1

I was searching for a way to store the encryption key of AES_ENCRYPT and found a good answer here: Where to store a key for encryption?

However, now I am trying to use "Type in the encryption key when you start up" and to save it in a session cookie (encrypted) but I do not know how to tell the user if his key is correct or not.

How I can test the key provided by the user? In another word, what is the best way to know if the encryption/decryption key is correct?

Community
  • 1
ClearBoth
  • 121
  • 4
  • Where do you think PHP session data is stored? If you don't want the plain text key on the servers storage you're going to need additional encryption, and although suhosin is a very good idea, its session encryption does not quite meet the bill. http://www.phpclasses.org/package/9455-PHP-Store-session-data-with-multiple-session-handlers.html#view_files/files/handlers/67416 – symcbean Jan 22 '16 at 00:10
  • @symcbean I use mysql session based table with a class to handle it. I don't use PHP session in this script. I'll try something similar to the script and back again. – ClearBoth Jan 23 '16 at 07:34

1 Answers1

1

However, now I am trying to use "Type in the encryption key when you start up" and to save it in a session cookie (encrypted) but I do not know how to tell the user if his key is correct or not.

Is there any reason why you are storing this client-side? The cookie will be sent with every request, and encryption here seems wrong because you will need the store the key for this additional encryption somewhere. Anyone grabbing this cookie would effectively have the decryption password indefinitely (the encrypted original password effectively becomes the password). Could it be stored against the session server-side, the password would be less exposed?

Anyway, that was an aside, now moving onto your main question... If you can store passwords server-side, you could use bcrypt and then compare the entered password with the hashed version on password entry.

As another aside, make sure you are using a key stretching algorithm to convert user entered weaker passwords into strong keys via iterative slow hashing. The bit strength of user passwords is usually not sufficient to protect against a brute force attack of encrypted data. Use PBKDF2.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
  • I already used the php function password_hash for password. I am trying to encrypt the database sensitive data. My idea was to encrypt the encryption key with the user password hash then save it in client-side session as I don't trust the server-side. but as you said the attacker can get the cookie and the decryption key of it this way. I will try with session server-side. However, it is not about the user passwords now I need to test the key provided after they login to the system as the data will be encrypted and not accessible otherwise. – ClearBoth Jan 21 '16 at 10:07