
Does my asymmetric/symmetric mixed file encryption pseudo code pass sanity check?


I realize this depends on my implementation and the implementation of the libraries I use. I am asking about my process assuming that the encryption libraries and my code are not flawed/compromised, the user's password is secure and the machine is not compromised.

The goal here is to protect the confidentiality of the files with a password, and be able to encrypt them without entering a password.

Initial setup:
- Generate an RSA keypair
- Prompt user for password and assume they use a sufficiently secure one
- Encrypt private key in DER format, pkcs=8, scheme = scryptAndAES256-CBC with the user password

For each file:
- Generate a random session key of 32 bytes
- Encrypt session key with initial public key
- Generate a random nonce of 12 bytes
- Write to output file:
  - Encrypted session key
  - Nonce
  - Encrypted file stream with AES GCM using random 32B session key and 12B nonce

When decrypting a file:
- Prompt user for their password, decrypt initial private key
- Read the encrypted session key and nonce from the beginning of the file
- Decrypt the session key with the initial private key
- Decrypt the file stream with the session key and nonce

The only other things to note are that I chose GCM for its speed, over CBC for instance. I am also aware of the collision issue with using a random nonce; however, I understand that this would be more of an issue if I had billions of files using the same session key. And with a 32-byte random key I basically have 44 bytes of space to avoid collision. It is desirable for me to not have to keep track of a nonce.

Are there any issues with this plan or would this be a secure way to protect the privacy of files assuming the pseudo code was properly implemented?
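The per-file part of the scheme above, written out in Go as an added example (it is not code from the question; the password-protected private key from the setup step is not shown). It assumes an RSA key generated elsewhere, wraps the 32-byte session key with RSA-OAEP/SHA-256 as one concrete choice for the otherwise unspecified "encrypt session key with public key" step, and binds the header to the ciphertext through GCM's associated data.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

const keyLen, nonceLen = 32, 12 // AES-256 session key and GCM nonce sizes from the post
// newGCM builds AES-GCM; callers pass a checked 32-byte key, so both library errors are unreachable.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// encryptFile returns [wrapped key | nonce | ciphertext+tag]; the key is wrapped with RSA-OAEP/SHA-256, not textbook RSA or PKCS#1 v1.5.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	rnd := make([]byte, keyLen+nonceLen) // fresh random session key and nonce per file
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	sessionKey, nonce := rnd[:keyLen], rnd[keyLen:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// The header is authenticated as associated data, so a wrapped key or nonce transplanted from another file fails the tag check.
	header := append(append([]byte{}, wrapped...), nonce...)
	return append(header, newGCM(sessionKey).Seal(nil, nonce, plaintext, header)...), nil
}

func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	hdrLen := priv.Size() + nonceLen // the wrapped key is exactly one RSA modulus long
	if len(blob) < hdrLen {
		return nil, rsa.ErrDecryption // truncated: not even a complete header
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:priv.Size()], nil)
	if err != nil || len(sessionKey) != keyLen { // a wrong-size key would change the cipher or crash newGCM
		return nil, rsa.ErrDecryption
	}
	return newGCM(sessionKey).Open(nil, blob[priv.Size():hdrLen], blob[hdrLen:], blob[:hdrLen])
}
```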

DannyNiu
The scheme is typical and I can't see an apparent flaw so far. But if it were me, I wouldn't let the task of proving security rob my sleep and hair - I'd use an existing, established file encryption product such as 7-zip (or RAR if you can spare some bucks), though they don't have public-key encryption.
DannyNiu
PGP and GnuPG are also good; they have GUI derivatives, I believe.
fgrieu
"Encrypt session key with initial public key" and "decrypt initial private key" are severely under-specified; a ton of mistakes can be made there, like using $x\mapsto x^e\bmod n$ for encryption of the session key, or using [RSAES-PKCS1-v1_5](https://pkcs1.grieu.fr/#page=23). To a lesser degree, "Generate an RSA keypair" and the parameterization of scrypt are also under-specified, even if we only consider security.
Maarten Bodewes
Also beware that repeating a known key + IV combination for structured data such as an RSA key is dangerous practice and may leak information about the wrapped key (**PS Hi HSM vendors, are you listening?**)