如何为单个文件实施密码保护? [英] How to implement password protection for individual files?
问题描述
我写了一个桌面应用程序,应该能够加密数据文件,并用密码保护它(即必须输入正确的密码解密)。我想要加密的数据文件是自包含和可移植的,所以认证必须嵌入到文件中(或者我假设)。
I'm writing a little desktop app that should be able to encrypt a data file and protect it with a password (i.e. one must enter the correct password to decrypt). I want the encrypted data file to be self-contained and portable, so the authentication has to be embedded in the file (or so I assume).
我有一个策略看起来可行,似乎基于我知道(这可能只是足够危险),但我不知道它是否实际上是一个好的设计或没有逻辑。所以告诉我:这是疯了吗?有更好/最好的方法吗?
I have a strategy that appears workable and seems logical based on what I know (which is probably just enough to be dangerous), but I have no idea if it's actually a good design or not. So tell me: is this crazy? Is there a better/best way to do it?
- 步骤1:用户输入明文密码。 MyDifficultPassword
- 步骤2:应用程序对用户密码进行哈希运算,并将该值用作加密/解密数据文件的对称密钥。例如MyDifficultPassword - >HashedUserPwdAndKey。
- 步骤3:应用程序对来自步骤2的散列值进行散列,并将新值保存在数据文件头(即数据文件的未加密部分)中,并使用该值验证用户的密码。例如HashedUserPwdAndKey - >HashedValueForAuthentication
基本上,我从常用的方式推断网站密码不使用OpenID,也就是),这是将用户密码的(已盐化)哈希存储在您的数据库中,而不会保存实际的密码。但是,由于我使用散列用户密码对称加密密钥,我不能使用相同的值进行身份验证。所以我再次哈希它,基本上对待它就像另一个密码,并保存在数据文件中的双哈希值。这样,我可以把文件到另一台电脑,并通过简单的输入我的密码解密。
Basically I'm extrapolating from the common way to implement web-site passwords (when you're not using OpenID, that is), which is to store the (salted) hash of the user's password in your DB and never save the actual password. But since I use the hashed user password for the symmetric encryption key, I can't use the same value for authentication. So I hash it again, basically treating it just like another password, and save the doubly-hashed value in the data file. That way, I can take the file to another PC and decrypt it by simply entering my password.
这样的设计是相当安全的,或绝望的幼稚, ?谢谢!
So is this design reasonably secure, or hopelessly naive, or somewhere in between? Thanks!
编辑:澄清和后续问题re:Salt。
我认为盐必须保密才有用,你的答案和链接暗示这不是这样。例如,由erickson链接的此规范(以下)说:
clarification and follow-up question re: Salt.
I thought the salt had to be kept secret to be useful, but your answers and links imply this is not the case. For example, this spec linked by erickson (below) says:
因此,这里定义的基于密码的密钥推导是密码,盐和迭代计数的函数,
Thus, password-based key derivation as defined here is a function of a password, a salt, and an iteration count, where the latter two quantities need not be kept secret.
这意味着我可以将salt值存储在同一个地方/文件中作为哈希键,仍然更安全,如果我使用没有盐在所有当哈希?
Does this mean that I could store the salt value in the same place/file as the hashed key and still be more secure than if I used no salt at all when hashing? How does that work?
多一点上下文:加密文件并不意味着与其他人共享或解密,而是真正的单用户数据。但我想将它部署在计算机上的共享环境中,我不能完全控制(例如在工作中),并能够通过简单地复制文件来迁移/移动数据(所以我可以在家里使用它,在不同的工作站等)。
A little more context: the encrypted file isn't meant to be shared with or decrypted by others, it's really single-user data. But I'd like to deploy it in a shared environment on computers I don't fully control (e.g. at work) and be able to migrate/move the data by simply copying the file (so I can use it at home, on different workstations, etc.).
推荐答案
密钥生成
建议使用 PKCS#5版本中定义的已识别算法(如PBKDF2) 2.0 从密码生成密钥。它类似于您提出的算法,但能够生成用于AES的更长的对称密钥。您应该能够找到一个实现用于不同算法的PBE密钥生成器的开源库。
Key Generation
I would recommend using a recognized algorithm such as PBKDF2 defined in PKCS #5 version 2.0 to generate a key from your password. It's similar to the algorithm you outline, but is capable of generating longer symmetric keys for use with AES. You should be able to find an open-source library that implements PBE key generators for different algorithms.
您还可以考虑使用加密消息语法作为文件的格式。这将需要你的一些研究,但再次有现有的图书馆使用,它打开了与其他软件,如S / MIME启用的邮件客户端之间的交互操作的可能性。
You might also consider using the Cryptographic Message Syntax as a format for your file. This will require some study on your part, but again there are existing libraries to use, and it opens up the possibility of inter-operating more smoothly with other software, like S/MIME-enabled mail clients.
关于您希望存储密码的散列,如果使用PBKDF2生成密钥,您可以使用标准密码哈希算法(大盐,一千次哈希),并获得不同的值。
Regarding your desire to store a hash of the password, if you use PBKDF2 to generate the key, you could use a standard password hashing algorithm (big salt, a thousand rounds of hashing) for that, and get different values.
或者,您可以计算内容上的MAC。密码上的哈希冲突更可能对攻击者有用;对内容的哈希冲突可能是毫无价值的。
Alternatively, you could compute a MAC on the content. A hash collision on a password is more likely to be useful to an attacker; a hash collision on the content is likely to be worthless. But it would serve to let a legitimate recipient know that the wrong password was used for decryption.
Salt 有助于阻止预先计算的字典攻击。
Salt helps to thwart pre-computed dictionary attacks.
假设攻击者有一个可能的密码列表。他可以对每个哈希值进行哈希,并将其与受害者密码的哈希值进行比较,看看它是否匹配。如果列表很大,这可能需要很长时间。他不想花那么多时间在他的下一个目标,所以他记录结果在一个字典,其中一个哈希指向其相应的输入。如果密码列表非常,非常长,他可以使用像彩虹表以节省一些空间。
Suppose an attacker has a list of likely passwords. He can hash each and compare it to the hash of his victim's password, and see if it matches. If the list is large, this could take a long time. He doesn't want spend that much time on his next target, so he records the result in a "dictionary" where a hash points to its corresponding input. If the list of passwords is very, very long, he can use techniques like a Rainbow Table to save some space.
但是,假设他的下一个目标对他们的密码进行了盐化。 即使攻击者知道盐是什么,他的预先计算的表是没有价值的,盐改变了每个密码产生的哈希值。他必须重新哈希他的列表中的所有密码,将目标的盐添加到输入。每个不同的盐需要一个不同的字典,如果使用足够的盐,攻击者将没有空间来为他们存储字典。交易空间节省时间不再是一个选择;攻击者必须回退到对他想要攻击的每个目标的列表中的每个密码哈希。
However, suppose his next target salted their password. Even if the attacker knows what the salt is, his precomputed table is worthless—the salt changes the hash resulting from each password. He has to re-hash all of the passwords in his list, affixing the target's salt to the input. Every different salt requires a different dictionary, and if enough salts are used, the attacker won't have room to store dictionaries for them all. Trading space to save time is no longer an option; the attacker must fall back to hashing each password in his list for each target he wants to attack.
所以,没有必要保持盐秘密。确保攻击者没有对应于该特定盐的预计算字典就足够了。
So, it's not necessary to keep the salt secret. Ensuring that the attacker doesn't have a pre-computed dictionary corresponding to that particular salt is sufficient.
这篇关于如何为单个文件实施密码保护?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
