Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

9
  • I am deeply grateful for your exhaustive reply. The only thing I still not understand is how I'd share an encrypted data with a different user, since I don't have its KEK for re-encrypting the datum's DEK. Probably I'm missing something, I can't see how to fit asymmetric encryption in your 3rd listed point. Commented Nov 16, 2024 at 23:26
  • 1
    Sorry about that, I remembered in the middle of writing that bullet point that you wanted data sharing via asymmetric crypto rather than just using symmetric for everything, and didn't fix everything up properly. I think it's fixed up now. Just beware: this is still way underspecified compared to the documentation I would create if I were designing this system professionally, nor did I take my own advice and reference existing designs (aside from working from memory of those designs) as I wrote it. For highly sensitive stuff, get somebody who thoroughly knows the topic to carefully review it! Commented Nov 17, 2024 at 19:29
  • I would say that the client-side hashing, in the setup you suggest, should not be done with a predictable salt as this opens the door to more precomputation attacks. The salt used in the first hashing should be unique and unpredictable, but the salts used in subsequent hashes can be predictable. Commented Nov 18, 2024 at 14:09
  • @n-l-i: The salt is not meant to be a secret. It's purpose is to prevent precomputed rainbow attacks. It just needs to be unique (--> usernames are okay). So, whether use use the encoded username as the salt, or some other byte array is equal in terms of security, from my perspective Commented Nov 18, 2024 at 21:12
  • 1
    @n-l-i Where / how do you propose storing or deriving an unpredictable salt that must be available on every client (even ones that have never been used), must be unique to every user, and must be available before authentication (since their use occurs as part of deriving the login credential)? I proposed the username because it's a unique value that the user can themselves reliably supply. You could have the server generate and store client-hash salts but they need to be exposed unauthenticated, so an attacker can get them too. Commented Nov 19, 2024 at 8:11