Encryption using password-derived keys

Anton Stiglic astiglic at okiok.com
Thu Dec 1 22:56:04 EST 2005 

It can be useful to derive a key encryption key from the password, and not
use the key derived from the password to directly encrypt data you want to
protect, when the resulting ciphertext can be found in different places
where your encrypted key won't necessarly also be found.  For example, to
encrypt files, when the encrypted files found themselves on a backup disk,
but the key is stored somewhere else (encrypted with a password based key).

This can prevent someone who has access to the ciphertext from executing a
brute force attack.

If however your ciphertext always travers with your encrypted key, you don't
gain much of an advantage (the weak point is the password-based key which
can be brute forced or dictionary attacked).

I don't recommend just XORing for the protection of the key.  If ever your
Key Derivation Function doesn't really act like a good pseudo-random
function, or if you use the same password and salt to derive the same key to
protect two different keys, you will be screwed. I rather recommend
encrypting with something like AES, and I also recommend to compute a MAC
over the ciphertext to turn it into a strong encryption, and avoid attacks
such as what have been found with the HSM and the way they stored keys
outside the HSM.  For further details on that point, see for example section
4.3 of the following paper (follow the references given there)
http://crypto.cs.mcgill.ca/~stiglic/Papers/tripleDES.pdf

--Anton


-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Jack Lloyd
Sent: November 29, 2005 11:09 AM
To: cryptography at metzdowd.com
Subject: Encryption using password-derived keys


The basic scenario I'm looking at is encrypting some data using a
password-derived key (using PBKDF2 with sane salt sizes and iteration
counts). I am not sure if what I'm doing is sound practice or just pointless
overengineering and wanted to get a sanity check.

My inclination is to use the PBKDF2 output as a key encryption key, rather
than
using it to directly key the cipher (with the key used for the cipher itself
being created by a good PRNG). For some reason the idea of using it directly
makes me nervous, but not in a way I can articulate, leading me to suspect
I'm
worried over nothing.

So, assuming using it as a KEK makes sense: At first I thought to use XOR to
combine the two keys, but realized that could lead to related key attacks
(by
just flipping bits in the field containing the encrypted key). That is
probably
not a problem with good algorithms, but, then again, why take the chance; so
I
was thinking instead using NIST's AES-wrap (or perhaps a less weirdly
designed
variant of it that uses HMAC for integrity checking and AES in CBC mode for
confidentiality).

Am I thinking about this far harder than I should?

-Jack

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list