Question

I'm not sure if this is the right place to ask.

I'm using AES from Crypto++ to do encryption/decryption of data. Basically it's like encrypted notes.

What I would like to do is have an identifier field. This field will contain the user's password, encrypted:

User Password: smith
Identifier = AESEncrypt("smith")

This is done only once, when the identifier field is blank. Every time the user enters the password to add notes, I can decrypt the identifier field and compare it to the password the user entered.

The reason why is to avoid corrupting the notes because the wrong password was entered.

Is this a good idea? I figure if someone breaks the identifier and gets the password then they already know the password anyways. What are the opinions on my idea?


Solution

No, this is not a good idea. If two people have the same password, then they will have the same identifier. This makes cracking passwords much simpler. You also don't make clear what key you encrypt the password with. AESEncrypt() takes two parameters, and the key needs to be indistinguishable from random to be secure.

Passwords must be converted to keys before being used with AES. To convert a password to a key, you use a KDF (key derivation function). The most famous and widely available is PBKDF2. Others include bcrypt and scrypt. From Crypto++, you should use PKCS5_PBKDF2_HMAC.

Actually validating a password is trickier than it sounds. There is no way to ensure with AES that the password is correct. Using PKCS#7 padding (the standard for CBC mode), you can get 99.6% certainty that the password is correct, but you'll still fail occasionally and return gibberish on a bad password rather than an error. (That's not a made-up "number close to 100%;" I exactly mean "a little less than 255/256.") You also can't check that the padding is correct until you decrypt all the data.

There are several better techniques you can use. First, you should be using an HMAC in any case. An HMAC is like an encrypted hash. It ensures that the encrypted note has not been modified. Crypto++ offers one as HMAC. If you decrypt with the wrong password, the HMAC will fail, which you can use to assert that the password is bad. The problem with this approach is that it's slow if the data is very large, and you can't tell the difference between corrupted data and a bad password. (This approach is what RNCryptor currently uses.)

The approach I'm currently investigating is to use HMAC to create a validator. Take some known string, and then HMAC it using your key (generated by PBKDF2). Later, you can validate the HMAC on that small, known string rather than the whole body text. And since you know what the string was supposed to be, you don't have to worry about data corruption. The linked page gives my current thinking on the exact layout.
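As an added illustration of the validator scheme the answer describes (this is not the answerer's or RNCryptor's code): derive the key from the password with PBKDF2, HMAC a known label with that key, and store only the salt and the HMAC. It uses Python's standard `hashlib`/`hmac` instead of Crypto++ so it runs without extra libraries; the iteration count, salt length and label string are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not values from the post).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32                            # 256-bit key, AES-256 sized
VALIDATOR_LABEL = b"notes-validator-v1" # the "known string" that gets HMAC'd


def derive_key(password: str, salt: bytes) -> bytes:
    """KDF step: PBKDF2-HMAC-SHA256 turns a password into a key.

    The per-file random salt is what makes two users with the same
    password end up with different keys and different validators.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, KEY_LEN)


def make_validator(key: bytes) -> bytes:
    """HMAC of a fixed, known label under the derived key."""
    return hmac.new(key, VALIDATOR_LABEL, hashlib.sha256).digest()


def create_header(password: str, salt: Optional[bytes] = None) -> dict:
    """Done once, when the identifier field is blank.

    Only the salt and the validator are stored; the password itself
    and the derived key never touch disk.
    """
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "validator": make_validator(derive_key(password, salt))}


def check_password(password: str, header: dict) -> bool:
    """Re-derive the key from the stored salt and compare validators.

    compare_digest is constant-time, so a wrong guess leaks nothing
    through timing. This checks only the small header, not the whole
    note body, and a mismatch cannot be confused with corrupted notes.
    """
    key = derive_key(password, header["salt"])
    return hmac.compare_digest(make_validator(key), header["validator"])


if __name__ == "__main__":
    header = create_header("smith")
    print("correct password accepted:", check_password("smith", header))
    print("wrong password rejected:", not check_password("Smith", header))
```

The note body would still be encrypted under a key derived the same way (or a separate subkey) and carry its own HMAC; the validator only answers "is this the right password?" before that work starts.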

Licensed under: CC-BY-SA with attribution