使用密码哈希来加密私钥 [英] Using hash of password to encrypt private key

问题描述

我正在开发一个Web应用程序，需要在其中加密敏感信息.我的计划是使用AES-256，其中私钥通过用户密码的哈希值加密.我需要存储密码的哈希值以进行身份​​验证，但是显然不能与用于加密私钥的密码相同.我当前的想法是使用bcrypt生成一个密钥，该密钥用于加密私钥.对于身份验证，我的想法是简单地使用bcrypt对密码进行哈希处理，然后再次使用bcrypt对该哈希进行哈希处理，然后将该哈希存储在数据库中.由于这是一种方法，因此不应该有任何方法使用存储的哈希来解密私钥吗?执行此操作时是否存在任何明显的安全问题，而我可能会丢失该问题?

I am developing a web application in which I need to encrypt sensitive information. My plan is to use use AES-256 where the private key is encrypted by a hash of the user's password. I need to store the hash of the password for authentication purposes, but it obviously can't be same used to encrypt the private key. My current thought is to use bcrypt to generate a key to be used to encrypt the private key. For authentication, my thought was to simply hash the password using bcrypt and then hash that hash using bcrypt again and then store that hash in the database. Since it is one way, there shouldn't be any way to use the stored hash to decrypt the private key? Are there any obvious security issues with doing this that I may be missing?

我的另一种想法是使用两种不同的加密算法，例如使用bcrypt哈希对私钥进行加密，以及存储SHA-2哈希以进行身份​​验证.

My other thought was to use two different encryption algorithms, such as using a bcrypt hash to encrypt the private key and storing a SHA-2 hash for authentication purposes.

感谢您的帮助.

推荐答案

我建议使用 PBKDF2 在这种情况下.您可以使用两种不同的盐，一种盐将导出对称密钥，另一种盐将导出要存储的密码哈希.盐应包含区分两种不同用例的确定性部分，以及随机部分-参见.此评论:

I'd recommend using PBKDF2 in this situation. You can use two different salts, one that would derive the symmetric key and the other one would derive the password hash to be stored. The salt should contain a deterministic part distinguishing the two different use cases, as well as a random part - cf. this comment:

否则，盐应包含明确显示的数据 区分不同的操作和不同的键 长度，以及至少八个随机部分 个八位位组，此数据应由以下人员检查或重新生成: 接受盐的一方.例如，盐可能含有 一个额外的非随机八位位组，它指定了以下目的 派生密钥.另外，也可以是 指定有关派生的详细信息的结构 密钥，例如加密或身份验证技术以及 从 密码.保留了附加数据的特定格式 到应用程序.

Otherwise, the salt should contain data that explicitly distinguishes between different operations and different key lengths, in addition to a random part that is at least eight octets long, and this data should be checked or regenerated by the party receiving the salt. For instance, the salt could have an additional non-random octet that specifies the purpose of the derived key. Alternatively, it could be the encoding of a structure that specifies detailed information about the derived key, such as the encryption or authentication technique and a sequence number among the different keys derived from the password. The particular format of the additional data is left to the application.

像注释中提到的那样，普通的盐腌SHA-2可能不够用，因为典型密码的熵差.

A plain, salted SHA-2 probably isn't enough because of the poor entropy of typical passwords, as was mentioned in the comments.

这篇关于使用密码哈希来加密私钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！