I'm implementing licensing in my Android application, and there is an array of 20 bytes that needs to be passed into the AESObfuscator that is passed to the ServerManagedPolicy object. Can this array be generated randomly every time the code is run, or does it have to be hardcoded?
Right now I'm randomly generating the salt like this:
import java.util.Random;

// Salt for the AESObfuscator, filled in once per process start.
private static final byte[] SALT;

static {
    // java.util.Random seeded with the wall clock, so the value differs on every launch.
    Random random = new Random();
    random.setSeed(System.currentTimeMillis());
    byte[] buf = new byte[20];
    random.nextBytes(buf);
    SALT = buf;
}
A bit late, but yes: the salt must remain the same to be able to decrypt the stored values again.
Basically, salting means randomizing a passphrase to make dictionary attacks a lot harder. How does a salt protect against a dictionary attack?
Update (one year later :) By the way: use a SecureRandom generator for the bytes instead of a Random generator - it's better (I could go into detail, but you can find that elsewhere as well. http://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html)
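The point of the answer, shown end to end as an added example (this is not code from the question, the answer, or Google's LVL): the salt is generated once with SecureRandom at development time and shipped as a constant, and a value obfuscated on one run can only be recovered on a later run if that same salt goes into the key derivation. The Obfuscator class below is a stand-in that only loosely follows AESObfuscator's approach (a key derived from salt + package name + device id); it uses AES-GCM instead of LVL's CBC mode so that a wrong salt fails the authentication tag deterministically rather than usually producing a padding error. The SALT bytes, the package name and the device id are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class SaltDemo {

    // Step 1 (run once at development time, NOT at app start): generate the salt with
    // SecureRandom, print it, and paste the bytes into the app as a constant.
    public static byte[] generateSaltOnce() {
        byte[] salt = new byte[20];
        new SecureRandom().nextBytes(salt); // CSPRNG; do not seed it with the clock
        return salt;
    }

    // Step 2: the constant that actually ships in the APK (constructed value for this demo).
    private static final byte[] SALT = {
        -46, 65, 30, -128, -103, -57, 74, -64, 51, 88,
        -95, -45, 77, -117, -36, -113, -11, 32, -64, 89
    };

    // Stand-in for AESObfuscator: the AES key is derived from the salt plus package name and
    // device id, so the same triple yields the same key on every run, and a different salt does not.
    static final class Obfuscator {
        private final SecretKey key;
        private final SecureRandom rng = new SecureRandom();

        Obfuscator(byte[] salt, String packageName, String deviceId) throws GeneralSecurityException {
            KeySpec spec = new PBEKeySpec((packageName + deviceId).toCharArray(), salt, 1024, 256);
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            key = new SecretKeySpec(raw, "AES");
        }

        String obfuscate(String plaintext) throws GeneralSecurityException {
            byte[] iv = new byte[12];
            rng.nextBytes(iv); // fresh IV per value; stored in front of the ciphertext
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return Base64.getEncoder().encodeToString(out);
        }

        // Returns null when the stored value cannot be recovered with this key
        // (wrong salt, wrong package/device id, or tampered data): the GCM tag check fails.
        String unobfuscate(String stored) {
            try {
                byte[] in = Base64.getDecoder().decode(stored);
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOfRange(in, 0, 12)));
                byte[] pt = c.doFinal(Arrays.copyOfRange(in, 12, in.length));
                return new String(pt, StandardCharsets.UTF_8);
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                return null;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String pkg = "com.example.app";       // constructed sample values
        String deviceId = "0123456789abcdef";

        // First run: store a licensing value using the fixed salt.
        Obfuscator run1 = new Obfuscator(SALT, pkg, deviceId);
        String stored = run1.obfuscate("LICENSED|2025-12-31");

        // Later run, same salt: the stored value is recoverable.
        Obfuscator run2 = new Obfuscator(SALT, pkg, deviceId);
        System.out.println("same salt   -> " + run2.unobfuscate(stored));

        // Later run with a per-launch random salt (what the question's code does):
        // the derived key differs and the stored value is unrecoverable.
        Obfuscator run3 = new Obfuscator(generateSaltOnce(), pkg, deviceId);
        System.out.println("random salt -> " + run3.unobfuscate(stored));
    }
}
```

The practical workflow is to call generateSaltOnce() in a scratch program, copy the printed bytes into the SALT constant, and never touch SecureRandom's seed: seeding java.util.Random with System.currentTimeMillis() makes the output guessable from the launch time, whereas SecureRandom seeds itself from the platform entropy source.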