0

The web app I am developing should be end-to-end-encrypted, but for slightly better user experience, I do not want the user to enter private keys into the client.

Instead I am planning to store the encrypted private key on the application server. The client then decrypts it with a password provided by the user. Of course to download the encrypted private key, the user has to log into the application. Hopefully with a different password as for encrypting the key. (See below)

One risk would be, that the user uses the same password for login and private key encryption, so that the application would not be end-to-end-encrypted anymore.

How do you think about this? Or are there any security issues I do not see?

(To avoid this risk, should I prehash the login password on client side?)

Thanks in advance.

Hendrik
  • 45
  • 9

1 Answers1

2

Password-protecting a key, either symmetric or asymmetric, is a common practice. See the question Encrypting With Passwords - Encryption of Key vs. Data for an example.

One problem is that users can choose weak passwords. This can either be, as you note, the same password that they use to authenticate to the site, or it can just be a generically weak password. Using client-side authentication password hashing to keep the server from knowing the user's password can help.

The LastPass password manager seems a similar use case to what you are preventing. LastPass uses 5000 rounds of PBKDF2 with SHA-256 on the client to prevent LastPass from knowing your master password. Performance is a problem with this solution as you need to do enough rounds of hashing to prevent a brute-force attack. As client machines tend to be much slower than server machines, this will be painful. This isn't a problem in the LastPass user model because users are willing to be patient for authentication to LP. You'll need to determine if the same is true for your user model.

A second problem with this solution is that recovery of a lost password encryption key is impossible. While this is a security feature, it may turn out to be a problem for your users.

One advantage of such an encryption scheme is that if the user changes their encryption password, you just need to decrypt the key with their original password and re-encrypt it with the new one. No need to decrypt and re-encrypt all of the data.

Neil Smithline
  • 14,842
  • 4
  • 39
  • 55
  • Thank you. The example you provided is very helpful. Can I use bcrypt for hashing the users login password, or would it be better to use PBKDF2 like LastPass? Which method should I use to encrypt the users encryption key? – Hendrik Apr 24 '16 at 09:00