Allow the use of stronger key derivation functions

Discussion related to AES Crypt, the file encryption software for Windows, Linux, Mac, and Java.
Post Reply
cschneegans
Posts: 1
Joined: Sat Mar 02, 2019 2:31 am

Allow the use of stronger key derivation functions

Post by cschneegans » Sat Mar 02, 2019 3:15 am

It seems that AES Crypt derives the AES key from a given password quite fast. As far as I can tell, there are only 8192 iterations in the GenerateAESKey1 method:

Code: Select all

private byte[] GenerateAESKey1(byte[] password)
{
    …
    for (int i = 0; i < 8192; i++)
    {
        m_hash.Initialize();
        m_hash.TransformBlock(key, 0, key.Length, key, 0);
        m_hash.TransformFinalBlock(password, 0, password.Length);
        key = m_hash.Hash;
    }

    return key;
}
In many scenarios, it would be far preferable to use a stronger (i.e., computationally more expensive) key derivation function (KDF) such as PBKDF2, with runtimes measured in seconds, to defend against brute-force attacks.

Note that AES Crypt would not need to implement any KDFs itself, keeping code modifications at a minimum. For example, the Microsoft.AspNetCore.Cryptography.KeyDerivation package already provides a tried-and-tested PBKDF2 implementation for .NET projects.


Regards
Christoph

User avatar
paulej
Posts: 524
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA
Contact:

Re: Allow the use of stronger key derivation functions

Post by paulej » Sun Mar 03, 2019 1:33 pm

What AES Crypt does is very similar to PBKDF2, with the substantial difference being that the output of the PRF after 8192 cycles is used as the key rather than XORing those outputs. The use of SHA256 makes it quite strong, so I don't see any reason to change it. We could tweak this sort of thing all day, but speed of key derivation really isn't that important. The biggest weakness is always users with bad passwords. If a user used a password like "cat", tweaking this won't help. Brute force against a strong password is just impossible today.

Post Reply