Timo

Reputation: 313

decrypt with more than one password

I'm searching for a specific way to encrypt my data. I want to encrypt it with my password and decrypt it with that. Later I want to give other people access to chosen parts of my data with their passwords.

Is there any other way than to decrypt the data every time I add a new "reader" and encrypt it all again with a "mix" of all passwords? And then the big question is how to decrypt without knowing the passwords of everyone?

And then I thought of another problem. How to validate that the given/login password is correct? I thought the following might work without saving the actual password or the encryption password:

What do you think about it?

Thanks for help everyone

Upvotes: 2

Views: 646

Answers (1)

zaph

Reputation: 112857

  1. Encrypt the data once with a secure key such as random bytes.

  2. For each user encrypt the above key using the user's password (properly extended), save that in a file or DB under the userID and a salted/hashed password for authentication.

  3. To access, look up the user's entry, verify the supplied password with the salted/hashed password, and decrypt the data key with the user's password.

  4. Decrypt the data with the data key and return to the user.

  5. Side advantage: A user's password can be changed without changing the actual key the data is encrypted with.

For the second part:

Do not hash(hash(salt + "Thats an amazingly bad password")), use a password extension method such as PBKDF2 on the user supplied password for the encryption key. Such methods take a salt and a password and iterate many times to make the operation slow, somewhere around 100ms seems to be a good target.

Hashing a hash does not accomplish anything other than adding a trivial amount of time to the operation.

Upvotes: 2
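The scheme in the answer above, as an added example that is not part of the original answer: one random data key, wrapped separately for each user under a PBKDF2-stretched password, with a stored verifier that is derived separately from the wrapping key. It uses only the Python standard library, so the XOR-plus-HMAC wrap is a stand-in for an authenticated key wrap such as AES-GCM or AES Key Wrap; all function names, the iteration count and the passwords are assumptions made for the example.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumption: tune on your hardware toward the ~100 ms target

def _subkeys(password: str, salt: bytes):
    # Slow step: stretch the password once with PBKDF2.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Domain separation: the stored verifier must not equal or reveal the wrap key.
    return tuple(hmac.new(master, label, hashlib.sha256).digest()
                 for label in (b"auth", b"wrap", b"mac"))

def wrap_key(data_key: bytes, password: str) -> dict:
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per record, so the XOR pad is never reused
    auth, pad, mac_key = _subkeys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))  # stand-in for AES key wrap
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "verifier": auth, "wrapped": wrapped, "tag": tag}

def unwrap_key(record: dict, password: str) -> bytes:
    auth, pad, mac_key = _subkeys(password, record["salt"])
    if not hmac.compare_digest(auth, record["verifier"]):
        raise PermissionError("wrong password")
    tag = hmac.new(mac_key, record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        raise ValueError("wrapped key was modified")
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))

def change_password(record: dict, old: str, new: str) -> dict:
    # Only the small wrapped-key record changes; the data is not re-encrypted.
    return wrap_key(unwrap_key(record, old), new)

def demo():
    data_key = os.urandom(32)  # step 1: random key that encrypts the data once
    users = {"timo": wrap_key(data_key, "constructed-pw-1")}
    # Adding a reader: the owner unlocks the data key and wraps it for the reader.
    owner_key = unwrap_key(users["timo"], "constructed-pw-1")
    users["reader"] = wrap_key(owner_key, "constructed-pw-2")
    users["reader"] = change_password(users["reader"], "constructed-pw-2", "constructed-pw-3")
    return data_key, users

if __name__ == "__main__":
    data_key, users = demo()
    print(unwrap_key(users["reader"], "constructed-pw-3") == data_key)
```

To give a reader access to only chosen parts of the data, use one data key per part and store a wrapped record per user per part.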
