Score:1

Is it safe to store the hash of a plain text?


When encrypting data, I want to verify that the correct key was entered without hashing it. Is it safe to decrypt the ciphertext and compare the hash of it with the stored one or can the plaintext (which could be very long) be read from the hash?

kelalaka
Welcome to Cryptography.SE. Passwords are not hashed with standard collision-resistant hashes like SHA256 or SHA3-512; they are hashed with special password hashing algorithms like PBKDF2, Scrypt, or better, Argon2. While there are really good [open-source password managers](https://www.wizcase.com/blog/most-secure-open-source-password-managers/) like Keepass, this question lacks the basic research a password manager developer must do: **searching for what others do**!
kelalaka
Also, the passwords are not stored in hashed form in the password manager; they are stored encrypted so that the password manager can decrypt them when needed. Hashing is a one-way process that destroys the original data. Hashing != encryption. You need to create an encryption key from the user's password so that this key can decrypt the actual key that encrypts the passwords.
kelalaka
How do your users enter keys to your program? How do they memorize it? They need to enter a password, usually generated with a good one like diceware.
Luqus
The passwords are stored encrypted. But when I use my cipher function, I can't tell if it's decrypted to the right plaintext. If I call the function with a wrong **master key**, it will still give an output. I am hashing the plaintext so that I can tell if the right key was entered. After that, I'll show the UI with the plaintext, else I would tell the user that he entered the wrong master key.
Luqus
I am not trying to replicate the best password manager, I want to find a way for me that has no big security flaws. I am by the way not hashing the password, but the plaintext as stated in my question.
Score:1

As others indicated, this would not be a scheme that would conform to best practice. Considering that you are asking this question, I would strongly suggest using your code for practice only.

In principle you can hash data and then encrypt it. As the hash remains confidential until the key is found, this is considered when it comes to protecting the hash and the plaintext message. However, please note that hash-then-encrypt itself may not be secure; we generally prefer methods such as encrypt-then-MAC. Personally I would try and use a Password Based Key Derivation Function and an authenticated mode of encryption such as EAX / encrypt-then-HMAC (also taking care of the IV).

It is also a good idea to store some key check value (e.g. a MAC over some known data) next to it. That way you don't have the problem that you need to try and decrypt all of your database before you can check if your password is correct. Note that an adversary can validate if the master password is correct by simply decrypting a few blocks of data, so this won't give much if any advantage to a would-be attacker, while adding to the user experience.

Luqus
I don't try to hash my data and encrypt it then, I am trying to tell if a decryption is correct. That is the only reason I am calculating the hash; to tell if the user entered the right master key.
Luqus
I added a graphic to my question that shows what I would like to achieve.
Maarten Bodewes
It's still the scheme that I'm describing. If you don't want to verify the data for integrity then you don't need to hash it in the first place. To be honest, I would like to know if somebody had screwed with the database.
Score:1

A long plaintext doesn't mean it cannot be guessed. If the hash of the plaintext is available to an attacker, such an attacker can efficiently verify any guess he may have as to the plaintext.

In many real world scenarios we encrypt plain text with limited entropy, the text may be large but still have little information not known to the attacker. And with a simple efficient hash, even trying millions of guesses for the plaintext can be very practical.

There are better ways of authenticating encryption. We can do encrypt-then-MAC, or we can use combined methods like GCM. Both are better than a plaintext hash.
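
The key check value and encrypt-then-MAC ideas from the two answers above, as an added example that is not part of the original answers: it tells a wrong master password apart from a modified record without storing any hash of the plaintext. The function names, the labels, the iteration count and the random bytes standing in for real cipher output are assumptions; the cipher itself is left out because the Python standard library has none.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, tune for your hardware


def _mac(key: bytes, domain: bytes, data: bytes) -> bytes:
    # Domain prefix keeps the different uses of HMAC from colliding.
    return hmac.new(key, domain + b"|" + data, hashlib.sha256).digest()


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password once, then split into encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)
    return _mac(root, b"derive", b"enc"), _mac(root, b"derive", b"mac")


def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> dict:
    """Stored record: key check value plus an encrypt-then-MAC tag."""
    return {
        "iv": iv,
        "ciphertext": ciphertext,
        "kcv": _mac(mac_key, b"kcv", b"known data"),
        "tag": _mac(mac_key, b"record", iv + ciphertext),
    }


def check(master_password: str, salt: bytes, record: dict) -> str:
    """Classify a record without decrypting it or hashing any plaintext."""
    _, mac_key = derive_keys(master_password, salt)
    kcv = _mac(mac_key, b"kcv", b"known data")
    if not hmac.compare_digest(kcv, record["kcv"]):
        return "wrong master password"
    expected = _mac(mac_key, b"record", record["iv"] + record["ciphertext"])
    if not hmac.compare_digest(expected, record["tag"]):
        return "record modified"
    return "ok"


# Constructed sample: the ciphertext stands in for the output of a real cipher.
SALT = os.urandom(16)
_, MAC_KEY = derive_keys("correct horse battery staple", SALT)
RECORD = seal(MAC_KEY, os.urandom(16), os.urandom(48))
```

Both stored values are keyed with material derived from the master password, so checking a guess against them costs a full PBKDF2 run, unlike a plain hash of the plaintext.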
