Storing password along with encrypted file

While there's no obvious vulnerability here, a better option is simply to store a static string, rather than the key itself. If an attacker finds a side-channel attack which allows them to discover one block of plaintext, your approach would leak the passphrase and thus break the whole system, whereas the fixed text option would not.


You could do this:

  1. Generate a cryptographically secure random 128-byte key

  2. Generate a hash of the random key

  3. Encrypt the file with the random generated key

  4. Encrypt the random key with the user provided key

  5. Put the following values in the file:

    encrypted random key:random key hash:encrypted file data

When you want to decrypt the data, you use the user provided data to decrypt the encrypted random key, then you hash it and compare with the stored hash. If they are the same, you use the now decrypted random key to decrypt the data.
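The scheme described in this answer, as an added Go example that is not part of the original post: AES-GCM is the assumed cipher, both keys are assumed to be 32 bytes, and the stored blob is laid out as step 5 describes (wrapped random key, hash of the random key, encrypted file).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed sizes: 32-byte keys (AES-256; the answer says 128 bytes). Blob: wrapped key (nonce|key|tag) | sha256(data key) | file (nonce|data|tag).
const keyLen, nonceLen, wrappedLen, hashEnd = 32, 12, 12 + 32 + 16, 12 + 32 + 16 + 32

// gcm builds AES-GCM for key; a wrong key length is a programming error, so it panics.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce || ciphertext || tag; opening it with the wrong key fails the tag check.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, nonceLen)
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error (Go 1.24+)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

// Encrypt follows the answer's steps 1-5: random data key, its hash, file under the data key, data key wrapped under the user key.
func Encrypt(userKey, plaintext []byte) []byte {
	dataKey := make([]byte, keyLen)
	rand.Read(dataKey)
	h := sha256.Sum256(dataKey)
	return append(append(seal(userKey, dataKey), h[:]...), seal(dataKey, plaintext)...)
}

// Decrypt unwraps the data key, compares its hash with the stored one as the answer describes, then decrypts the file with it.
func Decrypt(userKey, blob []byte) ([]byte, error) {
	if len(blob) < hashEnd+nonceLen {
		return nil, errors.New("blob too short")
	}
	dataKey, err := gcm(userKey).Open(nil, blob[:nonceLen], blob[nonceLen:wrappedLen], nil)
	if err != nil {
		return nil, errors.New("wrong user key (or tampered blob)")
	}
	if h := sha256.Sum256(dataKey); !bytes.Equal(h[:], blob[wrappedLen:hashEnd]) {
		return nil, errors.New("data key hash mismatch")
	}
	return gcm(dataKey).Open(nil, blob[hashEnd:hashEnd+nonceLen], blob[hashEnd+nonceLen:], nil)
}
```

Because the wrapping cipher is an AEAD, a wrong user key already fails the tag check on the wrapped key, so the stored hash acts as a second, independent check of the unwrapped data key.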


Including a static string sounds as if it could be vulnerable to a known plaintext attack. Instead I'd do the following (but would be pleased to hear if it's a bad idea!):

  1. Hash your plaintext and prepend the hash to it
  2. Encrypt everything with your encryption technique

When you decrypt it, check if the hash at the beginning matches the hash you expect. This makes you able to detect if you got the correct decryption key and as a plus you get integrity checking for free. If you want to speed this up, say you'd like to encrypt large amounts of data where it is not feasible to run a hashing function over the entire payload, reduce the hashed portion to a few megabytes or blocks if it is a block cypher.

If you'd add an unencrypted hash of the key itself to the file, attackers may test keys without having to decrypt the whole file. This would speed up attacks a lot.