AES: Why is it a good practice to use only the first 16bytes of a hash for encryption?How can one securely generate an asymmetric key pair from a short passphrase?Key derivation functions (KDF): What are? Main purposes? How can they be used?Cryptography Implementation in softwareHashing - Digital Signing and Trivial StretchingReason for replacing mifare classicFast Forward Hash SignaturesApplication level encryption and key renewalPassword derived hash to encrypt known plaintext as password checkSecurity of non-standard use for AES-256-CTR?Basic encrypted custom protocolcipherText = aes-ctr(key, iv+1, (plainText)); & authTag= aes-ctr(key, iv, aes-ecb(key, sha-1(cipherText+authData+key+iv))); is it secure?What should I use for consequent AES key derivation?

Why is the ratio of two extensive quantities always intensive?

Does a druid starting with a bow start with no arrows?

Anagram holiday

What's the point of deactivating Num Lock on login screens?

What is the word for reserving something for yourself before others do?

Brothers & sisters

How could indestructible materials be used in power generation?

Twin primes whose sum is a cube

Emailing HOD to enhance faculty application

Is "remove commented out code" correct English?

Neighboring nodes in the network

Should I tell management that I intend to leave due to bad software development practices?

Diode datasheet reading

Did Shadowfax go to Valinor?

Find the age of the oldest file in one line or return zero

Stopping power of mountain vs road bike

intersection of two sorted vectors in C++

Could gravitational lensing be used to protect a spaceship from a laser?

What exploit are these user agents trying to use?

What is the intuition behind short exact sequences of groups; in particular, what is the intuition behind group extensions?

Why are electrically insulating heatsinks so rare? Is it just cost?

How can I prevent hyper evolved versions of regular creatures from wiping out their cousins?

Can a rocket refuel on Mars from water?

Assassin's bullet with mercury



AES: Why is it a good practice to use only the first 16bytes of a hash for encryption?


How can one securely generate an asymmetric key pair from a short passphrase?Key derivation functions (KDF): What are? Main purposes? How can they be used?Cryptography Implementation in softwareHashing - Digital Signing and Trivial StretchingReason for replacing mifare classicFast Forward Hash SignaturesApplication level encryption and key renewalPassword derived hash to encrypt known plaintext as password checkSecurity of non-standard use for AES-256-CTR?Basic encrypted custom protocolcipherText = aes-ctr(key, iv+1, (plainText)); & authTag= aes-ctr(key, iv, aes-ecb(key, sha-1(cipherText+authData+key+iv))); is it secure?What should I use for consequent AES key derivation?













2












$begingroup$


I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user pw with sha1 and take only the first 16bytes.



But I don't think this can be a good pratice.



  1. sha1 is weak

  2. taking only the first 16bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric







share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$











  • $begingroup$
    I added the links
    $endgroup$
    – firendlyQuestion
    2 hours ago










  • $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    2 hours ago















2












$begingroup$


I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user pw with sha1 and take only the first 16bytes.



But I don't think this can be a good pratice.



  1. sha1 is weak

  2. taking only the first 16bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric







share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$











  • $begingroup$
    I added the links
    $endgroup$
    – firendlyQuestion
    2 hours ago










  • $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    2 hours ago













2












2








2





$begingroup$


I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user pw with sha1 and take only the first 16bytes.



But I don't think this can be a good pratice.



  1. sha1 is weak

  2. taking only the first 16bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric







share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$




I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user pw with sha1 and take only the first 16bytes.



But I don't think this can be a good pratice.



  1. sha1 is weak

  2. taking only the first 16bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric




encryption hash aes symmetric






share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 2 hours ago







firendlyQuestion













New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 2 hours ago









firendlyQuestionfirendlyQuestion

112




112




New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • $begingroup$
    I added the links
    $endgroup$
    – firendlyQuestion
    2 hours ago










  • $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    2 hours ago
















  • $begingroup$
    I added the links
    $endgroup$
    – firendlyQuestion
    2 hours ago










  • $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    2 hours ago















$begingroup$
I added the links
$endgroup$
– firendlyQuestion
2 hours ago




$begingroup$
I added the links
$endgroup$
– firendlyQuestion
2 hours ago












$begingroup$
They are not good sources. Anyway I will call this question as dupe of this and this
$endgroup$
– kelalaka
2 hours ago




$begingroup$
They are not good sources. Anyway I will call this question as dupe of this and this
$endgroup$
– kelalaka
2 hours ago










1 Answer
1






active

oldest

votes


















3












$begingroup$


Why is it a good practice to use only the first 16 bytes of a hash for encryption?




