition procedure. Use a different salt and hash again for the AES encryption key. Depending on how secure you want it to be, you can also stretch the hash.

Effectively you have:

    storedPasswordCheck = SHA256(password + salt1);
    AESkey = SHA256(password + salt2);

AES keys, of course, are not saved, but if necessary, are restored from the user's password. You will need two separate salts, each with at least 128 bits, each of which is stored for each user.

+1