Password-based encryption in Java

We've discussed various types of encryption. In all cases, we've assumed that the key is essentially a series of random bytes. Sometimes they have structure: in the case of RSA encryption, for example, we actually construct a random modulus from two random prime numbers (see the description of the RSA algorithm). But essentially, we have a series of random bytes generated programmatically; we assume that the user doesn't, for example, select the two RSA primes, or choose the 16 bytes that form a 128-bit AES key.

Unfortunately, there are times when we do want the user to effectively select the encryption key. We might want to encrypt a file based on a passphrase entered by the user, so that it can be sent securely by e-mail. In this case, we want the only secret information to be the passphrase.

The technique of generating a secret key from a user-generated passphrase is usually called password-based encryption (PBE). As you might imagine, it is fraught with difficulty. In particular:

The typical result is fairly dire: most password-protected data is encrypted with weak encryption keys, and an attacker can spend all the processor time they like trying to guess that weak key with complete impunity.

A typical password-based encryption scheme attempts to alleviate these problems. On the next page, we discuss how PBE works in a typical situation.