As you noted, it isn't.



But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



16 bytes



As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



Hashing a password to use as an encryption key



Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem.



Why/How



A normal hash function is designed to be fast and require little space.



A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



  • 1) Preimage resistance

  • 2) Second preimage resistance

  • 3) collision resistance.

In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



Defense against lookup table /TMTOAttacks:



  • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

Defense against CPU-optimized 'crackers':



  • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

Defense against hardware-optimized 'crackers':



  • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

Defense against side-channel attacks:



  • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






share|improve this answer











$endgroup$













    Your Answer





    StackExchange.ifUsing("editor", function ()
    return StackExchange.using("mathjaxEditing", function ()
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    );
    );
    , "mathjax-editing");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68545%2faes-why-is-it-a-good-practice-to-use-only-the-first-16bytes-of-a-hash-for-encry%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    3












    $begingroup$


    Why is it a good practice to use only the first 16 bytes of a hash for encryption?




    As you noted, it isn't.



    But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



    16 bytes



    As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



    Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



    Hashing a password to use as an encryption key



    Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



    But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



    Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem.



    Why/How



    A normal hash function is designed to be fast and require little space.



    A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



    Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




    Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



    • 1) Preimage resistance

    • 2) Second preimage resistance

    • 3) collision resistance.

    In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



    Defense against lookup table /TMTOAttacks:



    • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

    Defense against CPU-optimized 'crackers':



    • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

    Defense against hardware-optimized 'crackers':



    • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

    Defense against side-channel attacks:



    • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






    share|improve this answer











    $endgroup$

















      3












      $begingroup$


      Why is it a good practice to use only the first 16 bytes of a hash for encryption?




      As you noted, it isn't.



      But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



      16 bytes



      As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



      Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



      Hashing a password to use as an encryption key



      Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



      But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



      Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem.



      Why/How



      A normal hash function is designed to be fast and require little space.



      A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



      Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




      Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



      • 1) Preimage resistance

      • 2) Second preimage resistance

      • 3) collision resistance.

      In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



      Defense against lookup table /TMTOAttacks:



      • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

      Defense against CPU-optimized 'crackers':



      • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

      Defense against hardware-optimized 'crackers':



      • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

      Defense against side-channel attacks:



      • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






      share|improve this answer











      $endgroup$















        3












        3








        3





        $begingroup$


        Why is it a good practice to use only the first 16 bytes of a hash for encryption?




        As you noted, it isn't.



        But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



        16 bytes



        As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



        Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



        Hashing a password to use as an encryption key



        Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



        But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



        Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem.



        Why/How



        A normal hash function is designed to be fast and require little space.



        A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



        Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




        Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



        • 1) Preimage resistance

        • 2) Second preimage resistance

        • 3) collision resistance.

        In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



        Defense against lookup table /TMTOAttacks:



        • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

        Defense against CPU-optimized 'crackers':



        • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

        Defense against hardware-optimized 'crackers':



        • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

        Defense against side-channel attacks:



        • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






        share|improve this answer











        $endgroup$




        Why is it a good practice to use only the first 16 bytes of a hash for encryption?




        As you noted, it isn't.



        But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



        16 bytes



        As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



        Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



        Hashing a password to use as an encryption key



        Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



        But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



        Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem.



        Why/How



        A normal hash function is designed to be fast and require little space.



        A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



        Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




        Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



        • 1) Preimage resistance

        • 2) Second preimage resistance

        • 3) collision resistance.

        In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



        Defense against lookup table /TMTOAttacks:



        • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

        Defense against CPU-optimized 'crackers':



        • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

        Defense against hardware-optimized 'crackers':



        • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

        Defense against side-channel attacks:



        • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 1 hour ago

























        answered 1 hour ago









        Ella RoseElla Rose

        16.8k44482




        16.8k44482




















            firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.












            firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.











            firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.














