Store hash of encryption key - compromise encryption?

rsts
Addict
Posts: 2736
Joined: Wed Aug 24, 2005 8:39 am
Location: Southwest OH - USA

Store hash of encryption key - compromise encryption?

Post by rsts »

I have a rather large (from several hundred MB to a few GB) aes encrypted user database (http://www.purebasic.fr/english/viewtop ... 12&t=56070) encrypted with a user-specified encryption key.

Is there a way to store some key verification information which does not compromise the key such that the key may be validated with a pretty high (statistically) degree of likelihood?

I would like to offer a "That key does not appear to be correct" warning rather than just decrypting the entire database and displaying gibberish, yet it's imperative that the security of the key be uncompromised (else why use aes to begin with?). The "That key does not appear to be correct" not being 100% reliable - i.e. I'll accept a very low probability "false positive" because the user can always decide to proceed anyway. This is better than compromising the key.

I've thought about storing the SHA1(or sha2, etc) of the key in the database and using that as a check, but it would appear that may permit a brute-force attack on the SHA that would compromise the aes key. Would storing a sha of the key + some (random?) salt eliminate that and still protect the key?

I want to avoid compromising the aes security in any way, but would like some sort of validation short of decrypting the entire database if possible. If it's not, then they'll have to live with gibberish if they make a mistake.

Incidentally, I've read https://crackstation.net/hashing-security.htm but am still unsure if the password hash compromises the aes key such that it should NOT be stored in the DB in ANY form.
coco2
Enthusiast
Posts: 368
Joined: Mon Nov 25, 2013 5:38 am
Location: Australia

Re: Store hash of encryption key - compromise encryption?

Post by coco2 »

From what I read, that website is referring to a database that is not encrypted, only the records within are encrypted. Why do you need to encrypt the entire database? As long as you don't leak information by padding any variable length records to the same size it should be secure.
rsts
Addict
Posts: 2736
Joined: Wed Aug 24, 2005 8:39 am
Location: Southwest OH - USA

Re: Store hash of encryption key - compromise encryption?

Post by rsts »

The database is encrypted (aes256) at the user's request. They want it encrypted. It is their data.

I'm merely looking for a way to validate the key when they enter it for decrypting the database which does not require decrypting the entire database, but only if storing some hash of the key does not compromise the integrity of the original db encryption - aes256.

If there is no way to store a key validation in some fashion then we'll decrypt to the user entered key regardless and they can determine when they see the data the key was incorrect. I'm merely looking for a way to tell them the key is probably incorrect without decrypting the entire db. But I do not want to compromise the key in any way.

cheers
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Re: Store hash of encryption key - compromise encryption?

Post by Inf0Byt3 »

If I had to find a way to check the password without decrypting everything, I'd create a special record in the database, one that contains the following string for example: "THIS IS A DATABASE ENCRYPTION SIGNATURE". When encrypting the fields, encrypt that field too, with the same password. When checking a password to see if we need to decrypt the whole database, first decrypt just that field and see if it matches the initial string. If it does, we can continue decrypting, if not, show the "key does not appear to be correct" message. The advantage of this is that the attacker does not know the password nor has he any information about it (such as its hash).

By the way, instead of "THIS IS A DATABASE ENCRYPTION SIGNATURE" I'd choose some random characters (it wouldn't affect the scheme since the data is known to you).

Also, for the AES encryption, make sure to have a good key derivation function, don't use the hash of a password directly as a key.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
rsts
Addict
Posts: 2736
Joined: Wed Aug 24, 2005 8:39 am
Location: Southwest OH - USA

Re: Store hash of encryption key - compromise encryption?

Post by rsts »

Thanks Inf0Byt3.

That is one of the methods we considered but we wondered if having a "known" record in the db compromises the key in any way? If not, that's certainly a consideration.

cheers
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Re: Store hash of encryption key - compromise encryption?

Post by Inf0Byt3 »

By no means am I an expert in this field, but I think it won't be a problem. For the attacker all the data is the same - encrypted. There are a few things to consider:

1. The attacker doesn't know the data contained in the "decryption test field". If he did, this would let the cipher be susceptible to a known-plaintext attack, although according to Wikipedia, AES is not susceptible to KPAs.

2. The attacker does not know if there is a relation between the key used for encrypting the "decryption test field" and the key used for encrypting the data inside the DB. To make things hard for him, disregard what I said in my earlier post and encrypt that signature with a key different from the key used to encrypt the data. You can have both keys derived from the same password, but use different IVs for the KDF and different number of iterations.

3. Make that signature a bit longer to discourage brute-forcing it. Some 1024 random bytes would suffice (?). Change this signature regularly if possible.

Maybe someone who works with encryption more often could offer some insight whether this would work as intended.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
coco2
Enthusiast
Posts: 368
Joined: Mon Nov 25, 2013 5:38 am
Location: Australia

Re: Store hash of encryption key - compromise encryption?

Post by coco2 »

Encrypt the symmetric AES key using asymmetric RSA encryption and store that in the database. Then encrypt the entire database using AES. Now you can store the public key in your application to decrypt the AES key stored within the database and even someone who gets the source code cannot figure out the plaintext within the database. When you decrypt the AES key from inside the database and compare it to the password entered by the user, you can get a 100% confirmation the user has the correct password. You could even discard the private key used to encrypt the key without even saving it to a hard disk, but only as long as the data integrity of the encrypted database has been confirmed.
Last edited by coco2 on Tue Jul 01, 2014 1:00 pm, edited 1 time in total.
rsts
Addict
Posts: 2736
Joined: Wed Aug 24, 2005 8:39 am
Location: Southwest OH - USA

Re: Store hash of encryption key - compromise encryption?

Post by rsts »

That is very similar to a solution I saw in stackexchange and seems to be a workable solution.

One hesitation I have with this is the lack of proven RSA code for PureBasic. All I've been able to locate is a lib and I hate to rely on libs, especially with the version to version changes so frequent in PB.

Another alternative I'm considering is using a sha3 hash of the key + random salt to a length of 256/512 bytes. This should be sufficiently secure for the key-check portion, such that the hash key check will not be compromising the overall db encryption.

If they need something more secure than this, I probably shouldn't have them as customers ;)

Thanks for the suggestions.
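
Added example (not code from any poster in this thread): a Python sketch of the key check discussed in Inf0Byt3's point 2 and in the salted-hash idea in the post above, where a check key and the AES-256 key are derived from the same password with different salts and only a short tag made from the check key is stored. HMAC-SHA256 over a fixed label stands in for encrypting a known record, PBKDF2 stands in for "a good key derivation function", and the names `create_header`, `unlock`, `ITERATIONS` and `CHECK_LABEL` are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000           # assumed work factor; tune for the target hardware
CHECK_LABEL = b"db-key-check"  # constructed constant input for the check tag


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, returning a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_header(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the values stored in clear beside the encrypted database."""
    salt_enc = os.urandom(16)  # salt for the data-encryption key
    salt_chk = os.urandom(16)  # independent salt for the check key
    check_key = _derive(password, salt_chk, iterations)
    return {
        "iterations": iterations,
        "salt_enc": salt_enc,
        "salt_chk": salt_chk,
        # 16-byte tag: a wrong password matches with probability 2**-128
        "check": hmac.new(check_key, CHECK_LABEL, hashlib.sha256).digest()[:16],
    }


def unlock(password: str, header: dict):
    """Return the 32-byte AES-256 key if the password matches, else None."""
    check_key = _derive(password, header["salt_chk"], header["iterations"])
    tag = hmac.new(check_key, CHECK_LABEL, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, header["check"]):  # constant-time compare
        return None  # caller shows "That key does not appear to be correct"
    # Only now derive the key that actually decrypts the database.
    return _derive(password, header["salt_enc"], header["iterations"])
```

The stored tag never contains the AES key or the raw password hash, but anyone holding the header can still test password guesses offline at the cost of one KDF run per guess, so the iteration count and password strength set the real margin.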
coco2
Enthusiast
Posts: 368
Joined: Mon Nov 25, 2013 5:38 am
Location: Australia

Re: Store hash of encryption key - compromise encryption?

Post by coco2 »

I have a working RSA code in Purebasic but I've only just finished it so I'm still optimising and securing (we have a lot more knowledge of attacks on RSA these days so it can have extra security measures to block side channel attacks etc). I agree SHA3 +salt would be highly secure.
rsts
Addict
Posts: 2736
Joined: Wed Aug 24, 2005 8:39 am
Location: Southwest OH - USA

Re: Store hash of encryption key - compromise encryption?

Post by rsts »

coco2 wrote: I have a working RSA code in Purebasic but I've only just finished it so I'm still optimising and securing (we have a lot more knowledge of attacks on RSA these days so it can have extra security measures to block side channel attacks etc).
Great. A verified RSA routine(s) will be a welcome addition to the code library. Thanks.