4

In my business scenario (basically a cloud file sharing application) I have the following case:

  1. user uploads file(s) to the folder

  2. it's being checked if the folder is PIN protected

  3. 1) If it's not PIN protected, encrypt the file using the predefined pass key stored in the application + IV key stored in the database.

    2) If it's PIN protected, encrypt the file using the predefined pass key + PIN value + IV key stored in the database

The problem is that AES, having limited pass key length gets invalid key length when the max key size (16, 24, 32 bytes) is exceeded. My main question is how to achieve something like that while maintaining the security.

At the moment folder PIN length isn't limited but it seems that I should limit it to at least the max length of the AES key pass. Slight improvement could be using RijndaelManaged where I have a bit more flexibility regarding the pass key length.

Any suggestion would be appreciated.

Note: I don't think code would add any value to the question but if anyone doesn't agree, let me know and I'd add it.

wegelagerer
  • 3,090
  • 8
  • 36
  • 56

2 Answers2

2

Your scenario is not completely clear to me but in general the answer would be to use what ever you have as "secrets" and hash these to always gain the same key length for AES. Let's say you use SHA256 to hash the secret(s), your application could use AES-256 no matter which data you use to produce the key.

Again, the data that produces the key must have enough entropy and must be kept secret. Especially when a password is used, you should use a secure password to key derivation scheme like PKCS#5 and not build something on your own...

fhissen
  • 149
  • 6
  • Thank you for the answer! I'd like to skip hashing of any sort because I don't think it's needed in this case considering that the PIN itself is already hashed (PBKDF2) and that is the first line of defense. The second line of defence are encrypted files, some of which are encrypted using the pass key + PIN. By doing so I don't have to save additional hashes and the only thing I have to do is to decrypt the file using the pass key + PIN provided by the user. The pass key is embedded to the application. Should I consider that as a security risk? – wegelagerer Feb 25 '16 at 11:51
2

A key derivation function will create a key with a controlled length, if the derived key is longer than needed just truncate it.

Additionally the encryption IV is not considered secret and usually just prepended to the encrypted data. Many tines the key derivation salt as well as the iteration count is also prepended to the encrypted data. For good security is is best to use well vetted methods.

zaph
  • 108,117
  • 19
  • 176
  • 215
  • Thank you! Exactly what I wanted to hear - truncation is a safe thing to do! – wegelagerer Feb 25 '16 at 12:54
  • 1
    A series of random bytes which is essentially what a hash or key derivation function produces are all equally random, none are "better" than others. so just select any range of them, truncation is an easy way to do that. – zaph Feb 25 '16 at 12:58