14 Mar
Secure Offline Login and Data Encryption with PBKDF2 and AES-256
I'm working on a project that requires offline functionality, including offline login and secure data manipulation. I'd appreciate feedback on my chosen approach and best practices for secure design.
Scenario:
Users need to perform CRUD operations on sensitive data even when offline. No dedicated security hardware is available.
Proposed Approach:
Offline Authentication:
The user's password is hashed using PBKDF2. A SHA-512 hash of the PBKDF2 output is stored for verification during offline login attempts.
Data Encryption:
A random key is generated for encrypting sensitive data using AES-256. The PBKDF2 output is used as a Key Encryption Key (KEK) to securely store the random data encryption key.
Questions:
- Security Review: How secure is this design? Are there any vulnerabilities or areas for improvement?
- Best Practices: How can I best evaluate the security of similar designs in the future?
- HMAC for Offline Duration: Could HMAC be used to limit the duration a user can work offline? If so, how can it be integrated effectively?
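
The scheme described in the post, written out as an added example (not code from the original poster) using Node.js's built-in `crypto` module. The post does not give a cipher mode, PBKDF2 hash, iteration count or salt size; AES-256-GCM, HMAC-SHA256, 600000 iterations, a 16-byte salt and the function names `deriveKek`, `enroll` and `offlineLogin` are all assumptions made here.

```javascript
const { pbkdf2Sync, randomBytes, createHash, createCipheriv,
        createDecipheriv, timingSafeEqual } = require('node:crypto');

// Assumed parameters; the post does not specify them.
const ITERATIONS = 600000; // PBKDF2-HMAC-SHA256 work factor (assumption)
const KEK_LEN = 32;        // 256-bit key encryption key for AES-256

// Password + per-user salt -> KEK (the "PBKDF2 output" in the post).
function deriveKek(password, salt) {
  return pbkdf2Sync(password, salt, ITERATIONS, KEK_LEN, 'sha256');
}

// Enrollment: build the record that is stored on the device.
// Only salt, verifier and the wrapped DEK are persisted; the KEK and
// the plaintext DEK exist in memory only.
function enroll(password) {
  const salt = randomBytes(16);
  const kek = deriveKek(password, salt);
  // Verifier = SHA-512(PBKDF2 output), as the post proposes.
  const verifier = createHash('sha512').update(kek).digest();
  const dek = randomBytes(32);  // random data encryption key
  const iv = randomBytes(12);   // fresh GCM nonce for the wrap
  const cipher = createCipheriv('aes-256-gcm', kek, iv);
  const wrappedDek = Buffer.concat([cipher.update(dek), cipher.final()]);
  const record = { salt, verifier, iv, wrappedDek, tag: cipher.getAuthTag() };
  return { record, dek };
}

// Offline login: returns the unwrapped DEK, or null when the password
// is wrong or the stored record has been modified.
function offlineLogin(password, record) {
  const kek = deriveKek(password, record.salt);
  const candidate = createHash('sha512').update(kek).digest();
  // Constant-time comparison of the two 64-byte digests.
  if (!timingSafeEqual(candidate, record.verifier)) return null;
  const decipher = createDecipheriv('aes-256-gcm', kek, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.wrappedDek), decipher.final()]);
  } catch {
    return null; // GCM tag mismatch: wrapped key was tampered with
  }
}
```

Because the stored record is sufficient to test password guesses offline, the PBKDF2 work factor and the password's strength are what bound an attacker who copies the device storage.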