            Thanks for contributing an answer to Cryptography Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68545%2faes-why-is-it-a-good-practice-to-use-only-the-first-16bytes-of-a-hash-for-encry%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Isabella Eugénie Boyer Biographie | Références | Menu de navigationmodifiermodifier le codeComparator to Compute the Relative Value of a U.S. Dollar Amount – 1774 to Present.

            Image
            Personnalité américaine du monde des affairesPersonnalité féminine françaiseNaissance en décembre 1841Naissance à ParisDécès en mai 1904Décès à 62 ansDécès à Paris 17 décembre1841Paris12 mai1904Isaac Merritt SingerSingerNew York1863guerre civile américaineParisAngleterreguerre de 1870DevonOldway Mansion (en) PaigntonWinnarettaEdmond de Polignacduchesse DecazesdollarsVictor ReubsaetParisHumbert I er d'Italieviolon de StradivariusStatue de la LibertéBartholdi Isabella Eugénie Boyer.mw-parser-output .entete.humainbackground-image:url("//upload.wikimedia.org/wikipedia/commons/8/82/Picto_infobox_manwoman.png") Isabella Eugénie Boyer. Titre de noblesse Duchesse Biographie Naissance 17 décembre 1841 Paris Décès 12 mai 1904 (à 62 ans) Paris Sépulture Cimetière de Passy Nationalité Française Domicile Oldway Mansion ( en ) Activité Mannequin Con...
            Read more

            Join wedge with single bond in chemfigHow to make only one part of double bond bold with chemfig?Crossing bonds in chemfigjoining atoms in chemfig. Two adjacent molculesHow do I selectively change bond length in chemfig?Ugly bond joints in chemfigchemfig: reaction above arrowUsing the mhchem and chemfig packages in conjunctionBonding to specific element letter using chemfigResonance hybrids in chemfigScale chemfig molecule in beamer with tikzWhy does this chemfig bond with a hook start in the middle of the atom?

            Image
            Where does SFDX store details about scratch orgs? Decimal to roman python Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat? What is the word for reserving something for yourself before others do? How could indestructible materials be used in power generation? Issue with type force PATH search How to copy / replace first letter in a column of attribute table in ArcMap with field calculator and Python? A plague kills all white people book, probably 1960's Is it inappropriate for a student to attend their mentor's dissertation defense? How to model explosives? Twin primes whose sum is a cube Alternative to sending password over mail? Do I have a twin with permutated remainders? Why do I get two different answers for this counting problem? How badly should I try to prevent a user from XSSing themselves? What is going on with Captain Marvel's blood colour? I'm going to France and my pa...
            Read more

            Are small insurances worth itIs insurance worth it if you can afford to replace the item? If not, when is it?Is accident insurance worth it for my kids who play sportsIs insuring property for more than it is worth allowed?At what point does it become worth it to file an insurance claim?Are wage loss insurance programs worth the cost compared to having an emergency fund?When is an event worth insuring against?Is insurance worth it if you can afford to replace the item? If not, when is it?FHA loan just commenced : Any way to get any of the up-front mortgage insurance back?Which types of insurances do I need to buy?Should I carry less renter's insurance if I can self-insure?Mortgage Adviser Signed Me Up For Multiple Home and Life Insurances (UK)Why many travel insurances don't cover country of nationality?

            Image
            Does restoring a database break external synonyms targeting objects in that database? In the world of The Matrix, what is "popping"? “I had a flat in the centre of town, but I didn’t like living there, so …” My cassette model name doesn't seem to fit the actual cassette description.. (CS-HG50-9 and CS-HG500-10) Does the US political system, in principle, allow for a no-party system? An Undercover Army Too soon for a plot twist? How does learning spells work when leveling a multiclass character? What is the purpose of a disclaimer like "this is not legal advice"? What do I miss if I buy Monster Hunter: World late? Was it really inappropriate to write a pull request for the company I interviewed with? How spaceships determine each other's mass in space? Replacing tantalum capacitor with ceramic capacitor for Op Amps Ultrafilters as a double dual Insult for someone who "doesn't know anything" How do you make a gun tha...
            Read more