Understanding PBE | Java Security Solutions

One of the algorithms supported by the JDK 1.4 actually works on top of DES and Triple-DES. The algorithm known as Password Based Encryption (PBE) is described in the RSA documentation PKCS#5 from RSA.

Note	The RSA reference to Password Based Encryption can be found at http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html .

PBE works on top of DES and Triple-DES and simply provides the ability to use a password to generate an encryption key. The password used to generate the key could be anything meaningful to a user or even a random value. After the key is generated, the cipher can encrypt or decrypt the message using DES or Triple-DES. The differences in the parameters are PBEWithMD5AndDES for DES and PBEWithMD5AndTripleDES for Triple-DES.

The PBE is based on creating a key generated from the password. The same password generates the same data in the key. When the key is passed in the cipher, the key needs an iteration count and salt. The iteration count is used for the number of iterations to pass through the message digest. The salt is a random number of bytes that will be hashed into the password to randomize the password.

Note	Salting the password makes the password more random to avoid patterns in the key.

After the password is salted, the cipher passes the password through a message digest, in this case MD5, and digests the salted password based on the number of times given by the iteration count. After the password is salted and digested the given number of times, the resulting key is used in DES like a normal key. The PBE specification specifies that the PBE algorithm must be done in the CBC mode and PKCS5Padding for the message for 64-bits. See Figure 14-1 for an example of these key combinations.

Figure 14-1: The PBE key for DES and Triple-DES

By default, the DES and Triple-DES PBE algorithms set the iteration count to 10. The PBE specification recommends setting the iteration count to 1000. To bypass the defaults of the cipher, the javax.crypto.spec.PBEParameterSpec class or the algorithm parameters that were created with the PBEParameterSpec class can be passed in. The PBEParameterSpec class takes in two parameters, a byte array containing the salt and an integer that represents the iteration count. The password is a character array passed in the javax.crypto.spec.PBEKeySpec class to create the key. Whatever is used by the cipher engine as the salt and iteration count, both must match the encryption and decryption. The salt could be considered as an extra subkey , like the initialization vector (IV).

Note	Recall from Chapter 12 that since the first round of plaintext doesn't have a previous ciphertext block to work with, an initialization vector is used to simulate a block of ciphertext for the first round.

The iteration count controls the number of iterations of the digest. When the same password is salted and then digested x number of times, it produces the same results.

The purpose of the algorithm is to provide a cryptographically secure key that can be generated from a password and to duplicate the same key given the same parameters. If the encryption and decryption are used in different applications, a decision has to be made on how to pass the salt and iteration count to both applications, or to use the default. Listing 14-1 demonstrates a sample application for PBE, the key; using MD5, the digest; and using DES, the cipher.

Listing 14-1: The TestPBECiphers class: PBE cipher testing

 package com.richware.chap14;     import java.io.*; import java.math.BigInteger; import java.security.*; import javax.crypto.interfaces.*; import javax.crypto.spec.*; import javax.crypto.*; import sun.misc.*;     /**  * Class TestPBECiphers  * Description: This is an example to  * test the PBE ciphers.  *  * Copyright:    Copyright (c) 2002 Wiley Publishing, Inc.  * @author Rich Helton <rhelton@richware.com>  * @version 1.0  * DISCLAIMER: Please refer to the disclaimer at the beginning of this book.  */ public final class TestPBECiphers  {   /**    * Constructor TestPBECiphers    */   public TestPBECiphers() {}       /**    * Method main    * Description: This is a main test driver.    *    *    * @param args none    *    */   public static void main(String[] args)    {     try      {       /*        * Message to encrypt/decrypt        */       String message = "This is a test, hackers beware.";           /*        * Set the password        */       char[] Password = new char[8];       Password[0] = 'P';       Password[1] = 'a';       Password[2] = 's';       Password[3] = 's';       Password[4] = 'M';       Password[5] = 'e';       Password[6] = '2';       Password[7] = '1';           /*        * Create the key from the password        */       PBEKeySpec keySpec = new PBEKeySpec(Password);           /*        * Form the secret key factory        * for secretKey generation        */       SecretKeyFactory keyfactory =         SecretKeyFactory.getInstance("PBEWithMD5AndDES");           /*        * Generate the secret key        */       SecretKey secretkey = keyfactory.generateSecret(keySpec);       /*        * Create a base-64 encoder for displaying binary data.        */       BASE64Encoder encoder = new BASE64Encoder();           /*        * Create a byte array from the message.        */       byte[] messageBytes = message.getBytes("UTF8");           /*        * Create the cipher algorithms        * cipher is formatted algorithm/mode/padding or algorithm        */       Cipher cipher  = Cipher.getInstance("PBEWithMD5AndDES");       Cipher cipher2 = Cipher.getInstance("PBEWithMD5AndDES");           /*        * Encrypt the message with the secret key.        */       cipher.init(Cipher.ENCRYPT_MODE, secretkey);       byte[] encryptedMessage =         cipher.doFinal(messageBytes, 0, messageBytes.length);       System.out.println("Encrypted message:\n"                          + encoder.encode(encryptedMessage));           /*        * retrieve parameters generated by underlying cipher        * implementation        */       AlgorithmParameters algParams = cipher.getParameters();       Class               PBEClass  =         Class.forName("javax.crypto.spec.PBEParameterSpec");           /*        * get the PBEParameterSpec        * to read the salt and IterationCount        */       PBEParameterSpec spec =         (PBEParameterSpec) algParams           .getParameterSpec(PBEClass);           /*        * Get the salt and iteration generated by the cipher        * implementation        */       System.out.println("Salt:"                          + encoder.encode(spec.getSalt()));       System.out.println("IterationCount:"                          + spec.getIterationCount());           /*        * Decrypt the message with the secret key.        * PBE Decryption requires algorithm parameters        * The algorithm parameters include Salt and iteration        */       cipher2.init(Cipher.DECRYPT_MODE, secretkey, algParams);       byte[] decryptedMessage       =         cipher2.doFinal(encryptedMessage, 0,                         encryptedMessage.length);       String decryptedMessageString =         new String(decryptedMessage, "UTF8");       System.out.println("\nDecrypted message: "                          + decryptedMessageString);           /*        * Check that the decrypted message and the original        * message are the same.        */       if (decryptedMessageString.equals(message))        {         System.out.println("\nTest succeeded.");       }       else        {         System.out.println("\nTest failed.");       }     }         /*      * Catches      */     catch (Exception ex)      {       ex.printStackTrace();     }   } }

Table of content

Java Security Solutions

ISBN: 0764549286
EAN: 2147483647

Year: 2001
Pages: 222

Authors: Rich Helton, Johennie Helton

BUY ON AMAZON

Crystal Reports 9 on Oracle (Database Professionals)

A+ Fast Pass

The CISSP and CAP Prep Guide: Platinum Edition

Excel Scientific and Engineering Cookbook (Cookbooks (OReilly))

Microsoft VBScript Professional Projects

File System Forensic Analysis