Question
I built a system that allowed users to generate an unlimited number of email addresses.
Instead of storing each one in a db, I created addresses dynamically and made the address an hmac signed message with the shared secret being the bcrypt hashed version of their account password. e.g. 1948417:11eea538fdc926e38ff97689d913d34da152b072@example.com
Security wasn't critical and it worked pretty well, but I'm considering using the same strategy for something a little more delicate.
So, the question is... Is using a hashed password as the shared secret a good idea or bad idea?
Explanation / Answer
The most common password hashing functions are actually designed for exactly this purpose -- deriving a cryptographic key from a (weak) password. That's actually what PBKDF2 stands for: "password-based key derivation function #2" (scrypt and bcrypt don't have it in their name, but are also key derivation functions). It's also used in GPG, and for file and disk encryption, etc. Kerberos does so as a login mechanism - when you send the KDC your username, you get information that lets you authenticate as that user, encrypted with a key derived from the user's password.
Passwords tend to be low-entropy, far below that required of a cryptographic key. PBKDFs mitigate that by having a salt (to prevent dictionary attacks, for instance by having a list of the keys derived from the 10000 most common passwords) and by being as time-consuming as you please, which means that while an attacker doesn't have to try as many possibilities as with a random key, it takes them a long time to try each possible password.
So in general, password-derived keys make fine shared secrets. There are some catches (notably: if an attacker compromises them, they've compromised the shared secret; this is why Kerberos KDCs have to be so secure). But there's nothing generally wrong with the concept.
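The scheme discussed above, as an added example that is not code from the question or the answer: a salted PBKDF2 key derived from the password signs an address id, and the receiving side verifies the tag in constant time. The function names, the iteration count, the 40-hex-character tag length and the choice to MAC only the id are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
TAG_HEX_LEN = 40             # assumed: 160-bit tag keeps the local part under 64 chars


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a low-entropy password into a 32-byte MAC key (salted, slow)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _tag(key: bytes, address_id: str) -> str:
    # HMAC-SHA256 over the id, truncated to TAG_HEX_LEN hex characters.
    return hmac.new(key, address_id.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def make_address(key: bytes, address_id: int, domain: str = "example.com") -> str:
    """Build 'id:tag@domain', the layout shown in the question."""
    return f"{address_id}:{_tag(key, str(address_id))}@{domain}"


def verify_address(key: bytes, address: str) -> bool:
    """Return True only if the tag in the local part matches the id under this key."""
    local, at, _domain = address.rpartition("@")
    address_id, colon, tag = local.partition(":")
    if not at or not colon:
        return False
    if not (address_id.isascii() and address_id.isdigit()):
        return False
    # Constant-time comparison so a mismatch position is not leaked by timing.
    return hmac.compare_digest(_tag(key, address_id).encode(), tag.lower().encode())


if __name__ == "__main__":
    salt = os.urandom(16)                        # stored per user, next to the account
    key = derive_key("constructed-sample-password", salt)
    addr = make_address(key, 1948417)
    print(addr, verify_address(key, addr))       # genuine address verifies
    other = derive_key("a-different-password", salt)
    print(verify_address(other, addr))           # changed password: old addresses fail
```

Because the key is a function of the password, every address issued under the old password stops verifying once the password changes, and anyone who obtains the stored derived key can mint valid addresses, which is the catch the answer points out.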