Benjamin Brownlee

Reputation: 454

Security of Seeded PRNGs

I wanted to create an application where a login password could be the seed to a pseudo random number generator to recreate an encryption key. This encryption key would then be used to encrypt all data sent to and from the application's database, making user data out of reach of even the host.

Can this use of a PRNG even be cryptographically secure? If so, what PRNG algorithms are best for this application? Is it important to enforce a decent minimum password length? Any other concerns with this setup?

Upvotes: 1

Views: 46

Answers (1)

zaph

Reputation: 112865

What you need is a key derivation function such as PBKDF2 (Password Based Key Derivation Function 2) which is designed to do exactly what you need.

You pass the password, a random seed from a CSPRNG and a repetition count. The random seed does not need to be secret and can be saved with the encrypted data. The count should be chosen such that the derivation takes about 100ms.

Upvotes: 4
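
The derivation described in the answer above, as an added example that is not part of the original answer: PBKDF2-HMAC-SHA256 from Python's standard library, with the random value drawn from a CSPRNG and stored next to the data, and the repetition count scaled from a timed probe toward roughly 100 ms. The function names, the 32-byte key length, the 16-byte salt length and the iteration floor are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import secrets
import time

KEY_LEN = 32               # bytes of derived key (assumption: a 256-bit key)
SALT_LEN = 16              # bytes of CSPRNG output, stored in the clear
MIN_ITERATIONS = 100_000   # assumption: floor in case the timing probe is noisy


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: same password + salt + count gives the same key."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def calibrate_iterations(target_seconds: float = 0.1, probe: int = 20_000) -> int:
    """Time a probe run and scale the count so one derivation takes ~target."""
    salt = secrets.token_bytes(SALT_LEN)
    start = time.perf_counter()
    derive_key("calibration", salt, probe)
    elapsed = time.perf_counter() - start
    return max(MIN_ITERATIONS, int(probe * target_seconds / elapsed))


def enroll(password: str, iterations: int) -> tuple[dict, bytes]:
    """First use: pick a fresh salt, return (public parameters, secret key)."""
    salt = secrets.token_bytes(SALT_LEN)
    params = {"salt": salt.hex(), "iterations": iterations}
    return params, derive_key(password, salt, iterations)


def unlock(password: str, params: dict) -> bytes:
    """Later logins: re-derive the key from the stored, non-secret parameters."""
    return derive_key(password, bytes.fromhex(params["salt"]), params["iterations"])


if __name__ == "__main__":
    count = calibrate_iterations()
    # Constructed sample password, for demonstration only.
    params, key = enroll("correct horse battery staple", count)
    again = unlock("correct horse battery staple", params)
    print(params, "keys match:", hmac.compare_digest(key, again))
```

Only `params` is persisted; the key itself is re-derived at each login and never written to the database.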
