Javamex Home
 SecureRandom
 Java performance topics
 Synchronization and concurrency
 Java data compression

 Java tutorials home  Java cryptography  Encryption intro  Keys  Symmetric encryption  AES/block ciphers  Block modes (ECB, CTR, OFB)  Asymmetric encryption  RSA in Java  Comparison of algorithms  Key sizes  Hash functions

Search this site:
Threads Database Profiling Regular expressions Random numbers Compression Exceptions C Equivalents in Java

Password-based encryption in Java

We've discussed various types of encryption. In all cases, we've assumed that the key is essentially a series of random bytes. Sometimes they have structure: in the case of RSA encryption, for example, we actually construct a random modulus from two random prime numbers (see the description of the RSA algorithm). But essentially, we have a series of random bytes generated programmatically; we assume that the user doesn't, for example, select the two RSA primes, or choose the 16 bytes that form a 128-bit AES key.

Unfortunately, there are times when we do want the user to effectively select the encryption key. We might want to encrypt a file based on a passphrase entered by the user, so that it can be sent securely by e-mail. In this case, we want the only secret information to be the passphrase.

The technique of generating a secret key from a user-generated passphrase is usually called password-based encryption (PBE). As you might imagine, it is fraught with difficulty. In particular:

  • the user's requirement and the security requirement usually conflict: the user requires an easy-to-remember passphrase, or at least one that's made of recognisable characters and short enough to write down; yet for secure encryption by today's standards, we require at least 128 strongly random bits (and ideally more);
  • password-based encryption is typically used in applications where an attacker can repeatedly try to guess the password undetected and beyond the control of the genuine sender/recipient (if the password is being used to log into our server, we can detect that so many invalid attempts were made and in the worst case shut down our server to prevent further attempts; but if an eavesdropper takes a copy of the encrypted ZIP file we e-mailed, we'll never know that they're sitting there with a 100,000-processor botnet trying to brute-force the password, and they can essentially sit doing it for as long as they like).

The typical result is fairly dire: most password-protected data is encrypted with weak encryption keys, and an attacker can spend all the processor time they like trying to guess that weak key with complete impunity.

A typical password-based encryption scheme attempts to alleviate these problems. On the next page, we discuss how PBE works in a typical situation.

comments powered by Disqus

Written by Neil Coffey. Copyright © Javamex UK 2012. All rights reserved.