I'm new to working with the Crypto++ library and I don't understand why they say CBC mode is usually not enough to protect/secure my data.

So can I deal with the CBC-Mode if I would like to use it with user passwords or not?


EDIT (from the comments):

I would like to create a program that encrypts strings with the Crypto++ library. I would like to transform data in order to keep it secret, like user passwords from a program/website, I mean like a password saver/container, with AES.

jww
AdamGe09
  • You should take a look at [Argon2](https://en.wikipedia.org/wiki/Argon2), which was specially designed to hash passwords and won the PHC 2015 competition. Its reference implementation is in [C / C++](https://github.com/p-h-c/phc-winner-argon2) – nada Apr 16 '19 at 12:19
  • CBC is not the way to go. As a programmer, don't invent new methods like how to hash passwords; use tested, tried and true methods instead, designed by people who work in the field. – nada Apr 16 '19 at 12:22
  • First, thanks for the fast answer. Okay thanks. – AdamGe09 Apr 16 '19 at 12:23
  • Also, this might not be great advice, but personally, I stopped trying to understand everything cryptographers reason/do. *Over there* things get complicated and messy quickly and you can easily break things by implementing secure algorithms in a wrong way. Just trust your friends over at https://security.stackexchange.com/ :) – nada Apr 16 '19 at 12:31
  • Haha okay :) I think you're right, I watched the open-source code from the cryptopp lib... that's really 'stackoverflow'. I will look for some nice advice and information about a 'good' lib to use in my program :) The page is great, I never heard about that before. – AdamGe09 Apr 16 '19 at 12:37
  • I would like to create a program that encrypts strings with the Crypto++ library. I would like to transform data in order to keep it secret, like user passwords from a program/website, I mean like a password saver/container, with AES. – AdamGe09 Apr 16 '19 at 15:10
  • Without the full requirements I doubt anyone is going to be able to help you. If you are encrypting strings, then you should consider either (1) block cipher operated with an [authenticated encryption](https://www.cryptopp.com/wiki/Authenticated_Encryption) mode; (2) stream cipher with authentication tag, like [ChaChaPoly1305](https://www.cryptopp.com/wiki/ChaCha20Poly1305); or (3) [ECIES](https://www.cryptopp.com/wiki/Elliptic_Curve_Integrated_Encryption_Scheme) or other integrated encryption scheme. – jww Apr 16 '19 at 17:13
  • ECIES (3) is most likely a better choice because it is [IND-CCA2](https://en.wikipedia.org/wiki/Ciphertext_indistinguishability#IND-CCA2), which is a strong notion of security. IND-CCA2 means an attacker cannot distinguish ciphertext from random with more than negligible probability. And since ECIES is an integrated scheme the attacker won't find oracles to help guess at the strings. – jww Apr 16 '19 at 17:13
  • Please see this [question](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) – kelalaka Apr 16 '19 at 17:32
  • Possible duplicate of [How can I hash a password in Java?](https://stackoverflow.com/questions/2860943/how-can-i-hash-a-password-in-java) – Gilles 'SO- stop being evil' Apr 16 '19 at 21:01
  • Don't use CBC mode for anything. If you need to encrypt, use an AEAD mode. But [passwords need special handling, not encryption](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords). – Gilles 'SO- stop being evil' Apr 16 '19 at 21:02

0 Answers