Friday, July 6, 2007

How Java Cryptography Extension works - Password Based encryption Concept

In my last post I discussed about the basic API's to be used for encrypting and decrypting the data. For encrypting/decrypting data you need to have a key, in that case key needs to be stored in the system. In the password based encryption you provide the key at the encryption/decryption time manually because you remeber the key. The more complicated the password is more powerful the encryption will be. It can not be as strong against the attack as the one we generate using the API's but it can be good for encrypting data which you are going to decrypt at other end since you know the password.

Note: Password is first hashed to be used as a key not directly used as a plain text.

Ex: Key generated by API for 3DES encryption will have 2^168 many possibilities. While a normal person password length is 6-8 characters which comes to 26^6 or 26^8. I have taken 26 because there are 26 characters in the english alphabet, if you add numbers and special character it will be little higher but still no where close to the key generated by API.

To overcome the problem I mentioned above there are options to increase the security of the password based key

1) Salt: This is the extra random bits added to the password for generating key to encrypt/decrypt the data. These random bits are appended (base64 encoded) with the encrypted data in plain text so it can be used again for decryption. Each time data is encrypted new Salt is added for flavour.

2) Iteration Count
The iteration count is an attempt to increase the time that an attacker will have to spend to test possible passwords. If we have an iteration count of a thousand, we need to hash the password a thousand times, which is a thousand times more computationally expensive than doing it just once. So now our attacker will have to spend 1000 times more computational resources to crack our password-based encryption.

BASE64 Encoding

Binary data is typically stored in bytes of 8-bits. Standard ASCII is only 7 bits though, so if we want to display binary as ASCII, we're going to lose at least one bit per byte. BASE64 encoding is a way of overcoming this problem. 8-bit bytes are converted to 6-bit chunks and then into characters. Six bits are used so that some control characters can be used indicating when the data ends. The encoded characters can then be displayed on the screen and converted back into binary with no difficulty. Of course, since we're moving from an 8-bit chunk to a 6-bit chunk, we're going to have more chunks - 3 bytes becomes 4 characters and vice-versa.

Encryption using PBE

Decryption using PBE

I will give the example of PBE in another post.

I took part of the information in this post from

No comments: