Comments (7)
SyntaxPolice
commented on August 27, 2024
In fact, in order to make it harder to brute force passwords, that algorithm is intentionally slowed down by doing a large number of rounds.
If you want to speed up your app, you could consider moving key generation to a different thread or caching the result of the computation so you don't have to run it multiple times. Alternately, at reduced security, you can lower the iteration count until performance is acceptable. The minimum count is 1000 but there is no "correct" number; it's really a trade-off on acceptable performance vs. threats.
You can alter this line in your copy of the library to lower the iteration count:
private static final int PBE_ITERATION_COUNT = 10000;
As with changing the algorithm, you would indeed have to transition from the old key generation method to the new one for existing users, since the resulting keys will be different for a different number of rounds. You could store the # of iterations in a preference or something as that number is not considered a secret.
We've had some requests to parameterize these and other constants, so if you're interested in helping out, we'd consider pull requests!
isaac
from java-aes-crypto.
ScottPierce
commented on August 27, 2024
Thanks for your prompt response. I understand a bit better now.
Why do you say that the minimum count is 1000? It looks like the PBEKeySpec implementation just checks that the iteration count is greater than zero.
from java-aes-crypto.
SyntaxPolice
commented on August 27, 2024
1000 is the minimum recommended by IETF and NIST. I don't think it'll break anything to reduce it further, except security:
http://dx.doi.org/10.6028/NIST.SP.800-132
https://tools.ietf.org/html/rfc2898#page-8
peace,
isaac
from java-aes-crypto.
ScottPierce
commented on August 27, 2024
I see. Makes sense. Do you have any thoughts on the API? What's somewhat tricky is that the user will need to maintain the exact same settings each time the SecretKeys are generated.
Would this be per SecretKeys creation, or a static setting that would effect all SecretKeys?
from java-aes-crypto.
SyntaxPolice
commented on August 27, 2024
It does have to be the same per key. Actually storing it next to the serialized key/salt/IV is probably the right thing. That would be a good addition to the library. So wherever you store the key, store its iteration count too.
from java-aes-crypto.
ScottPierce
commented on August 27, 2024
It would need to be backwards compatible. Probably defaulting to 10000 if it can't find the stored number of iterations.
from java-aes-crypto.
SyntaxPolice
commented on August 27, 2024
That sounds right, although I know nothing if your application logic.
Note you can convert the existing keys, but only by re-encrypting your ciphertext, e.g.
PBEKey = (10,000)
plain = decrypt (PBEKey, ciphertext)
newPBEKey = (9,000)
newCiphertext = encrypt (newPBEkey, plain)
Must be done w/ extreme care so as not to lose ciphertext.
peace,
isaac
from java-aes-crypto.
Related Issues (20)
- Allow some params to be editable HOT 2
- Any way to encrypt and decrypt on different devices? HOT 8
- Question about license and using strong encryption outside of USA HOT 2
- Support for GCM chiper transformation HOT 5
- aes-crypto missing from Maven Central HOT 4
- request: java jre/jdk specific version HOT 5
- Where should I store the salt? HOT 1
- Encrypted Stream... HOT 2
- Caller-provided IV not permitted HOT 2
- android decode was not quickly
- Simple native java code to decipher this encryption HOT 1
- Add feature to store keys in Java Keystore (JKS) / Android Keystore (AKS) HOT 14
- SecureRandom.getInstance("SHA1PRNG") is deprecated HOT 2
- Build.SERIAL is deprecated in SDK 26 and will return UNKNOWN HOT 4
- Users be warned. SHA 256 instead of PBKDF2 HOT 2
- Security alert on our production app on google play console HOT 6
- Decryption returning something weird. HOT 3
- AES CRYPTOID
- 更新 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from java-aes-crypto.