Which of these encryption methods is more secure? Why?

StackOverflow https://stackoverflow.com/questions/19846172

Question

I am writing a program that takes a passphrase from the user and then writes some encrypted data to file. The method that I have come up with so far is as follows:

  • Generate a 128-bit IV from hashing the filename and the system time, and write this to the beginning of the file.
  • Generate a 256-bit key from the passphrase using SHA256.
  • Encrypt the data (beginning with a 32-bit static signature) with this key using AES in CBC mode, and write it to file.

When decrypting, the IV is read, and then the passphrase used to generate the key in the same way, and the first 32-bits are compared against what the signature should be in order to tell if the key is valid.

However I was looking at the AES example provided in PolarSSL (the library I am using to do the hashing and encryption), and they use a much more complex method:

  • Generate a 128-bit IV from hashing the filename and file size, and write this to the beginning of the file.
  • Generate a 256-bit key from hashing (SHA256) the passphrase and the IV together 8192 times.
  • Initialize the HMAC with this key.
  • Encrypt the data with this key using AES in CBC mode, and write it to file, while updating the HMAC with each encrypted block.
  • Write the HMAC to the end of the file.

I get the impression that the second method is more secure, but I don't have enough knowledge to back that up, other than that it looks more complicated.

  • If it is more secure, what are the reasons for this?
  • Is appending an HMAC to the end of the file more secure than having a signature at the beginning of the encrypted data?
  • Does hashing 8192 times increase the security?

Note: This is an open source project so whatever method I use, it will be freely available to anyone.

Was it helpful?

Solution

The second option is more secure.

Your method, does not provide any message integrity. This means that an attacker can modify parts of the ciphertext and alter what the plain text decrypts to. So long as they don't modify anything that will alter your 32-bit static signature then you'll trust it. The HMAC on the second method provides message integrity.

By hashing the key 8192 times it adds extra computational steps for someone to try and bruteforce the key. Assume a user will pick a dictionary based password. With your method an attacker must perform SHA256(someguess) and then try and decrypt. However, with the PolarSSL version, they will have to calculate SHA256(SHA256(SHA256...(SHA256(someguess))) for 8192 times. This will only slow an attacker down, but it might be enough (for now).

For what it's worth, please use an existing library. Cryptography is hard and is prone to subtle mistakes.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top