Using a password to generate two distinct hashes without reducing password security

Posted by Nevins on Stack Overflow See other posts from Stack Overflow or by Nevins
Published on 2010-04-21T14:47:17Z Indexed on 2010/05/13 23:14 UTC
Read the original article Hit count: 251

Hi there, I'm in the process of designing a web application that will require the storage of GPG keys in an encrypted format in a database.

I'm planning on storing the user's password in a bCrypt hash in the database. What I would like to be able to do is to use that bCrypt to authenticate the user then use the combination of the stored bCrypt hash and another hash of the password to encrypt and decrypt the GPG keys.

My question is whether I can do this without reducing the security of the password? I was thinking I may be able to use something like an HMAC-SHA256 of a static string using the password and a salt as the secret key.

Is there a better way to do this that I haven't thought of?

Thanks

© Stack Overflow or respective owner

Related posts about encryption

Related posts about cryptography