Encrypting a file from a password using libgcrypt

I am developing a simple program that encrypts a file with AES-256-CBC. I am using GNU/Linux and libgcrypt-1.5.0. The IV is generated randomly with the OpenSSL rand function and is stored before the ciphertext in the output file. I am using the PKCS#7 padding method.

Now I am unsure how to proceed:

  • Is it better to encrypt the file with SHA-256 iterated 50,000 times over the entered password, or with the user-supplied password directly?

  • If I want to check whether the entered password is correct, I have to store it in the encrypted file (encrypted, obviously). Is that the right thing to do?

+3




3 answers


  • Use PBKDF2 to derive the key and IV.
  • Use PBKDF2 with a different salt to derive the authentication key, and add a MAC to your encrypted data (MAC after encryption is more secure than before encryption). Check the MAC to see whether the password is correct and whether the data has been altered. If you are unsure which MAC to choose, use HMAC with SHA-512 (assuming you are using AES-256, as in your question).

Instead of calling PBKDF2 twice with different salts, you can use a single PBKDF2 call to generate the encryption and authentication keys at the same time, by producing a key of the combined size of your encryption key and authentication key in one go.



Note that relying on the padding to determine whether the key was correct can lead to padding-oracle attacks on CBC. For file encryption such attacks may not be applicable, depending on the specific circumstances, but it is sound practice to use a proper MAC to authenticate the data anyway, since you also want to prevent bit-flipping attacks and other malicious changes to your data.

+3




  • Neither option is correct. You need to use an algorithm designed for deriving a key from a password, for example PBKDF2. See the gcry_kdf_derive function.


+3




1. What is better: to use SHA-256 repeated 50,000 times over the entered password to encrypt the file, or to use the user-specified password?

You never use a raw password directly as a key. The key should be hardened into something that is resistant to brute-force attacks. Have a look at String-to-Key (S2K) or a password-based key derivation function (PBKDF) with a memory-hard hash like scrypt.


2. If I want to check whether the entered password is correct, I have to store it in the encrypted file (encrypted, obviously). Is that the right thing to do?

No. Use an authenticated encryption mode like GCM. Authenticated encryption modes are tailored to the task and provide both confidentiality and authenticity.

The encrypted file will either decrypt under the password or it will not. Don't worry about the reason. Otherwise you create an oracle that can undo everything from step 1 (which may or may not be applicable here).

0
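A worked example of the recipe the answers converge on, added here as illustration (it is not code from any of the answers and does not use libgcrypt; it is plain Go standard library, so PBKDF2 is written out by hand). It covers the first answer's points and both bullets of the question: one PBKDF2 call whose output is split into an AES-256 key and an HMAC-SHA-512 key, AES-256-CBC with PKCS#7 padding, encrypt-then-MAC over salt||IV||ciphertext, and a decrypt routine in which the MAC check is the password check, so nothing about the password ever needs to be stored. The file layout, the 16-byte salt and the 50,000 iteration count are assumptions chosen for the example; the password and plaintext in main are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)
// Assumed file layout: salt || IV || ciphertext || HMAC tag.
const saltLen, iters, encLen, macLen = 16, 50000, 32, 64 // AES-256 key and HMAC-SHA-512 key sizes

// pbkdf2HMAC is RFC 8018 PBKDF2 with HMAC-SHA-512, written out on top of crypto/hmac.
func pbkdf2HMAC(password, salt []byte, iter, keyLen int) []byte {
	prf, out := hmac.New(sha512.New, password), []byte{}
	for i := uint32(1); len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		binary.Write(prf, binary.BigEndian, i) // U_1 = PRF(P, S || INT(i))
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ { // T_i = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys makes one PBKDF2 call and splits the output into encryption key and MAC key.
func deriveKeys(password, salt []byte) (encKey, macKey []byte) {
	km := pbkdf2HMAC(password, salt, iters, encLen+macLen)
	return km[:encLen], km[encLen:]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b[:len(b):len(b)], bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees len(b) > 0
	n := int(b[len(b)-1])
	if n < 1 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// sealCBC: AES-256-CBC with PKCS#7, then HMAC-SHA-512 over salt||IV||ciphertext (encrypt-then-MAC).
func sealCBC(password, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+aes.BlockSize) // random salt followed by random IV
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	encKey, macKey := deriveKeys(password, hdr[:saltLen])
	blk, _ := aes.NewCipher(encKey) // key is always 32 bytes, so NewCipher cannot fail
	padded := pkcs7Pad(plaintext)
	out := append(hdr, make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(blk, hdr[saltLen:]).CryptBlocks(out[len(hdr):], padded)
	mac := hmac.New(sha512.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // tag appended after the data it covers
}

// openCBC verifies the MAC before decrypting. A wrong password derives a different MAC key, so one
// constant-time comparison rejects wrong passwords and tampering alike without ever touching the padding.
func openCBC(password, blob []byte) ([]byte, error) {
	hdrLen, ctLen := saltLen+aes.BlockSize, len(blob)-saltLen-aes.BlockSize-sha512.Size
	if ctLen < aes.BlockSize || ctLen%aes.BlockSize != 0 {
		return nil, errors.New("malformed file")
	}
	body, tag := blob[:hdrLen+ctLen], blob[hdrLen+ctLen:]
	encKey, macKey := deriveKeys(password, body[:saltLen])
	mac := hmac.New(sha512.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("wrong password or corrupted file")
	}
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(blk, body[saltLen:hdrLen]).CryptBlocks(pt, body[hdrLen:])
	return pkcs7Unpad(pt)
}

func main() {
	blob, _ := sealCBC([]byte("constructed password"), []byte("constructed sample plaintext"))
	_, err := openCBC([]byte("wrong password"), blob)
	fmt.Println("wrong password:", err)
}
```

Because the MAC is checked before any decryption, a wrong password and a modified file produce the same error and the padding is never consulted on unauthenticated data, which is the oracle the first and third answers warn about. For the third answer's GCM route, the separate MAC key and the HMAC step fall away: the single derived key goes into an AEAD and the authentication failure comes from the decrypt call itself.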


