Charles

Reputation: 320

Using MD5 to generate an encryption key from password?

I'm writing a simple program for file encryption. Mostly as an academic exercise but possibly for future serious use. All of the heavy lifting is done with third-party libraries, but putting the pieces together in a secure manner is still quite a challenge for the non-cryptographer. Basically, I've got just about everything working the way I think it should.

I'm using 128-bit AES for the encryption with a 128-bit key length. I want users to be able to enter in variable-length passwords, so I decided to hash the password with MD5 and then use the hash as the key. I figured this was acceptable--the key is always supposed to be a secret, so there's no reason to worry about collision attacks.

Now that I've implemented this, I ran across a couple of articles indicating that this is a bad idea. My question is: why? If a good password is chosen, the cipher is supposed to be strong enough on its own to never reveal the key except via an extraordinary (read: currently infeasible) brute-force effort, right? Should I be using something like PBKDF2 to generate the key or is that just overkill for all but the most extreme cryptographic applications?

Upvotes: 7

Views: 9433

Answers (3)

lambacck

Reputation: 9926

The answer to your new question is: you should definitely be using something like PBKDF2 to generate the key.

I assume you are going to have a password (at least 10 chars: upper, lower, numbers and punctuation, right?) that will then generate an AES-256 key. The key will be used to encrypt/decrypt the file(s). You want to use something like PBKDF2 in order to decrease the ability for someone who gets your file to figure out your key/password through brute force attacks. Using something like PBKDF2 (and a random salt!) increases the cost of breaking the encryption on the file.

What I really recommend is that you use this as a toy and not to protect something you really care about. If you are not a security expert, you are going to make mistakes, even the experts (and lots of them together) make mistakes: http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

Upvotes: 0

Gleb

Reputation: 2452

This article on Key strengthening might help you. Basically you want to make the key stronger (more entropy than in a password) and make its derivation from the password reliably time consuming.

Upvotes: 6
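As an added example (not code from the question or from any of the answers), the following puts the questioner's MD5 scheme next to the salted, iterated derivation that lambacck and Gleb recommend, using only Python's standard-library hashlib. The AES step itself is left out; the point is how the key is obtained. The file-header layout, the function names, the `PBK1` magic value and the iteration count are assumptions made for this example, and the constructed test inputs are known public PBKDF2/MD5 vectors rather than anything from the page.

```python
import hashlib
import os
import struct

# Header written in front of the ciphertext so the salt and iteration count
# travel with the file (both may be public; only the password is secret).
# Layout assumed for this example: 4-byte magic, big-endian iteration count,
# 16-byte salt.
MAGIC = b"PBK1"
HEADER = struct.Struct(">4sI16s")
SALT_LEN = 16
KEY_LEN = 16                 # 128-bit AES key, as in the question
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def derive_key_md5(password: str) -> bytes:
    """The scheme from the question: the raw MD5 digest is the AES-128 key.

    No salt and a single cheap hash call, so equal passwords always give the
    same key and every password guess costs one MD5 evaluation.
    """
    return hashlib.md5(password.encode("utf-8")).digest()


def derive_key_pbkdf2(password: str, salt: bytes,
                      iterations: int = DEFAULT_ITERATIONS,
                      length: int = KEY_LEN) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes precomputed tables useless and the
    iteration count multiplies the cost of every guess by `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=length)


def new_file_header(password: str,
                    iterations: int = DEFAULT_ITERATIONS) -> tuple[bytes, bytes]:
    """Encrypting: pick a fresh random salt, derive the key, and return the
    header to store alongside the ciphertext together with the key."""
    salt = os.urandom(SALT_LEN)
    key = derive_key_pbkdf2(password, salt, iterations)
    return HEADER.pack(MAGIC, iterations, salt), key


def key_from_header(password: str, blob: bytes) -> bytes:
    """Decrypting: read the salt and iteration count back from the header and
    re-derive the same key from the password."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, iterations, salt = HEADER.unpack(blob[:HEADER.size])
    if magic != MAGIC:
        raise ValueError("not a file in this format")
    if iterations < 1:
        raise ValueError("invalid iteration count in header")
    return derive_key_pbkdf2(password, salt, iterations)


if __name__ == "__main__":
    header, key = new_file_header("correct horse battery staple")
    assert key_from_header("correct horse battery staple", header) == key
    print("md5 key   :", derive_key_md5("correct horse battery staple").hex())
    print("pbkdf2 key:", key.hex(), "(salt and iterations live in the header)")
```

Because the salt is random per file, two files encrypted with the same password get different keys, which is exactly what an unsalted MD5 key cannot give you; the iteration count is the knob that makes each guess "reliably time consuming", as Gleb's answer puts it.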

Noon Silk

Reputation: 55172

Well, as your post is general, let me state a few general things:

  1. MD5, SHA-0, SHA-1 are all broken hashes, and you should not use them for any cryptographic purpose; use SHA-2.

  2. You should, generally, use well-known and documented approaches to deriving keys from passwords (you don't mention what language, please say which one you are using).

  3. When doing any sort of security programming, the most important thing to do is, before you do anything, strictly document your 'threat model'. This is basically a listing of all the attacks you are trying to prevent, and how you will do it, and also what sort of attacks you can't prevent. It's quite fun to do, and you'll get to learn about all the attacks and other interesting things.

Upvotes: 1
