AES：如何检测输入了错误的密码？ [英] AES: how to detect that a bad password has been entered?

问题描述

文本 s 的加密方式为：

s2 = iv + Crypto.Cipher.AES.new(Crypto.Hash.SHA256.new(pwd).digest(), 
                                    Crypto.Cipher.AES.MODE_CFB, 
                                    iv).encrypt(s.encode())

然后，用户输入密码 pwd2 ，并使用以下命令对其解密：

Then, later, a user inputs the password pwd2 and we decrypt it with:

iv, cipher = s2[:Crypto.Cipher.AES.block_size], s2[Crypto.Cipher.AES.block_size:]

s3 = Crypto.Cipher.AES.new(Crypto.Hash.SHA256.new(pwd2).digest(),
                           Crypto.Cipher.AES.MODE_CFB, 
                           iv).decrypt(cipher)

问题：即使输入的密码 pw2 错误，最后一行仍然有效。当然，解密后的文本将是随机字符，但不会触发错误。

Problem: the last line works even if the entered password pw2 is wrong. Of course the decrypted text will be random chars, but no error is triggered.

问题：如何制作 Crypto.Cipher.AES.new（ ...）。如果密码 pw2 不正确，则解密（密码）失败？还是至少如何检测到错误的密码？

Question: how to make Crypto.Cipher.AES.new(...).decrypt(cipher) fail if the password pw2 is incorrect? Or at least how to detect a wrong password?

这是一个链接的问题：如果密码无效，则使AES解密失败
，这里是有关密码部分的讨论（无需编程） ）： AES，这种说您输入的密码错误的方法安全吗？
。

Here is a linked question: Making AES decryption fail if invalid password and here a discussion about the cryptographic part (less programming) of the question: AES, is this method to say "The password you entered is wrong" secure? .

推荐答案

AES提供了机密性，但没有提供现成的完整性-为了获得完整性，您有一些选择。最容易且可以说是最不容易发生的脚踢是使用AES-GCM-请参阅此Python示例或这一个。

AES provides confidentiality but not integrity out of the box - to get integrity too, you have a few options. The easiest and arguably least prone to "shooting yourself in the foot" is to just use AES-GCM - see this Python example or this one.

您也可以使用HMAC，但这通常需要管理两个不同的密钥，并且还有一些移动的部分。我会建议您选择第一个选项。

You could also use an HMAC, but this generally requires managing two distinct keys and has a few more moving parts. I would recommend the first option if it is available to you.

注意，SHA-256不是转换用户创建密码时使用的很好的KDF。加密密钥。流行的密码哈希算法在此方面更胜一筹-看看Argon2，bcrypt或PBKDF2。

A side note, SHA-256 isn't a very good KDF to use when converting a user created password to an encryption key. Popular password hashing algorithms are better at this - have a look at Argon2, bcrypt or PBKDF2.

编辑：SHA-256是A的原因KDF错误的原因与造成错误的密码哈希功能的原因相同-只是太快。用户创建的128位密码通常比随机的128位序列包含更少的熵-人们喜欢选择单词，有意义的序列等。使用SHA-256一次性加密并不能真正缓解此问题。但是，使用诸如设计为慢速的Argon2之类的结构对其进行哈希处理会使暴力攻击的可行性大大降低。

Edit: The reason SHA-256 is a bad KDF is the same reason it makes a bad password hash function - it's just too fast. A user created password of, say, 128 bits will usually contain far less entropy than a random sequence of 128 bits - people like to pick words, meaningful sequences etc. Hashing this once with SHA-256 doesn't really alleviate this issue. But hashing it with a construct like Argon2 that is designed to be slow makes a brute-force attack far less viable.

这篇关于AES：如何检测输入了错误的密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！