Password-based encryption in Java
We've discussed various types of encryption.
In all cases, we've assumed that the key is essentially
a series of random bytes. Sometimes they have structure: in the case of RSA encryption, for example, we actually construct
a random modulus from two random prime numbers (see the description of
the RSA algorithm). But essentially, we have
a series of random bytes generated programmatically; we assume that the user doesn't, for example,
select the two RSA primes, or choose the 16 bytes that form a 128-bit AES key.
Unfortunately, there are times when we do want the user to effectively select
the encryption key. We might want to encrypt a file based on a passphrase
entered by the user, so that it can be sent securely by e-mail.
In this case, we want the only secret information to be the passphrase.
The technique of generating a secret key from a user-generated passphrase is usually
called password-based encryption (PBE). As you might imagine, it is fraught with
difficulty. In particular:
- the user's requirement and the security requirement usually conflict:
the user requires an easy-to-remember passphrase, or at least one that's made of
recognisable characters and short enough to write down; yet for secure encryption
by today's standards, we require at least 128 strongly random bits (and ideally
- password-based encryption is typically used in applications where
an attacker can repeatedly try to guess the password undetected and beyond
the control of the genuine sender/recipient (if the password is being used to log
into our server, we can detect that so many invalid attempts were made and
in the worst case shut down our server to prevent further attempts;
but if an eavesdropper takes
a copy of the encrypted ZIP file we e-mailed, we'll never know that they're
sitting there with a 100,000-processor botnet trying to brute-force the password,
and they can essentially sit doing it for as long as they like).
The typical result is fairly dire: most password-protected data is encrypted with
weak encryption keys, and an attacker can spend all the processor time they
like trying to guess that weak key with complete impunity.
A typical password-based encryption scheme attempts to alleviate these
problems. On the next page, we discuss how PBE
works in a typical situation.