Is it safe to reuse the password when using AES-CTR with scrypt?


I want to encrypt several files with the scrypt encryption utility. Here is an overview of its file format, which gives an indication of what it does:



```
scrypt encrypted data format
----------------------------

offset  length
0       6       "scrypt"
6       1       scrypt data file version number (== 0)
7       1       log2(N) (must be between 1 and 63 inclusive)
8       4       r (big-endian integer; must satisfy r * p < 2^30)
12      4       p (big-endian integer; must satisfy r * p < 2^30)
16      32      salt
48      16      first 16 bytes of SHA256(bytes 0 .. 47)
64      32      HMAC-SHA256(bytes 0 .. 63)
96      X       data xor AES256-CTR key stream generated with nonce == 0
96+X    32      HMAC-SHA256(bytes 0 .. 96 + (X - 1))

AES256-CTR is computed with a 256-bit AES key key_enc, and HMAC-SHA256 is
computed with a 256-bit key key_hmac, where
  scrypt(password, salt, N, r, p, 64) == [key_enc][key_hmac]
```


Can I safely reuse the password for encrypting different files? I'm concerned that the nonce is set to 0, and I know that reusing the key in CTR mode is a big no-no. However, the key is generated by scrypt, which uses a randomly generated salt. Is that enough to mitigate the problems with reusing the passphrase and having a fixed nonce?







aes ctr scrypt






asked 8 hours ago by mihao (edited 8 hours ago)




  • related: What is the best-practice for encrypting small files? – kelalaka, 5 hours ago
















1 Answer
CTR is insecure if you reuse a key/iv pair. Since the salt is random, a different encryption key will be derived every time you encrypt something. Therefore it is safe even if it always uses the zero IV. Of course, the password must be strong enough to resist brute force attacks.







answered 7 hours ago by Conrado










  • This paper supports this answer. (It explicitly says that deterministic encryption is fine for salt-randomizing password-based encryption) – SEJPM, 4 hours ago
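Added example (not part of the original posts and not the scrypt utility's own code): a sketch that builds and parses the 96-byte header from the format quoted in the question, shows that one password with two random salts yields different `key_enc` values, and flags files that share a salt, which is the case where the zero nonce would become a key/IV reuse. Function names, the sample password and the small `log_n=10` cost are assumptions chosen for illustration; the AES-CTR payload itself is not produced here.

```python
import hashlib, hmac, os, struct

def derive_keys(password: bytes, salt: bytes, log_n: int, r: int, p: int):
    """scrypt(password, salt, N, r, p, 64) == [key_enc][key_hmac]"""
    dk = hashlib.scrypt(password, salt=salt, n=1 << log_n, r=r, p=p, dklen=64)
    return dk[:32], dk[32:]

def build_header(password: bytes, salt: bytes, log_n=10, r=8, p=1) -> bytes:
    """Bytes 0..95 of the format quoted in the question."""
    head = b"scrypt" + bytes([0, log_n]) + struct.pack(">II", r, p) + salt
    head += hashlib.sha256(head).digest()[:16]
    _, key_hmac = derive_keys(password, salt, log_n, r, p)
    return head + hmac.new(key_hmac, head, hashlib.sha256).digest()

def parse_header(blob: bytes) -> dict:
    """Validate magic, version, parameter bounds and the SHA-256 checksum."""
    if len(blob) < 96 or blob[:6] != b"scrypt" or blob[6] != 0:
        raise ValueError("not a version-0 scrypt file")
    log_n = blob[7]
    r, p = struct.unpack(">II", blob[8:16])
    if not 1 <= log_n <= 63 or r * p >= 1 << 30:
        raise ValueError("parameters out of range")
    if not hmac.compare_digest(hashlib.sha256(blob[:48]).digest()[:16], blob[48:64]):
        raise ValueError("header checksum mismatch")
    return {"log_n": log_n, "r": r, "p": p, "salt": blob[16:48]}

def password_matches(password: bytes, blob: bytes) -> bool:
    """Check the header HMAC (bytes 64..95) under the derived key_hmac."""
    h = parse_header(blob)
    _, key_hmac = derive_keys(password, h["salt"], h["log_n"], h["r"], h["p"])
    tag = hmac.new(key_hmac, blob[:64], hashlib.sha256).digest()
    return hmac.compare_digest(tag, blob[64:96])

def reused_salts(blobs: dict) -> list:
    """Names of files whose salt already appeared in an earlier file."""
    seen, dupes = set(), []
    for name, blob in blobs.items():
        salt = parse_header(blob)["salt"]
        if salt in seen:
            dupes.append(name)
        seen.add(salt)
    return dupes

# Constructed sample: two headers from one password with fresh random salts,
# plus one that deliberately copies the first salt (the unsafe case).
PASSWORD = b"correct horse battery staple"
SALT_A, SALT_B = os.urandom(32), os.urandom(32)
FILES = {
    "a.enc": build_header(PASSWORD, SALT_A),
    "b.enc": build_header(PASSWORD, SALT_B),
    "c.enc": build_header(PASSWORD, SALT_A),
}
```

A file that copies another file's salt under the same password derives the same `key_enc`, so with the fixed zero nonce both payloads would be XORed with the same key stream; `reused_salts` is the check for that condition.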












