cryptography - Deterministic Encryption - Generating IV from password key

Question

I need to encrypt file and directory names/paths but I need the encryption to be deterministic. I need to sync the local files with a cloud storage provider so I can't use probabilistic encryption.

Know that you should not use a static IV when encrypting text, would this be an acceptable work around:

• Run passphrase through scrypt and store resulting output
• Take the resulting output from scrypt and hash it (using MD5 for example)
• Take the first 16 bytes of the hash and use it as the IV to encrypt the directory and file name

The only other thing I can think of:

• Use probabilistic encryption
• Read the directory/file structure from the cloud service provider and local directory
• Map all the encrypted cloud provider names with their decrypted values
• Map all the encrypted local names with their decrypted values
• Sync based on the mappings found above

The only issue with that is that it is time consuming and really difficult to implement when using different cloud service providers.

question from:https://stackoverflow.com/questions/65648656/deterministic-encryption-generating-iv-from-password-key

Answer 1

In order to securely encrypt data, you need to use a different key/IV pair for each message. If you don't, you leak a lot of information about the encryption and it becomes very weak. However, it's not too difficult to do if you have an incrementing counter that never repeats:

• Generate a random salt (32 bytes) and store it with the rest of the data. This is public.
• Take the current version of the counter as a 32-bit or 64-bit integer.
• Use scrypt with your passphrase, and for the salt, concatenate your salt and the counter. Take enough bytes out for both a key and an IV.
• Encrypt your file or directory name (ideally with an AEAD if possible, such as AES-GCM or ChaCha20-Poly1305) using the key and IV you've generated. Prepend the counter as an integer.
• Increment the counter and store the new counter.

Using a key derivation function like scrypt to generate both the key and IV is secure as long as your use a different salt each time. By generating a random salt, which can be used for your entire project, and then appending a counter, you're producing salts that are both distinct and different from those used by others. Using just the counter wouldn't be distinct enough.

Your proposed idea will use the same key/IV pair for each file name encryption, which would be weak. It doesn't matter how you generate that same key/IV pair, using the same one would remain weak. You must also never reuse the counter in my proposal above, because otherwise you generate the same key/IV pair from scrypt. You can reuse the same counter if you change the random salt, though.

As a note, you should avoid using MD5 for any reason. SHA-256 or BLAKE2b are better choices in all situations.