Score:1

Crypto

Is it safe to store the hash of a plain text?

Luqus

3/20/23, 5:59 PM

When encrypting data, I want to verify that the correct key was entered without hashing it. Is it safe to decrypt the ciphertext and compare the hash of it with the stored one or can the plaintext (which could be very long) be read from the hash?

237

0 + 0

hash

encryption

kelalaka

3/20/23, 6:10 PM

Welcome to Cryptography.SE Passwords are not hashed with standard collision-resistant hashes like SHA256 or SHA3-512 they are hashed with special password hashing algorithms like PBKDF2, Scrypt, or better Argon2. While there are really good [open-source password manager](https://www.wizcase.com/blog/most-secure-open-source-password-managers/) like Keepass, this question is lack of the basic research of a password manager developer must do; **searcing for what others do**!

kelalaka

3/20/23, 6:13 PM

Also, the passwords are not stored in the hash form in the password manager, they are stored encrypted so that the password manager can decrypt them when needed. hashing is one-way process that destroys the original data. Hashing != encryption. you need to create an encryption key from the user's password so that this key can decrypt the actual key that encrypts the passwords.

kelalaka

3/20/23, 6:31 PM

How do your users enter keys to your program? How do they memorize it? They need to enter a password, usually generated with a good one like dicewire.

Luqus

3/20/23, 7:48 PM

The passwords are stored encrypted. But when I use my cipher function, I can't tell if it's decrypted to the right plaintext. If I call the function with a wrong **master key**, it will still give an output. I am hashing the plaintext so that I can tell if the right key was entered. After that, I'll show the UI with the plaintext, else I would tell the user that he entered the wrong master key.

Luqus

3/21/23, 1:02 PM

I am not trying to replicate the best password manager, I want to find a way for me that has no big security flaws. I am by the way not hashing the password, but the plaintext as stated in my question.

Score:1

Crypto

Maarten Bodewes

3/20/23, 7:19 PM

As others indicated, this would not be a scheme that would conform to best practice. Considering that you are asking this question I would strongly suggest to use your code for practice only.

In principle you can hash data and then encrypt it. As the hash remains confidential until the key is found, this is considered when it comes to protecting the hash and the plaintext message. However, please note that hash-then-encrypt itself may not be secure; we generally prefer methods such as encrypt-then-MAC. Personally I would try and use a Password Based Key Derivation Function and an authenticated mode of encryption such as EAX / encrypt-then-HMAC (also taking care of the IV).

It is also a good idea to store some key check value (e.g. a MAC over some known data) next to it. That way you don't have the problem that you need to try and decrypt all of your database before you can check if your password is correct. Note that an adversary can validate if the master password is correct by simply decrypting a few blocks of data, so this won't give much if any advantage to a would-be attacker, while adding to the user experience.

0 + 0

Luqus

3/20/23, 7:51 PM

I don't try to hash my data and encrypt it then, I am trying to tell if a decryption is correct. That is the only reason I am calculating the hash; to tell if the user entered the right master key.

Luqus

3/20/23, 7:58 PM

I added a graphic to my question that shows, what I would like to achieve.

Maarten Bodewes

3/20/23, 8:31 PM

It's still the scheme that I'm describing. If you don't want to verify the data for integrity then you don't need to hash it in the first place. To be honest, I would like to know if somebody had screwed with the database.

Score:1

Crypto

Meir Maor

3/22/23, 1:21 PM

A long plaintext doesn't mean it can not be guessed. If the hash of the plaintext is available to an attacker such an attacker can efficently verify any guess he may have as to the plain text.

In many real world scenarios we encrypt plain text with limited entropy, the text may be large but still have little information not known to the attacker. And with a simple efficient hash, even trying millions of guesses for the plaintext can be very practical.

There are better ways of authenticating encryption. We can do encrypt then mac, we can use combined methods like GCM. Both are better than a plain text hash.

0 + 0