I'm doing password based file encryption in Java; I'm using AES as the underlying encryption algorithm and PBKDF2WithHmacSHA1
to derive a key from a salt and password combination using the following code (which I got from another generous poster on this site).
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.Key;
import java.security.spec.KeySpec;
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec ks = new PBEKeySpec(password, salt, 1024, 128); // password is a char[], salt a byte[]; 1024 iterations, 128-bit key
SecretKey s = f.generateSecret(ks);
Key k = new SecretKeySpec(s.getEncoded(), "AES");
I share the salt, the user enters their password at each end, and encryption and decryption work fine :-) My problem is that I would like to be able to verify that the password the user enters is correct before embarking on the (potentially long) decryption process. I know the PBKD spec includes an optional 2 byte verification value, but I'm not sure how to generate this value using the above approach. Does Java provide support for this, or if not, what would be a secure alternative?
Thanks for your time.
If you are a Java developer, PBKDF2 is an excellent algorithm to use. In PBKDF2 we can force the algorithm to behave slowly by increasing its iteration count. Following is a simple tutorial explaining how to use the PBKDF2 algorithm to hash passwords.
PBKDF2 applies a pseudorandom function, such as hash-based message authentication code (HMAC), to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations.
PBKDF2 is recommended by NIST and has FIPS-140 validated implementations. So, it should be the preferred algorithm when these are required. PBKDF2 requires that you select an internal hashing algorithm such as an HMAC or a variety of other hashing algorithms. HMAC-SHA-256 is widely supported and is recommended by NIST.
PBKDF2 is a one-way hashing algorithm. It's not possible to decrypt the generated hash.
There is no "quick check" mechanism that is secure, by definition. The whole point of using PBKDF2 or related techniques is to make password checking slow, to foil password cracking programs. If you added a quick check system, password crackers would be able to guess passwords in bulk very quickly.
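As an added example (not code from the question or from either answer): one way to get a password check that still pays the full PBKDF2 cost the answer above insists on. It asks the same PBKDF2WithHmacSHA1 call the question already makes for 256 bits instead of 128, uses the first 128 as the AES key and stores the remaining 128 next to the salt as a check value. The class and method names are my own choices.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordCheck {
    private static final int ITERATIONS = 1024; // same as the question; raise it in new designs
    private static final int KEY_BITS = 128;    // AES-128 key, as in the question
    private static final int CHECK_BITS = 128;  // extra output used only as a verifier

    // One PBKDF2 run yields KEY_BITS + CHECK_BITS bits; split them into key and check value.
    // The check value is a separate PBKDF2 output block, so storing it does not reveal the key.
    static byte[][] deriveKeyAndCheck(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec ks = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS + CHECK_BITS);
        byte[] material = f.generateSecret(ks).getEncoded();
        ks.clearPassword();
        byte[] key = Arrays.copyOfRange(material, 0, KEY_BITS / 8);
        byte[] check = Arrays.copyOfRange(material, KEY_BITS / 8, material.length);
        Arrays.fill(material, (byte) 0);
        return new byte[][] { key, check };
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Encrypting side: derive once, store salt + check value alongside the ciphertext.
        byte[][] enc = deriveKeyAndCheck("correct horse".toCharArray(), salt);
        SecretKeySpec aesKey = new SecretKeySpec(enc[0], "AES"); // use with Cipher as in the question
        byte[] storedCheck = enc[1];

        // Decrypting side: re-derive with the entered password and compare the check value
        // in constant time; only then hand aesKey to the (slow) decryption.
        byte[][] wrong = deriveKeyAndCheck("wrong password".toCharArray(), salt);
        System.out.println("wrong password accepted: " + MessageDigest.isEqual(storedCheck, wrong[1]));
        byte[][] right = deriveKeyAndCheck("correct horse".toCharArray(), salt);
        System.out.println("right password accepted: " + MessageDigest.isEqual(storedCheck, right[1]));
    }
}
```

An attacker holding the stored check value still has to run the full iterated PBKDF2 for every guess, so the verifier costs exactly what a trial decryption would.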