Exposing Salt and Iteration Count - PBE
Hi
I am doing a PBE using the JCE apis. There are two machines M1 and M2.
In M1 I do an encryption of a data string using a password, salt and iteration count. I pass the encrypted data string as one of the properties in a property file to M2, where I decrypt.
I just want to know if I can pass my salt and the iteration count also as part of the properties file. I can find some docs that say that the salt and the iteration count need not be kept secret.
Any help would be greatly appreciated.
Thanks in advance.
# 1
You don't do ENCRYPTION, you just do HASHING (a one-way process).
And yes, you needn't keep the salt and the iteration count private. You may store the salt together with the password and fix the iteration count at some value.
The purpose of salt is to prevent simultaneous attacks on all passwords (without salt: I guess password "123", compute its hash and look it up in the whole password table; is there any user with a matching password? With salt, this doesn't work).
# 4
Sorry, I didn't read it carefully. But the answer stays the same: The password is the only thing you must not reveal. Of course, a secret salt would make it more secure as it would effectively become a part of the password.
But this seems to me to be only important if the password is too simple. If you could ensure a strong password, then everything's ok. If you can't (e.g., it gets chosen by some BFUs), then there's a problem. Keeping the salt secret could mitigate it, but not solve it, as you would need to transfer it somehow from one machine to the other.
# 5
> ... I just want to know if I can pass my salt and the iteration count also as a part of the properties file...
Yes, they don't need to be secret. The salt is designed to prevent precomputed dictionary attacks. It just needs to be unpredictable. The iteration count 'c' is designed to make password guessing more expensive by a factor of 'c'. It also makes symmetric key generation slower by a factor of 'c'. Therefore, choose as large a value of 'c' as you can tolerate.
These help to mitigate, but not eliminate, some of the weaknesses associated with passwords.
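
The M1-to-M2 exchange discussed in this thread, as an added example that is not code from any of the posters: the salt, iteration count and IV travel in the properties file in the clear, and only the password stays out of it. The thread does not name an algorithm, so PBKDF2WithHmacSHA256 with AES/GCM is an assumption here, and the `pbe.*` property names and the passphrase are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

public class PbePropertiesDemo {
    // Both machines derive the same AES key from the secret password plus the public salt and count.
    static SecretKeySpec deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 128);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }
    // M1: fresh random salt and IV per encryption; everything except the password goes in the file.
    static Properties encrypt(char[] password, String data, int iterations) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt, iterations), new GCMParameterSpec(128, iv));
        Base64.Encoder b64 = Base64.getEncoder();
        Properties p = new Properties();
        p.setProperty("pbe.salt", b64.encodeToString(salt));
        p.setProperty("pbe.iterations", Integer.toString(iterations));
        p.setProperty("pbe.iv", b64.encodeToString(iv));
        p.setProperty("pbe.data", b64.encodeToString(c.doFinal(data.getBytes(StandardCharsets.UTF_8))));
        return p;
    }
    // M2: read the public parameters back; a wrong password or an edited salt, count, IV or
    // ciphertext makes doFinal throw AEADBadTagException instead of returning garbage.
    static String decrypt(char[] password, Properties p) throws Exception {
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(p.getProperty("pbe.salt"));
        int iterations = Integer.parseInt(p.getProperty("pbe.iterations"));
        GCMParameterSpec gcm = new GCMParameterSpec(128, b64.decode(p.getProperty("pbe.iv")));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt, iterations), gcm);
        return new String(c.doFinal(b64.decode(p.getProperty("pbe.data"))), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-passphrase".toCharArray(); // constructed; known to M1 and M2 only
        Properties p = encrypt(pw, "data string", 100_000);        // iteration count is an assumed value
        p.store(System.out, "salt, iteration count and IV are not secret");
        System.out.println(decrypt(pw, p));
    }
}
```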