CryptBox:cryptography

with No Comments

Introduction

File Encryption and Decryption using Password Based Encryption (PBE).

Password-Based Encryption (PBE) derives an encryption key from a password. In order to make the task of getting from password to key very time-consuming for an attacker, most PBE implementations (as the one shown below) will mix in a random number, known as a salt, to create the key.

PBE algorithm supported in j2se1.4 (Other algorithms are supported in later versions of the SunJCE and other providers)

There are times when we want to effectively select the encryption key. We might want to encrypt a file based on a passphrase entered by us, so that we can remember it. In this case, we want the only secret information to be the passphrase.

The technique of generating a secret key from a user-generated passphrase is usually called password-based encryption (PBE). As you might imagine, it is loaded with difficulty. In particular:

  • Our requirement and the security requirement usually conflict: we require an easy-to-remember passphrase, or at least one that’s made of recognisable characters and short enough to write down; yet for secure encryption by today’s standards, we require at least 128 strongly random bits (and ideally more);
  • password-based encryption is typically used in applications where an attacker can repeatedly try to guess the password undetected and beyond the control of the genuine sender/recipient (if the password is being used to log into the server, it can be detect that so many invalid attempts were made and in the worst case shut down the server to prevent further attempts; but if an eavesdropper takes a copy of the encrypted ZIP file we use, we’ll never know that they’re sitting there with a 100,000-processor botnet trying to brute-force the password, and they can essentially sit doing it for as long as they like).

PBE (Password Based Encryption) = hashing + symmetric encryption

A 64 bit random number (the salt) is added to the password and hashed using a Message Digest Algorithm (e.g. MD5).
Number of times the password is hashed is determined by the iteration count.  Adding a random number and hashing multiple times enlarges the key space.

Important links to project and source code:

Download executable file

download source code