Re: Hash question ...



"Jeremiah D. Seitz" <jseitz@xxxxxxxxxxxxxxxxx> wrote in message
news:cspju2l9ff2pm70afj123in0j70jlu10p3@xxxxxxxxxx
I want to get some feedback from the group. My current method
of encrypting files is to store the hash of the plaintext in the
header of the file. When a user enters an incorrect passphrase, the
program can tell that the passphrase is correct or not based on that
hash.

It works well enough for smaller files, but I'd hate to wait
minutes just to find that I entered the wrong passphrase. Could I
include the hash of the passphrase in the file header without
compromising the security?

More specifically, if I generate an encryption key with the
MD5 of the passphrase, could I safely store the SHA of the passphrase
in the file? Given the SHA, is it possible to reconstruct the MD5? How
about using CRC32 instead of SHA? That seems to be a good bet, but
that 1 in 4.2 billion collision is bugging me. <g>

Thanks in advance,

Use an HMAC of the header, and also store an HMAC of the entire file (you
could also build an HMAC merkle tree for fast verification, but this would
take more time to explain). So you'll have 3 keys:
K_1 = HASH("Encryption Key" | IV1 | passphrase )
K_2 = HASH("Header MAC Key" | IV2 | passphrase)
K_3 = HASH("Full file MAC Key" | IV3 | passphrase)

IV* are randomly generated values, known length is ok.
Store IV* in the output file in the clear
Then take the first substantial chunk of the plaintext, 1KB will suffice,
call this Header and store HMAC(K_2, Header) in the output file, generate
hmac=HMAC(K_3, entire input file), append hmac to the end of the INPUT file.
Encrypt the input file (with appended hmac) using K_1, store the ciphertext
in the output file.

This generates a knowable format, and if you include designators in the
file, for example creating a file format of
IV1 = 0xsomething
IV2 = 0xsomething2
IV3 = 0xsomething3
HMACHash = SHA-512
HeaderMac = 0xblah

EncryptedLength= a number
EncryptedData =
binary data

It will be easy to parse, and since format doesn't matter, this works quite
well.

For speed on a multicore processor you can actually run the HMAC and
encryption at the same time in two separate threads, this will place the
speed bottleneck very solidly on the disk. Since AES in CBC mode is close to
100MB/sec, and SHA-512 is close to 100MB/sec and if you synchronize the
threads the memory bandwidth is cut in half, you're looking at probably
being in the 80MB/sec range on this, since a modern hard drive generally has
sustainable write rate of < 80MB/sec this should be disk bound, even when
working between two drives. So the question is now: Can you wait 8 seconds
for that CD and 60 seconds for the DVD?
Joe
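The layout Joe describes, written out as an added example (not his code, and not from the original thread): keys derived as K_i = HASH(label | IV_i | passphrase) with SHA-512, the header HMAC used for a quick wrong-passphrase check before the full decrypt, and the full-file HMAC appended to the input before encryption. HMAC-SHA512 in counter mode stands in for AES-CBC because Python's standard library has no AES; the 16-byte IV length, the field order and the 8-byte length prefix are assumptions.

```python
import hashlib, hmac, os, struct

HEADER_LEN, IV_LEN, MAC_LEN = 1024, 16, 64  # 1KB header chunk, three clear IVs, SHA-512 HMAC tags

def derive_keys(passphrase: bytes, ivs):
    # K_i = HASH(label | IV_i | passphrase) as the post lays it out; SHA-512 is an assumption
    labels = (b"Encryption Key", b"Header MAC Key", b"Full file MAC Key")
    return [hashlib.sha512(lbl + iv + passphrase).digest() for lbl, iv in zip(labels, ivs)]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES (not in the stdlib): HMAC-SHA512 counter-mode keystream XORed into the data.
    # One call both encrypts and decrypts, and a prefix decrypts on its own since blocks start at 0.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = hmac.new(key, struct.pack(">Q", i // 64), hashlib.sha512).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def encrypt_file(passphrase: bytes, plaintext: bytes) -> bytes:
    ivs = [os.urandom(IV_LEN) for _ in range(3)]
    k1, k2, k3 = derive_keys(passphrase, ivs)
    header_mac = hmac.new(k2, plaintext[:HEADER_LEN], hashlib.sha512).digest()
    full_mac = hmac.new(k3, plaintext, hashlib.sha512).digest()  # appended to the INPUT, then encrypted
    ct = keystream_xor(k1, plaintext + full_mac)
    return b"".join(ivs) + header_mac + struct.pack(">Q", len(ct)) + ct

def parse_file(blob: bytes):
    ivs = [blob[i * IV_LEN:(i + 1) * IV_LEN] for i in range(3)]
    pos = 3 * IV_LEN
    header_mac = blob[pos:pos + MAC_LEN]
    (ct_len,) = struct.unpack(">Q", blob[pos + MAC_LEN:pos + MAC_LEN + 8])
    ct = blob[pos + MAC_LEN + 8:]
    if len(ct) != ct_len or ct_len < MAC_LEN:
        raise ValueError("truncated file")
    return ivs, header_mac, ct
def passphrase_is_correct(passphrase: bytes, blob: bytes) -> bool:
    # The fast reject: decrypt only the first 1KB and check the header HMAC. No hash of the
    # passphrase is stored, so a wrong guess costs one HMAC rather than a full-file decrypt.
    ivs, header_mac, ct = parse_file(blob)
    k1, k2, _ = derive_keys(passphrase, ivs)
    head = keystream_xor(k1, ct[:min(HEADER_LEN, len(ct) - MAC_LEN)])  # plaintext bytes only, never the tag
    return hmac.compare_digest(hmac.new(k2, head, hashlib.sha512).digest(), header_mac)
def decrypt_file(passphrase: bytes, blob: bytes) -> bytes:
    if not passphrase_is_correct(passphrase, blob):
        raise ValueError("wrong passphrase (header MAC mismatch)")
    ivs, _, ct = parse_file(blob)
    k1, _, k3 = derive_keys(passphrase, ivs)
    pt_and_mac = keystream_xor(k1, ct)
    pt, full_mac = pt_and_mac[:-MAC_LEN], pt_and_mac[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(k3, pt, hashlib.sha512).digest(), full_mac):
        raise ValueError("full-file MAC mismatch: file corrupted or tampered")
    return pt
```

A current implementation would replace the plain hash in derive_keys with a slow, salted KDF (PBKDF2 or scrypt) and would put the full-file tag over the ciphertext so it can be verified before any decryption; the structure above follows the post as written.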




