Score:0

Hashed password used for encryption and for user authentication at the same time

dz flag

As I am fairly new to cryptography, I would like to understand how to, in a simple way, implement a system that would achieve the following: the user would have to setup a password, which would then be used to:

1.) encrypt the data provided by the user and save it in an encrypted form and 2.) to authenticate the user when using the system the next time and decrypt his data.

When searching for viable solutions I found the following two approaches:

a.) The password is hashed and the hash is later used to authenticate the user. The combination of the plain text password and its hash is used to generate a key for the encryption and decryption.

b.) The password is hashed and a key is derived from its hash to encrypt the data. The authentication is solved by comparing some know plain text to a part of the decrypted data. If there is a match, the user entered the correct password.

I would be grateful for a simple and clear explanation.

I would be also thankful for any references on this specific topic.

kelalaka avatar
in flag
Where did you see both? They are not good approaches since the user may want to change the passwords. You create a random encryption key per file, and encrypt the key with the key-encryption key generated from password like PBKDFDF2 or better Argon2id. You can see [here in more detail](https://crypto.stackexchange.com/a/75022/18298). When data at rest, the files are protected with random keys and only your password can open it. A good password like from dicewire is recommended.
simbr avatar
dz flag
@kelalaka Can you please explain how to also solve the user authentication part with the same password. Thank you.
kelalaka avatar
in flag
It is just the standard password hashing [How to securely hash passwords?](https://security.stackexchange.com/q/211/86735). You have one password and separate the domains by salt and info.
jjj avatar
cn flag
jjj
Do NOT send everything that is needed for decryption to any server, do decryption locally. Otherwise a compromised server can intercept it and decrypt eveything.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.