Should I use the same secret key multiple times?

StackOverflow https://stackoverflow.com/questions/8204702

Question

I am developing a Java SE based application (university intranet) for a computer security course that sends a password (AES ecrypted) of a registered user to a server via a HTTP request. It performs the following steps:

  1. The user registers to the Intranet app.
  2. The client sends an HTTP request containing the student's password, encrypted with AES.
  3. The PHP script now decrypts the AES ciphertext and hashes it.
  4. The hashed password is stored into the database.

Now from what I have read about AES, I would need a secret key as part of the encryption process. As the server script will need the secret key to decrypt the cipher, would it be a bad idea to use the same secret key each time? Once the script receives the ciphertext it will then use a one way hash function to store it on a database.

Was it helpful?

Solution

If you really want to use a symmetric cypher

Ok I assume you want two entities to communicate by entering the same key on each entity (such as the Bluetooth connection). In that case the question have already been asked and I let you google for some answer like this

What you certainly want is HTTPS

But apparently you just want a secure communication between a client and a server. In that case you need to use HTTPS(since you use HTTP). HTTPS does all that for you with a handshake and then relying on a symmetric key algorithm to ensure the communication.

How it fulfills your requirements

In your very case, if the login page is served in HTTPS:

  • the password will be de facto encrypted by the client when it is sent
  • it will be automatically decrypted by the server then you have to
  • hash it in PHP and store it into the database.

OTHER TIPS

I agree with the other comments - HTTPS is the way to go if possible.

However, to answer your question directly, then yes - using the same secret key (on it's own / without a salt) each time is a very bad idea. If, for some reason, HTTPS is not an option, then consider at least using a salt and/or a one-time-pad, depending on your implementation possibilities:

Salt (cryptography) One-time Pad

This article looks like it might be useful:

Data Encryption Decryption using AES Algorithm, Key and Salt with Java Cryptography Extension

Hope that helps.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top