
Password digesting in Java

  • 23-02-2008 2:57pm
    #1
    Registered Users Posts: 17,515 ✭✭✭✭


    Hey all. I am currently writing a program for a college project involving file transfer over FTP combined with variable key-length encryption. I just have a few design questions which I can't really figure out.

    Essentially, when processing the encryption key in the program, I want the user to be able to enter it in password style, e.g. a one-word password as opposed to a hex value (which would be more straightforward from a coding pov). This will also be combined with the user selecting a key length (64, 128, 256, 512 or 1024-bit) to be used in the encryption process.

    I decided it would probably be better to do something with the combined password and key length, such as MD5 hashing, and just send the hash output to the encryption subroutines, as opposed to sending down two different values. However, most hashing functions only offer between 64 and 320-bit outputs. Is there anything (preferably part of the API) that could convert a string/byte array of no particular size to another string/byte array of a length defined during run-time?

    MD5 may be overkill, as simple string conversion is my no.1 priority as opposed to one-way encryption. Also, since the output would be representing an encryption key, no patterns should be allowed, so e.g. simply sticking the same 64-bit string together 4 times to make a 256-bit string is out of the question.


Comments

  • Closed Accounts Posts: 413 ✭✭sobriquet


    > key length (64, 128, 256, 512 or 1024-bit) to be used in the encryption process.

    Well, if you're willing to forgo the 1024 length, SHA512 could work for you. Pretty sure I recall the Java standard library supporting it for message digests, it's been years though. This seems to be a match.

    > Is there anything (preferably part of the API) that could convert a string/byte array of no particular size to another string/byte array of a length defined during run-time?
    > [...]
    > simply sticking the same 64-bit string together 4 times to make a 256-bit string is out of the question

    Well, like you say you can stretch a string by wrapping it n times, but that has obvious problems. You could add in some entropy source, whatever the Java stdlib equivalent of /dev/random is, but that won't be repeatable (we hope).

    Another option is to take chunks of the password or passphrase in a manner repeatable in your code and join those. That is, the md5sum of 'password' is 286755fad04869ca523320acce0dc6a4; the sum of 'assword' is ecb72db344a38c49eddeb96e105a5f83 and so on. This might suffice for your purposes.

    Still, it's not overall going to make your program more secure if the password is weak. An attacker needs to simply repeat the same process for a given password in a brute force attack, and could discover the process from your code.

    It's been ages since I looked up any crypto related stuff, but there's loads out there, and it's worth digging.


  • Registered Users Posts: 17,515 ✭✭✭✭Mr. CooL ICE


    Cheers sobr. I shall use a variation on your idea:

    64-bit: MD5 sum cut in half
    128-bit: MD5 sum
    256-bit: SHA-256 sum
    512-bit: SHA-512 sum
    1024-bit: SHA-512 sum concatenated with the SHA-512 sum of the inverse of the password



    I may have a few more design questions which I shall just stick in here to keep things tidy :)
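
Added example, not part of the thread or written by either poster: the question of turning a password into a key whose length is chosen at run time is what PBKDF2 in the Java standard library (`SecretKeyFactory` with `PBEKeySpec`) does, with a stored random salt giving the repeatability that a raw entropy source lacks and an iteration count slowing the brute-force attack mentioned above. The class name, iteration count, salt size and sample password are assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordKeyDemo {
    // Assumed work factor for this example; tune it to the target hardware.
    static final int ITERATIONS = 200_000;

    // Derives keyBits bits from the password. The same password, salt and
    // length always give the same bytes, so the receiver can repeat it.
    static byte[] deriveKey(char[] password, byte[] salt, int keyBits)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, keyBits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "correct horse".toCharArray(); // constructed sample
        // Random per-file salt: not secret, stored or sent with the ciphertext.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // The key lengths offered in the original question.
        for (int bits : new int[] {64, 128, 256, 512, 1024}) {
            byte[] key = deriveKey(password, salt, bits);
            System.out.printf("%4d-bit key = %d bytes%n", bits, key.length);
        }

        // Repeatable for the same salt, unrelated for a different one.
        byte[] first = deriveKey(password, salt, 256);
        byte[] otherSalt = new byte[16];
        new SecureRandom().nextBytes(otherSalt);
        System.out.println("same salt gives same key: "
                + Arrays.equals(first, deriveKey(password, salt, 256)));
        System.out.println("new salt gives same key:  "
                + Arrays.equals(first, deriveKey(password, otherSalt, 256)));
    }
}
```

With one salt, a shorter PBKDF2 output is a prefix of a longer one, so generate a fresh salt for every file rather than reusing it across key lengths.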

