Hi!

I've written an encryption program that encrypts and decrypts selected files using a user-entered password as the encryption key.

Once en/decrypted, the user will be asked if they want to delete the file that was used, and, in the case of decryption, open the newly decrypted file.

My brother came up with an idea for this application yesterday that might save me a lot of grief should I forget a password. He suggested I set a "Master" password that I can enter to decrypt any file that was encrypted with this application. Something simple so it's easy to remember in case I forget a password I used to encrypt the file in the first place.

Based on the fact that the password serves as the encryption key, can it be done? If so, how?

The code sample I used (and have since modified for greater functionality) was found here: http://www.codeproject.com/KB/security/EncryptFile.aspx

Thanks in advance!

A: 

No, if you want a "master password", then you'll have to make the encryption key something standard, then secure access to the key with a password. If the key is based on the password, then there's no overriding it.

Adam Robinson
+3  A: 

There are at least two ways that I can think of right now:

1) Use the master password to encrypt the other passwords. This is how things like the KDE Wallet do it: they simply secure your passwords with something that will hopefully be easy to remember.

2) Use mathematically related keys. This is much more difficult to do, as it takes a lot more brains as well as more computational power to achieve. I suggest you read more on the subject here and here if you're interested.

_NT
A: 

I'm not sure if this is the answer, but I would look into public key cryptography. I did some research and implementation on RSA Encryption a while back and I'm sure you can create some kind of algorithm to do it using that.

This should start you off

http://en.wikipedia.org/wiki/Public-key_cryptography

(Also, look up RSA encryption on Wikipedia, seeing as how I can only post one link without more rep points apparently.)

Lastly, I don't know what language you're using, but I used Visual Basic, and it provides some stuff to handle RSA.

Brandon
If you have more links, post them in comments under this one... For the record, I am using VB
Logan Young
A: 

_NT's answer is pretty close to how you probably want to do this, but (IMO) not quite right. In particular, if you use the master password to encrypt the other passwords, you must always enter the master password to decrypt a file.

At least as I read what you've said, what you really want is to enter either the file's password, or (if you forget that) the master password. This is also possible, but works a bit differently. To do it, you typically want to generate a random key that's used to encrypt the contents of the file itself. You then encrypt that key with the file password, and store the encrypted key along with the file. You separately encrypt the key with the master password, and store that encrypted key along with the file as well.

When it comes time to decrypt the file, you have the user enter the file password, use that to decrypt the key, and the decrypted key to decrypt the file. If they've forgotten the file key, they enter the master password. You use that to decrypt the key that was encrypted with the master password, and use that key to decrypt the file.

As you can readily see, this method will support an arbitrary number of separate passwords, not just two. Just for example, you can use this for multi-user access to an encrypted file. Each user who's supposed to get access to the file has their own encrypted key stored with the file, and each uses their own password to access the file.

Jerry Coffin
I'm not too fussed about multi-user support. My application is basically just for personal use to make my financial data (budget, bank statements, etc) unreadable. I've got my budget passworded with Excel, but try long enough, and you can crack any password... at least if it's encrypted, you'll need the same app that locked it to read it.
Logan Young
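
The key-slot scheme from Jerry Coffin's answer above, sketched in Python as an added example (not code from the answer or from the asker's program). Python's standard library has no AES, so the wrap is a stand-in built from PBKDF2 and HMAC; the function names, slot layout and iteration count are assumptions, and the file body would still be encrypted under the random file key by whatever cipher the program already uses.

```python
import hashlib, hmac, secrets
from typing import Optional
# Stand-in wrap (PBKDF2 + XOR mask + HMAC tag); assumption, not the page's code.
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

def _subkeys(password: str, salt: bytes):
    """Stretch the password, then split it into a wrap mask and a MAC key."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (hmac.new(kek, b"wrap", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())

def wrap_key(file_key: bytes, password: str) -> dict:
    """One key slot: the 32-byte file key encrypted under one password."""
    salt = secrets.token_bytes(16)  # fresh per slot, so a mask is never reused
    mask, mac_key = _subkeys(password, salt)
    wrapped = bytes(k ^ m for k, m in zip(file_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(slot: dict, password: str) -> Optional[bytes]:
    """Return the file key, or None if the password does not fit this slot."""
    mask, mac_key = _subkeys(password, slot["salt"])
    tag = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    return bytes(w ^ m for w, m in zip(slot["wrapped"], mask))

def new_header(file_password: str, master_password: str):
    """Pick a random file key and wrap it once per password."""
    file_key = secrets.token_bytes(32)
    slots = [wrap_key(file_key, file_password), wrap_key(file_key, master_password)]
    return file_key, slots

def unlock(slots: list, password: str) -> Optional[bytes]:
    """Try the password against every slot stored with the file."""
    for slot in slots:
        key = unwrap_key(slot, password)
        if key is not None:
            return key
    return None

def change_password(slots: list, old: str, new: str) -> bool:
    """Re-wrap the same file key; the encrypted file body is left untouched."""
    for i, slot in enumerate(slots):
        key = unwrap_key(slot, old)
        if key is not None:
            slots[i] = wrap_key(key, new)
            return True
    return False
```

Because every file carries a master slot, a master password that is easy to guess makes every file only as strong as that password.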
A: 

You could always create a file that is encrypted using your master password. In this file, you would store all the passwords you use. By using your master password, you could program your application to use the file.

I think this is the closest you can get to your problem at hand without the actual password.

David Brunelle