Does BCrypt uses AES 448bit encryption?

I'm creating a HIPAA compliant web app in Java and for that I'm using

// org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
String hash = new BCryptPasswordEncoder().encode("12345678");

My Questions are:

1: Is the hash generated by the above code encrypted with the AES algorithm?

2: Is the hash generated by the above code encrypted with a minimum 256-bit key?

Adnan Amjad Avatar asked Nov 28 '25 23:11



1 Answer

BCrypt doesn't use AES. It uses Blowfish, which is a sibling/predecessor to AES.

Password hashing creates a huge number from the original input. BCrypt protects against the following kinds of attacks:

  • You can't guess or calculate the original password from the hash
  • Hashing a single password is expensive to protect against brute-force password guessing attacks where an attacker simply tries to create the same hash by running random input through the algorithm.
  • Encoding the same password twice gives different hashes (a.k.a. salting) to protect against rainbow table attacks.

Usually, symmetric codecs like AES and Blowfish aren't suitable for hashing passwords (since you can decode the output when you know the key). BCrypt works around this by initializing the codec with the password and then encoding a known message (OrpheanBeholderScryDoubt) to create a 192-bit "hash value".

The input is 72 bytes max, but most implementations only use 56 bytes of that. The key which is used to encrypt the known message is 448 bits and is built from an initial key + salt + password. The result is the cost followed by a 128-bit salt and a 192-bit "hash".

Related:

  • bcrypt (Wikipedia)
  • https://en.wikipedia.org/wiki/Password_cracking
  • Eksblowfish algorithm
  • Bcrypt algorithm
  • Spring Security implementation of BCrypt
Aaron Digulla Avatar answered Nov 30 '25 11:11

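As an added illustration of the output format the answer describes (this is example code, not from the original post or from Spring Security): it splits the string that BCryptPasswordEncoder returns into its cost, 128-bit salt and hash fields using bcrypt's own base64 alphabet. The sample hash is constructed to have the right shape only and is not the hash of any real password; meets_cost_policy is a hypothetical helper for auditing stored hashes.

```python
import re

# bcrypt uses its own base64 alphabet (no padding), not the RFC 4648 one.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# $<version>$<cost>$<22 salt chars><31 hash chars>; Spring emits $2a$ at cost 10 by default.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Constructed sample with the correct shape only; NOT the bcrypt hash of any real password.
SAMPLE_HASH = "$2a$10$AbCdEfGhIjKlMnOpQrStUv0123456789abcdefghijklmnopqrstu"


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt's base64 variant, keeping nbytes (the trailing bits are padding)."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_B64.index(ch)  # ValueError on a non-alphabet char
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out[:nbytes])


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into the fields the answer describes: cost, salt, hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost_str, salt_b64, hash_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's 4..31 range")
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,                     # Eksblowfish key-setup iterations
        "salt": bcrypt_b64decode(salt_b64, 16),  # 128-bit random salt
        # 23 bytes: the reference implementation drops the last byte of the 192-bit
        # (3 x 64-bit block) Blowfish ciphertext of "OrpheanBeholderScryDoubt".
        "hash": bcrypt_b64decode(hash_b64, 23),
    }


def meets_cost_policy(hash_str: str, min_cost: int = 10) -> bool:
    # Hypothetical defender check: flag stored hashes whose work factor is below policy.
    return parse_bcrypt(hash_str)["cost"] >= min_cost


if __name__ == "__main__":
    f = parse_bcrypt(SAMPLE_HASH)
    print(f"version={f['version']} cost={f['cost']} ({f['rounds']} rounds)")
    print(f"salt={f['salt'].hex()} ({len(f['salt']) * 8} bits)")
    print(f"hash={f['hash'].hex()} ({len(f['hash']) * 8} bits)")
```

Running it against a hash actually produced by BCryptPasswordEncoder shows the same three fields, and two encodings of the same password differ only in the salt and hash fields, not the cost.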


