Should I use the same secret key multiple times?
05-03-2021
Question
I am developing a Java SE based application (university intranet) for a computer security course that sends a password (AES encrypted) of a registered user to a server via an HTTP request. It performs the following steps:
- The user registers to the Intranet app.
- The client sends an HTTP request containing the student's password, encrypted with AES.
- The PHP script now decrypts the AES ciphertext and hashes it.
- The hashed password is stored into the database.
Now from what I have read about AES, I would need a secret key as part of the encryption process. As the server script will need the secret key to decrypt the cipher, would it be a bad idea to use the same secret key each time? Once the script receives the ciphertext it will then use a one way hash function to store it on a database.
Solution
If you really want to use a symmetric cypher
OK, I assume you want two entities to communicate by entering the same key on each entity (such as a Bluetooth connection). In that case the question has already been asked, and I'll let you google for an answer like this.
What you certainly want is HTTPS
But apparently you just want secure communication between a client and a server. In that case you need to use HTTPS (since you use HTTP). HTTPS does all that for you with a handshake and then relies on a symmetric key algorithm to secure the communication.
How it fulfills your requirements
In your very case, if the login page is served in HTTPS:
- the password will be de facto encrypted by the client when it is sent
- it will be automatically decrypted by the server then you have to
- hash it in PHP and store it into the database.
OTHER TIPS
I agree with the other comments - HTTPS is the way to go if possible.
However, to answer your question directly, then yes - using the same secret key (on its own / without a salt) each time is a very bad idea. If, for some reason, HTTPS is not an option, then consider at least using a salt and/or a one-time-pad, depending on your implementation possibilities:
- Salt (cryptography)
- One-time Pad
This article looks like it might be useful:
Data Encryption Decryption using AES Algorithm, Key and Salt with Java Cryptography Extension
Hope that helps.
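Added example (not part of the original posts): a Java sketch of what is at stake when one AES key is reused for every password. With a fixed key and no per-message randomness (ECB here) the same password always produces the same ciphertext, while a fresh random nonce per message (AES-GCM) makes the ciphertexts differ under the same key. The class and method names are hypothetical, and the key and sample password are constructed for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example; KeyReuseDemo and its methods are hypothetical names.
public class KeyReuseDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Fixed key, no per-message randomness: output is deterministic.
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Same key, fresh 12-byte nonce per message, nonce prepended to the ciphertext.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Reads the nonce back from the first 12 bytes and verifies the GCM tag.
    static byte[] decryptGcm(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, msg, 0, 12));
        return c.doFinal(msg, 12, msg.length - 12);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // demo key, generated at runtime
        byte[] pw = "constructed-sample-password".getBytes(StandardCharsets.UTF_8);
        System.out.println("ECB equal: " + Arrays.equals(encryptEcb(key, pw), encryptEcb(key, pw)));
        byte[] a = encryptGcm(key, pw), b = encryptGcm(key, pw);
        System.out.println("GCM equal: " + Arrays.equals(a, b));
        System.out.println("GCM round trip: " + Arrays.equals(pw, decryptGcm(key, a)));
    }
}
```

A fresh nonce hides repeated passwords, but the shared key still has to be stored in the client application, which is the problem the HTTPS handshake described in the first answer removes.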