I need to encrypt something on a smartphone. The data is relatively small and would be stored encrypted on the phone.

I was thinking AES-GCM with a key generated from a password (chosen by the app's user), but I wonder if there is a risk, with authenticated encryption, that an attacker could use the MAC as an oracle in order to brute-force the password from which the key is derived.

What is your opinion about this? Should I stay away from authenticated encryption when using password-derived keys?

Thank you for your feedback.

NGU

2 Answers

One of the security properties of a PBKDF is that it should not be reversible. You should not be able to obtain the password, even if you know the key, without exhaustively testing candidate passwords by running them through the KDF until you find matching output.

So, no, I don't think the attack you're considering is in fact a threat. You should use an appropriate PBKDF function with as high a work factor as is reasonable in order to protect the password from dictionary attacks to the extent possible, but the password will not be recoverable from the key, and much less from the MAC itself.

Xander
If you use a good PBKDF (like Argon2), brute-forcing of passwords is slowed down by the first step, which is turning the password into the key. So your low-entropy source (the password) is protected by slowing down this process.

In later steps the key should look like it was randomly sampled from a larger space and the attacker will not benefit from knowing that it came from a password.

In short: a PBKDF does things "to produce a derived key, which can then be used as a cryptographic key in subsequent operations" (from Wikipedia).

Which is exactly what you want.

Elias
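Both answers make the same point: the GCM tag does let an attacker test whether a candidate password is right, but only after paying for a full key derivation per candidate, so the "oracle" buys nothing beyond an ordinary dictionary attack whose price per guess is set by the PBKDF. The following Go program is an added example (not code from the question or from either answer) that shows this end to end: it encrypts a small secret with AES-GCM under a password-derived key, then plays the attacker, using the tag check as a yes/no oracle, and counts how many key derivations the attack costs. To stay inside the standard library it hand-writes PBKDF2-HMAC-SHA256; in a real app you would use Argon2 or scrypt (e.g. from golang.org/x/crypto) with a work factor tuned to the phone. The function names, the blob layout (salt || nonce || ciphertext || tag), the round count and the wordlist are all assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Demo parameters (assumed). Rounds are kept low so the brute-force demo is
// quick; a production app uses Argon2/scrypt or far more PBKDF2 rounds.
const (
	saltLen   = 16
	nonceLen  = 12 // standard GCM nonce size
	keyLen    = 32 // AES-256
	kdfRounds = 50_000
)

// kdfCalls counts full password-to-key derivations: the attacker's real cost unit.
var kdfCalls int

// KDFCalls reports how many derivations have been performed so far.
func KDFCalls() int { return kdfCalls }

// pbkdf2SHA256 is textbook PBKDF2 with HMAC-SHA256 (RFC 8018 section 5.2),
// written out here only to avoid packages outside the standard library.
func pbkdf2SHA256(password, salt []byte, rounds, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	dk := make([]byte, 0, dkLen+prf.Size())
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor U_2 xor ...
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// deriveKey is the slow, one-way step that protects the password.
// Every guess, legitimate or not, must pass through it.
func deriveKey(password string, salt []byte) []byte {
	kdfCalls++
	return pbkdf2SHA256([]byte(password), salt, kdfRounds, keyLen)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns salt || nonce || ciphertext || tag. The salt is also bound
// as associated data, so swapping it is caught by the tag check.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newGCM(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	blob := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	blob = append(append(blob, salt...), nonce...)
	return aead.Seal(blob, nonce, plaintext, salt), nil
}

// Decrypt reverses Encrypt. A wrong password gives a wrong key and the tag
// check fails; that failure is the "oracle" the question worries about.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newGCM(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, salt)
}

// BruteForce plays the attacker: the tag check answers yes/no per candidate.
// It returns the recovered password and the number of derivations paid, which
// equals the number of candidates tried: the tag saves nothing, the KDF sets
// the price of each guess.
func BruteForce(blob []byte, wordlist []string) (found string, derivations int, ok bool) {
	start := KDFCalls()
	for _, candidate := range wordlist {
		if _, err := Decrypt(candidate, blob); err == nil {
			return candidate, KDFCalls() - start, true
		}
	}
	return "", KDFCalls() - start, false
}
```

Running `BruteForce` over a constructed wordlist that contains the real password at position four costs exactly four derivations, and a wordlist that misses costs one derivation per entry; raising `kdfRounds` (or switching to Argon2) raises that per-guess price linearly without touching the AES-GCM part, which is the answers' point in code.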