I searched all over the Net, including here on SO: There is a lot of discussion on the need to salt passwords before hashing and storing them.
In case the password is used to compute a key used for encryption ("Password Based Encryption"): what if you do not store the password at all?
- [Note: I did read SO: "Passphrase, Salt and IV, do I need all of these?" and "Does IV work like salt", which are certainly related questions: I am not sure how the Initialization Vector discussed there relates to the question here]
Suppose:
For encryption
- the user enters a master password
- this is SHA256 hashed and the output is used to AES256 encrypt a file
- the hash is not stored (and obviously neither is the master password)
For decryption
- The user enters the master password
- This is SHA256 hashed and the output is used to decrypt the file
- If the decryption was successful, the password was - apparently - correct
My question:
When not storing anything except the encrypted file itself, is there any benefit in salting the master password before hashing it?
Considerations:
- it would probably reduce the likelihood of a hash-collision
- it would require the salt to be stored.
  - if the salt were lost/corrupted the user would not be able to decrypt the file anymore
- how to check for successful decryption in step 3: does this require part of the file contents to be known?
  - if so, how much of a faux-pas is storing a known value in an encrypted file (this cannot always be prevented - an attacker might guess that for example the user's last name is encrypted somewhere in the file - and be correct).
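
The scheme outlined in the question, next to a salted variant, as an added example that is not part of the original post. It assumes PBKDF2-HMAC-SHA256 for the salted derivation, a file layout of salt, tag, then ciphertext, and a caller-supplied `encrypt` callable standing in for the AES-256 step; all function names and constants are hypothetical.

```python
import hashlib
import hmac
import os

SALT_LEN = 16          # bytes, stored in clear at the start of the file
TAG_LEN = 32           # HMAC-SHA256 output
ITERATIONS = 200_000   # assumed work factor for this example


def unsalted_key(password):
    """The question's scheme: AES-256 key = SHA256(master password)."""
    return hashlib.sha256(password.encode()).digest()


def derive_keys(password, salt):
    """Salted, slow derivation of separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def wrap(mac_key, salt, ciphertext):
    """File layout: salt || tag || ciphertext. The tag covers salt and ciphertext."""
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + tag + ciphertext


def unwrap(password, blob):
    """Return (enc_key, ciphertext) if the password fits the file, else None.

    The check needs no known plaintext: a wrong password or a damaged
    salt/ciphertext both produce a tag mismatch before any decryption.
    """
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return enc_key, ciphertext


def new_file(password, encrypt):
    """Pick a fresh salt, derive keys, encrypt via the caller's AES routine."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    return wrap(mac_key, salt, encrypt(enc_key))
```

With the unsalted scheme the same master password always yields the same key, so one precomputed guess list works against every file; with a per-file salt each file gets its own key, at the cost that a damaged salt makes the file unreadable, which the tag check reports as a mismatch.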