How to change the aes-256 key after encryption?

Question

I've a website that users submit their personal data to, and I'm thinking of encrypting these data using AES-256 and their password is used as a key for that encryption and then I store the encrypted data in a MySQL database...

Now if the user changes his/her password, how would I change the key of the encrypted data?

Should I gather all the data from the database, decrypt their data with the old key, and then encrypting it again with a new key?

Answer 1

You don't need to re-encrypt all of the user's data when they change their password.

Generate a secret key to encrypt a user's data; call this the "content encryption key." Derive a key from the user's password; call this the "key encryption key." Encrypt the "content encryption key" using the "key encryption key." Store the encrypted key along with the salt and the number of iterations used for key derivation.

If they change their password, decrypt the content encryption key with the old password, and re-encrypt it with a key derived from the new password. You should choose a new salt for the new password, and make sure you store it along with the new encrypted key.

Because the content encryption key is randomly chosen from a huge space, you can safely use ECB as the cipher mode when encrypting it.

Don't simply hash the password, even if you use salt or even if you use an as-yet-unbroken algorithm. You need to repeat the hashing operation thousands of times. There are libraries for doing this (correctly) on most platforms. Use a key derivation algorithm (PBKDF2, from PKCS #5) to create a secret key from a password.

This concept follows the draft for password-based S/MIME encryption.

Answer 2

First, you generally shouldn't use the password as an AES key. Maybe something like a cryptographic hash (not MD5) of the password + a salt (you would store the salt but not the hash in this case).

One thing you could do is encrypt each user's files with a random key, then encrypt that key with the hashed+salted password. If the user changes passwords, you only have to re-encrypt the key.

Answer 3

One possibility to consider decouples the key used to encrypt the data from the key used to gain access to the data. Done carefully, this allows the user to change their password as often as they desire, while you only change one record in the database. Separately, you can schedule changes to the key(s) encrypting their data when it is convenient for you.

How does it work?

• You encrypt the data D for user U with a randomly generated key, K_U,D.
• You encrypt the key K_U,D with a separate key K1_U,K generated from a random salt, S1_U (which you keep a record of) and the user's password P1_U (which you may or may not keep track of). The encrypted key is E1_U.
• You store S1_U and K1_U,K ready for when the user wants to access their data.
• When user U wants to access their data, they provide you with their password, P1_U, and you look up S1_U and regenerate K1_U,K from that data, and use that to decrypt E1_U, giving you K_U,D once more, with which you decrypt their actual data.
• You ensure you can detect when the password given is correct so you don't spew forth binary gibberish if the users types the wrong password.

The advantage of this level of indirection comes when the user wants to change their password. If you don't use some technique analogous to this, you will have to get and validate the old password and the new password, decrypt all the data with the old password, and re-encrypt it all with the new password.

With the level of indirection, you still prompt the user for their old password (P1_U) and their new password (P2_U) and validate them, but you only have to decrypt E1_U and then re-encrypt it with a new key K2_U,K generated from a new salt S2_U and the new password P2_U. You do not have to touch the encrypted data at all.

With the level of indirection, the system S can also keep a second encrypted copy of the data key K_U,D, encrypted with the system's password. If it becomes necessary or desirable to change the key used for encrypting the data, the system can use its encrypted copy of the key to do so. It can keep a record of which key was last recorded by the user in their key, so when the user returns to look at the data, it can arrange to to change the stored key K2_U,D because at that time, it has their password (the rest of the time, it does not).

This is a mild variation on some of the ideas in "Cryptography in the Database: The Last Line of Defense" by Kevin Kenan. The Kn_U,K keys are examples of a KEK, a Key-Encrypting Key. You could also read about key families in the book, which would help with the management of encrypted data.