Hash and encryption in combination: preserving security


Question

I would like to protect my database of secret information with a master key or master password and encrypt the data. Only if the user enters the correct master key, the data will be decrypted.

Obviously, when creating the master key, I should only save this as a hash value (e.g. SHA). But then I also need a key to encrypt the data with (e.g. AES). I thought of using the master key's hash value as the key for encryption.

But perhaps this is not secure?

If the user enters a key, the hash is calculated and compared to the saved hash value. If they are the same, the database should be encrypted.

But saving the master key's hash value and using it as the key for encryption is probably a security risk, right?

Should I rather use the actual (plaintext) version of the master key to encrypt the data with?

Or just leaving out the step with comparing the hash value to the entered password and instead just trying to encrypt the data with the password entered?

I hope you understand what I'm trying to tell you about my problem. Thanks a lot in advance!

Answer

It is always best to separate responsibilities clearly and only use one cryptographic entity for one purpose and nothing else.

For symmetric encryption (e.g. AES), you need a key, and such a key is typically derived from a password (but it can be derived from a lot of other things, like a collection of files, or even just entered directly). So this entity is "password-which-becomes-encryption-key". Use it for that purpose. No need to store the password anywhere, as deriving the correct key from it is all you need.

If you additionally want to guard access to your application or database with an account system with authentication and authorisation, you also need to manage those credentials. That's an entirely unrelated activity; look up any basic web application design guide for standard solutions.

Just don't reuse a login password as an encryption key.
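The pattern the answer recommends, as an added example that is not part of the original post or the answer: the password is stretched with a memory-hard KDF into a master key that is never stored, and every value that is stored or handed to a cipher is a separate, domain-separated subkey. That gives the asker both things they wanted without reusing one hash for two jobs: a stored check value that tells "wrong password" apart from "corrupt database", and an AES key that cannot be recovered from that check value. The scrypt parameters, the label strings and the header layout are this example's own assumptions, not anything the answer prescribes; the derived `aes-256-gcm-key` would be passed to an AEAD such as AES-GCM from a crypto library, which is left out here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt cost for an interactive unlock (N=2^14, r=8, p=1 uses ~16 MiB).
# Tune these for the target hardware; they are this example's choice, not the answer's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a master key with scrypt.

    The salt is random per database and stored in the clear beside the
    ciphertext. The master key itself is never written anywhere.
    """
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )


def subkey(master_key: bytes, label: bytes) -> bytes:
    """Domain-separated subkey: HMAC-SHA256(master_key, label).

    One purpose per label. Learning one subkey (e.g. the stored check value)
    gives no way back to master_key or to a sibling subkey (the AES key).
    """
    return hmac.new(master_key, label, hashlib.sha256).digest()


def create_header(password: str) -> dict:
    """Set up a new database: pick a salt and store only a check value."""
    salt = os.urandom(16)
    master_key = derive_master_key(password, salt)
    return {
        "salt": salt,
        # Stored on disk; lets the app report a wrong password without ever
        # storing anything that can decrypt the data.
        "check": subkey(master_key, b"password-check"),
    }


def unlock(password: str, header: dict) -> Optional[bytes]:
    """Re-derive keys from the entered password.

    Returns the encryption key on success, or None if the password is wrong.
    The returned key is handed to the cipher (e.g. AES-256-GCM) and never stored.
    """
    master_key = derive_master_key(password, header["salt"])
    candidate_check = subkey(master_key, b"password-check")
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(candidate_check, header["check"]):
        return None
    return subkey(master_key, b"aes-256-gcm-key")


if __name__ == "__main__":
    header = create_header("correct horse battery staple")
    assert unlock("wrong password", header) is None
    key = unlock("correct horse battery staple", header)
    assert key is not None and len(key) == KEY_LEN
    # The stored check value and the encryption key are different outputs.
    assert key != header["check"]
    print("unlocked; AES key derived, check value stored separately")
```

Note what is on disk after `create_header`: a salt and a check value, neither of which is the encryption key or the password. If the stored check value leaks, an attacker still has to run scrypt against password guesses to get anywhere, and the check value on its own decrypts nothing. Contrast this with the asker's first idea (store SHA(master) and use SHA(master) as the AES key), where the stored value is the key.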
