Implement Password-Based Key Derivation for File Encryption/Decryption Script

[Vikranth3140]

This pull request enhances the file encryption and decryption script by introducing password-based key derivation using the PBKDF2-HMAC-SHA256 algorithm. Instead of storing the encryption key on disk, the key is now securely derived from a user-provided password. This change improves security by eliminating the need to manage and protect a separate key file.

---

Key Changes:

• Password-Based Key Derivation:

  • Implemented the get_key_from_password function to derive the encryption key from a password using PBKDF2 with HMAC-SHA256.
  • The key derivation includes:
  • Password Input: Securely prompts the user for a password without echoing it to the console.
  • Salt: Uses a fixed salt for simplicity (note: in production, a unique, securely stored salt should be used).
  • Iterations: Set to 100,000 to balance security and performance.

• Encryption and Decryption Functions:

  • Updated encrypt_file and decrypt_file functions to use the derived key from the provided password.
  • Removed reliance on reading from and writing to a key file (secret.key).

• Command-Line Interface:

  • Modified the script's CLI to remove the key generation option.
  • Users now provide a password when encrypting or decrypting files:
  • Encryption: python script.py -e <filename>
  • Decryption: python script.py -d <filename.encrypted>

• Error Handling and User Feedback:

  • Added exception handling for file not found errors and invalid decryption attempts.
  • Provides informative messages to the user for successful operations and errors.

• Security Considerations:

  • Password Strength: Emphasizes the need for users to choose strong, complex passwords.
  • Salt Management: Notes that in a production environment, a unique salt should be generated and stored securely with each encrypted file.
  • Iteration Count: The iteration count can be adjusted for stronger security at the cost of performance.

• Code Cleanup:

  • Removed obsolete functions related to key file generation and loading (generate_key, load_key).
  • Simplified the codebase by focusing on password-derived keys.

---

Benefits:

• Enhanced Security:

  • Eliminates the need to store an encryption key on disk, reducing the risk of key compromise.
  • Ties encryption directly to a user-provided password, allowing for personalized security.

• User Convenience:

  • Users no longer need to manage separate key files.
  • The script becomes more portable and easier to use across different environments.

• Flexibility:

  • Suitable for personal use cases where individual users encrypt and decrypt their own files.
  • Can be extended or integrated into applications requiring password-based encryption.

---

Usage Instructions:

• Encrypt a File:

  python script.py -e <filename>

  • The script will prompt: Enter password for encryption:
  • An encrypted file <filename>.encrypted will be created.

• Decrypt a File:

  python script.py -d <filename.encrypted>

  • The script will prompt: Enter password for decryption:
  • A decrypted file will be created with the .encrypted extension removed.

---

Security Recommendations:

• Password Management:

  • Users should choose strong, unique passwords and manage them securely.
  • Consider integrating password strength validation to enforce complexity requirements.

• Salt Usage:

  • Replace the fixed salt with a unique, securely generated salt for each encryption operation.
  • Store the salt alongside the encrypted data (e.g., prepend it to the encrypted file).

  # Generate a random salt
  salt = os.urandom(16)

• Adjustable Iterations:

  • Increase the number of iterations in the KDF to enhance security, keeping in mind the performance trade-off.

• Exception Handling:

  • Implement additional error handling as needed for robustness.

[Vikranth3140]

We have updated the file encryption and decryption script to enhance security by introducing a unique, randomly generated salt for each encryption operation. The salt is now securely generated and stored alongside the encrypted data by prepending it to the encrypted file. This change improves the robustness of the password-based key derivation process and provides stronger protection against certain types of cryptographic attacks.

---

Key Changes:

• Dynamic Salt Generation:

  • For each encryption operation, a new 16-byte random salt is generated using os.urandom(16).
  • This ensures that even if the same password is used to encrypt multiple files, the derived encryption keys will be different due to the unique salts.

• Salt Storage:

  • The generated salt is prepended to the encrypted data when writing to the encrypted file.
  • During decryption, the script reads the salt from the beginning of the encrypted file to derive the correct decryption key.

• Updated Key Derivation Function:

  • The get_key_from_password function now accepts a salt parameter.
  • The key derivation process uses the provided salt along with the user’s password to generate a unique encryption key using PBKDF2 HMAC-SHA256.

• Modified Encryption and Decryption Functions:

  • Encryption (encrypt_file):
  • Generates a random salt and derives the encryption key using the password and salt.
  • Writes the salt and encrypted data to the output file.
  • Decryption (decrypt_file):
  • Reads the salt from the encrypted file before reading the encrypted data.
  • Derives the decryption key using the password and extracted salt.

---

Benefits of Using a Random Salt:

• Enhanced Security:

  • Unique salts prevent attackers from using precomputed rainbow tables to guess passwords.
  • Even if the same password is used multiple times, the resulting encryption keys and encrypted data will differ due to the unique salts.

• Improved Key Uniqueness:

  • Each encryption operation produces a different key, reducing the risk associated with key reuse.

• Resistance to Attack:

  • Makes it significantly harder for attackers to perform successful brute-force or dictionary attacks against the encrypted data.

---

Usage Instructions:

• Encrypting a File:

  python script.py -e <filename>

  • You will be prompted to enter a password for encryption.
  • The script generates a random salt, derives the key, encrypts the file, and prepends the salt to the encrypted data.
  • The encrypted file is saved as <filename>.encrypted.

• Decrypting a File:

  python script.py -d <filename>.encrypted

  • You will be prompted to enter the password used during encryption.
  • The script reads the salt from the encrypted file, derives the key, and decrypts the data.
  • The decrypted file is saved with the .encrypted extension removed.

---

Important Considerations:

• Password Management:

  • Users should choose strong, complex passwords to maximize security.
  • Passwords should be kept confidential to prevent unauthorized access.

• Salt Handling:

  • The salt size is set to 16 bytes (128 bits), which provides sufficient uniqueness.
  • Storing the salt with the encrypted data (by prepending it) ensures it is available for decryption without separate management.

• Performance:

  • The iteration count in the key derivation function is set to 100,000. This balances security and performance but can be adjusted if necessary.

---

Summary:

This update significantly enhances the security of the encryption/decryption script by ensuring that each encryption operation is unique due to the use of random salts. By storing the salt with the encrypted data, we maintain ease of use while providing stronger protection against attacks.