Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>You shouldn't use the hash of the password, hashes are designed to be fast so it's (comparatively) easy to do a brute-force attack. Use a <a href="http://en.wikipedia.org/wiki/Key_derivation_function" rel="nofollow noreferrer">key derivation function</a> like <a href="http://en.wikipedia.org/wiki/PBKDF2" rel="nofollow noreferrer">PBKDF2</a>.</p> <p>Don't use a key directly derived from the password as an encryption key. If the user changes the password, you need to reencrypt all data and backups become worthless. Use a randomly generated encryption key that you encrypt with a key encryption key based on the password.</p> <p>I'm not so sure about storing the hash in the keychain instead of just holding it in memory. The last time I looked into this, it was comparetively easy to decrypt the keychain. And every attacker that can read the memory of your running app will most likely be able to snoop on the keychain access or the decrypted data. Just keep it in memory and make sure to wipe the memory if the app suspends into background etc. This holds obviously also true for every piece of decrypted data.</p> <p>[EDIT: @JeffLockhart to clarify the procedure for a master encryption key] you generate a random key to encrypt your data, let's call it key A. You could use <a href="https://developer.apple.com/library/ios/#documentation/Security/Reference/RandomizationReference/Reference/reference.html" rel="nofollow noreferrer">SecRandomCopyBytes</a> to generate key A, see <a href="http://developer.apple.com/library/ios/#samplecode/CryptoExercise/Introduction/Intro.html" rel="nofollow noreferrer">Apple's CryptoExcercise</a> for a usage example. You use key A to encrypt the user data. To save key A, you have to encrypt key A with a second key B. You shouldn't use the password directly as key B, because of fast brute-force or dictionary attacks. So you derive a key from the password with a PBKDF, like in <a href="https://stackoverflow.com/questions/8569555/pbkdf2-using-commoncrypto-on-ios">this</a> stackoverflow answer. You then encrypt key A with key B, e.g. using <a href="https://developer.apple.com/library/ios/#documentation/System/Conceptual/ManPages_iPhoneOS/man3/CCCrypt.3cc.html" rel="nofollow noreferrer">CCCrypt</a>. You save the encrypted key A and the salt used to derive key B it. To decrypt, the user enters the password, you derive key B using the password and the salt. You decrypt key A using the derived key B. Hope that clarifies.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload