I am encrypting files for storage in an untrusted location, using a custom Java program to do that. There is only one user, but there are many files. I am using AES in CBC mode with PKCS5 padding, and the key is created from a single passphrase using PBKDF2.

Question: Would it increase security if I used a different salt for encrypting each file, or would that only make sense if I also used a different passphrase for each file?

The posts I could find deal with a multi-user scenario, where of course you need per-user salts. But I have only 1 user and 1 passphrase, so creating a new key for each file feels wrong to me.

barfuin

2 Answers

In a scenario such as yours, where there is only one password/passphrase, but it is used as key material for the encryption of multiple CBC encrypted files, you will (as you noted yourself) obviously not make it any harder for an attacker to compute your password, should you use a salt.

However, using a salt would mean that the encryption of each file is independently keyed, which might increase resistance against collisions in the CBC chaining state, should you use the same password for encrypting a very large number of very large files. Since you are using AES-CBC and AES has a 128-bit block size, you would have to encrypt billions of GB-sized files to get close to a 0.5 probability that there would be just one such collision (in two 128-bit blocks somewhere), but depending on your security requirements, even such a small risk might be unacceptable. An alternative to using salts would, in such a case, be to use a cipher with a 256-bit block size instead of AES.

A third alternative would be to use random keys for each file, and only encrypt that file-specific key using the key you derived from your password. If you put those encrypted keys together in a separate index file, you will get two additional benefits:

  1. Changing the passphrase will become much cheaper, in particular if you have a large number of files or very large files. Changing the passphrase might, or might not, be something that improves your security. Obviously, if an adversary at some point in time gets hold of all of your files and is able to compute the passphrase you were using at that point in time, you gain nothing by later changing the passphrase. The file-specific keys (for the files that existed at that point in time) will already be compromised.
  2. However, using random file-specific keys will make it possible for you to put together index files for other users, containing only the keys of the files those users are supposed to get access to.

Henrick Hellström

Your feeling is correct. Using a different password will impact usability, unless you can keep as many passwords as files in your head at the same time. If you can't (I'm assuming the only user is you) you might end up writing them down somewhere, or choosing really easy passwords. The first is bad depending on your threat model, the second is always bad. As an aside, you might want to consider using a passphrase instead of a password.

Using a different salt would increase security because it would force the attacker to repeat the attack with each file. You can safely store the salt in the clear (perhaps as part of the filename). As a bonus, you can later add more users without changing the salt policy.

rath
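Both answers above come down to how the key for each file is obtained, so here is an added example in Java (the asker's language) that is not code from either answer or from the asker's program. It implements rath's variant (one passphrase, a fresh random salt per file, stored in the clear in front of the ciphertext) and Henrick Hellström's third alternative (a random key per file, wrapped under a passphrase-derived key-encryption key and kept in an index), including the cheap passphrase change he describes, which only re-wraps the index. Assumptions of mine: 200,000 PBKDF2-HMAC-SHA256 iterations, 16-byte salts and IVs, 256-bit AES keys, an in-memory Map standing in for the index file, and the layout salt || iv || ciphertext, which is a convention chosen here rather than anything the asker specified.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class PerFileKeys {
    static final SecureRandom RNG = new SecureRandom();
    static final int PBKDF2_ITERS = 200_000; // assumption: tune to your hardware
    static final int SALT_LEN = 16, IV_LEN = 16;

    // PBKDF2-HMAC-SHA256 over the passphrase and a salt -> 256-bit AES key
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    // AES/CBC/PKCS5Padding with a fresh random IV; output = iv || ciphertext
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = random(IV_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return concat(iv, c.doFinal(plaintext));
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(Arrays.copyOfRange(blob, 0, IV_LEN)));
        return c.doFinal(Arrays.copyOfRange(blob, IV_LEN, blob.length));
    }

    // Variant A (rath's answer): one passphrase, a fresh random salt per file.
    // The salt is not secret, so it is stored in the clear; output = salt || iv || ciphertext
    static byte[] encryptWithPerFileSalt(char[] pass, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = random(SALT_LEN);
        return concat(salt, encrypt(deriveKey(pass, salt), plaintext));
    }

    static byte[] decryptWithPerFileSalt(char[] pass, byte[] blob) throws GeneralSecurityException {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        return decrypt(deriveKey(pass, salt), Arrays.copyOfRange(blob, SALT_LEN, blob.length));
    }

    // Variant B (Henrick Hellström's third alternative): a random key per file, wrapped
    // under a passphrase-derived key-encryption key (KEK) and kept in an index.
    static class Vault {
        byte[] kekSalt = random(SALT_LEN);            // one salt for the KEK, stored with the index
        SecretKey kek;
        Map<String, byte[]> index = new HashMap<>();  // file name -> wrapped file key (stand-in for the index file)

        Vault(char[] pass) throws GeneralSecurityException { kek = deriveKey(pass, kekSalt); }

        byte[] encryptFile(String name, byte[] plaintext) throws GeneralSecurityException {
            SecretKey fileKey = new SecretKeySpec(random(32), "AES");
            index.put(name, encrypt(kek, fileKey.getEncoded()));
            return encrypt(fileKey, plaintext);
        }

        byte[] decryptFile(String name, byte[] blob) throws GeneralSecurityException {
            SecretKey fileKey = new SecretKeySpec(decrypt(kek, index.get(name)), "AES");
            return decrypt(fileKey, blob);
        }

        // A passphrase change re-wraps only the index entries; the file bodies are untouched.
        void changePassphrase(char[] newPass) throws GeneralSecurityException {
            byte[] newSalt = random(SALT_LEN);
            SecretKey newKek = deriveKey(newPass, newSalt);
            for (Map.Entry<String, byte[]> e : index.entrySet()) {
                e.setValue(encrypt(newKek, decrypt(kek, e.getValue())));
            }
            kekSalt = newSalt;
            kek = newKek;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "correct horse battery staple".toCharArray();            // constructed sample passphrase
        byte[] doc = "constructed sample document".getBytes(StandardCharsets.UTF_8);

        byte[] a = encryptWithPerFileSalt(pass, doc);
        System.out.println("per-file salt round trip: " + Arrays.equals(doc, decryptWithPerFileSalt(pass, a)));

        Vault v = new Vault(pass);
        byte[] b = v.encryptFile("report.txt", doc);
        v.changePassphrase("a different passphrase".toCharArray());
        System.out.println("wrapped key after passphrase change: " + Arrays.equals(doc, v.decryptFile("report.txt", b)));
    }
}
```

Note that neither variant adds integrity: AES-CBC with PKCS5 padding lets whoever controls the storage location modify ciphertext (and therefore plaintext) without detection, so in practice the `iv || ciphertext` blob should also carry a MAC under a separate key, or the CBC step should be replaced by an authenticated mode. In variant B, a compromise of the passphrase while the index and files are both held by the adversary exposes every wrapped key that existed at that time, which is exactly the limitation Henrick Hellström points out.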