Can I use PBKDF2 to generate an AES256 key to encrypt and implicitly authenticate?

I have 2 devices and I want to set up a secure communication channel between them. The only shared secret is a (7- to 20-character ASCII) passphrase. If I use PBKDF2 (from RFC 2898) with a common salt, iterations, and passphrase to generate an AES256-CBC key and IV on both sides, I think I can authenticate the user and provide an encrypted channel all in one step. Is that true, or is there some reason why I've only seen people use PBKDF2 to verify passwords?

My reasoning is that both sides need to know the passphrase to generate the same key and IV. So if device B can decrypt data from device A, they both have demonstrated that they have the same passphrase.

indiv asked Dec 01 '10 00:12



1 Answer

PBKDF2 is a fine way to generate a common key from a shared secret (you should not be generating the IV in such a way though - the IV should be random, and sent alongside the ciphertext).

However, CBC is not an authenticating cipher mode. This is because an attacker can take an encrypted message and make predictable modifications to it, without needing to be able to read the message or know the key. Such attacks have broken real-world systems in the past.

You can use an authenticating cipher mode, like Galois Counter Mode (GCM) instead of CBC.

An alternative is Encrypt-Then-MAC. Use PBKDF2 with two different salts to generate two different keys - first the data is encrypted using CBC with the first key, and then an HMAC is calculated over the ciphertext using the second key.

You will also need to use single-use nonces to prevent replay attacks.

caf answered Sep 24 '22 14:09
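As an added example (not code from the question, the answer, or any project), the Encrypt-then-MAC construction the answer describes, in Go using only the standard library: PBKDF2-HMAC-SHA256 written out per RFC 2898 section 5.2, two keys derived from two different salts, AES-256-CBC with a random IV that travels with the ciphertext, HMAC-SHA256 over the IV and ciphertext, and a strictly increasing message counter bound into the tag so a replayed message is rejected. The passphrase, salt, the "enc"/"mac" salt labels, the wire format and the counter-based replay check are assumptions of this example, not something the page specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA256 implements RFC 2898 section 5.2 with HMAC-SHA256 as the PRF
// (written out here so the example needs no packages beyond the standard library).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block) // INT(i), big-endian
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1
		t := append([]byte{}, u...)
		for i := 1; i < iter; i++ { // U_2 .. U_c, XORed together
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys runs PBKDF2 twice with two different salts (the shared salt plus a
// purpose label, an assumption of this example) so the AES key and the HMAC key
// are independent, as the answer recommends.
func deriveKeys(passphrase string, salt []byte, iter int) (encKey, macKey []byte) {
	encSalt := append(append([]byte{}, salt...), []byte("enc")...)
	macSalt := append(append([]byte{}, salt...), []byte("mac")...)
	return pbkdf2SHA256([]byte(passphrase), encSalt, iter, 32),
		pbkdf2SHA256([]byte(passphrase), macSalt, iter, 32)
}

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || p > len(b) || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// tag computes HMAC-SHA256(macKey, counter || iv || ciphertext); binding the
// counter means a captured message cannot be replayed under a different counter.
func tag(macKey []byte, counter uint64, ivAndCt []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	m.Write(c[:])
	m.Write(ivAndCt)
	return m.Sum(nil)
}

// seal produces iv(16) || ciphertext || tag(32). The IV is random and sent in
// the clear, not derived from the passphrase.
func seal(encKey, macKey []byte, counter uint64, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	return append(body, tag(macKey, counter, body)...), nil
}

// open verifies the tag in constant time before decrypting anything, so
// padding errors are never reachable by an attacker who cannot forge the MAC.
func open(encKey, macKey []byte, counter uint64, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, got := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	if !hmac.Equal(got, tag(macKey, counter, body)) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// receiver remembers the highest counter it accepted; an authentic but repeated
// message is refused, which is the replay defence the answer asks for.
type receiver struct {
	encKey, macKey []byte
	lastCounter    uint64
}

func (r *receiver) receive(counter uint64, msg []byte) ([]byte, error) {
	pt, err := open(r.encKey, r.macKey, counter, msg)
	if err != nil {
		return nil, err
	}
	if counter <= r.lastCounter {
		return nil, errors.New("replayed or out-of-order message")
	}
	r.lastCounter = counter
	return pt, nil
}

func main() {
	salt := []byte("constructed-example-salt") // constructed; both devices must share it
	encKey, macKey := deriveKeys("correct horse battery staple", salt, 100000)
	msg, _ := seal(encKey, macKey, 1, []byte("hello from device A"))
	r := &receiver{encKey: encKey, macKey: macKey}
	pt, err := r.receive(1, msg)
	fmt.Printf("first delivery: %q, err=%v\n", pt, err)
	_, err = r.receive(1, msg) // same message again
	fmt.Println("replay:", err)
	msg[len(msg)-sha256.Size-1] ^= 1 // flip one ciphertext bit
	_, err = r.receive(2, msg)
	fmt.Println("tampered:", err)
}
```

Both devices derive the same pair of keys from the passphrase and shared salt, so a message that verifies under `open` proves the sender knew the passphrase; the MAC check happens before decryption, so the CBC malleability the answer warns about never reaches the plaintext, and the counter turns the "single-use nonce" requirement into a simple monotonic check.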