Reputation: 13
Here is a scenario:
Would exposing the MD5 of a generated key degrade its security somehow? If I understand correctly:
In order to hack a password, you would still need to brute-force passwords by first generating a key from them with a slow PBKDF, applying MD5, and then checking if it matches?
Finding a colliding MD5 string would be useless, since the string would not match the encryption key anyway?
Are these assumptions correct and is there any way exposing such a string would impact encryption security?
Upvotes: 1
Views: 1578
Reputation: 94078
You are describing a so-called key check value.
"Are these assumptions correct"
Yes, but although MD5 cannot be inverted you're better off using a more secure hash such as SHA-256 or 512 (which is, maybe surprisingly, faster in most runtimes). If required you can use the N-leftmost bytes of the result.
"is there any way exposing such a string would impact encryption security?"
Well, kind of; it gives an attacker a way to validate with almost 100% certainty that a password / key, once found, is correct. This is also the case if you use the key for authenticated encryption (which is recommended in most circumstances). And in general you don't need to encrypt all that much data for an attacker to verify correctness of the key.
Otherwise no, MD5 is a one-way function after all, and as such should not expose any of the key bits.
Notes:
Of course you would not want to use the key as input to MD5 to encrypt anything afterwards.
If the MD5 function itself leaks side channel data (usually it doesn't) then it could reveal the key to an attacker.
Using a secure hash to create a key check value is probably better than using an encryption of a block of all zero bytes, which is the default KCV generation method for PKCS#11.
There are many ways of adding security: using HMAC or a KBKDF, using a time-constant compare, etc. Generally, however, hashing is secure. Using HMAC-SHA512 or even HKDF-SHA512 with an application-specific input string and a time-constant compare would be the diamond standard, I suppose.
Upvotes: 1
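As an added example (not code from the question or the answer above), here is the construction the answer recommends, in Python: a slow PBKDF2 derives the key, the key check value is the N leftmost bytes of HMAC-SHA512 keyed with that key over an application-specific context string, and verification uses a constant-time compare. The context label, iteration count, fixed salt and 4-byte KCV length are assumptions chosen for the demo.

```python
import hashlib
import hmac

# Constructed parameters for this example (assumptions, not from the original post).
PBKDF2_ITERATIONS = 600_000   # slow KDF: each password guess costs this much work
KEY_LEN = 32                  # 256-bit encryption key
KCV_LEN = 4                   # keep only the N leftmost bytes of the MAC tag
KCV_CONTEXT = b"example-app/v1/key-check-value"  # application-specific label


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow password-to-key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """KCV = leftmost KCV_LEN bytes of HMAC-SHA512(key, context).

    The key is used only as the MAC key and never as message data, and the
    context string ties the KCV to this application so it cannot be reused
    as a check value for the same key in another protocol."""
    tag = hmac.new(key, KCV_CONTEXT, hashlib.sha512).digest()
    return tag[:KCV_LEN]


def kcv_matches(key: bytes, stored_kcv: bytes) -> bool:
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(key_check_value(key), stored_kcv)


def demo() -> dict:
    """Derive a key, publish its KCV, then check a right and a wrong password."""
    salt = b"\x01" * 16    # constructed fixed salt; use os.urandom(16) in practice
    key = derive_key("correct horse battery staple", salt)
    kcv = key_check_value(key)   # this short value is what may be stored or exposed
    return {
        "kcv_hex": kcv.hex(),
        "right_password_ok": kcv_matches(derive_key("correct horse battery staple", salt), kcv),
        "wrong_password_ok": kcv_matches(derive_key("Tr0ub4dor&3", salt), kcv),
    }


if __name__ == "__main__":
    print(demo())
```

Note that, exactly as the answer says, the exposed KCV lets anyone who guesses the password confirm the guess; it does not reveal any key bits, but the slow PBKDF is what keeps each guess expensive.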