Java passphrase encryption

Question

I\'m trying to learn how to do passphrase-based encryption with Java. I\'m finding several examples online, but none (yet) on Stack Overflow. The examples are a little lig

Answer 1

You could use a hash algorithm (multiple times if necessary) to get from the passphrase to some raw data you can use as a key (+ an initialisation vector if the algorithm calls for one).

Then you can use that key with any symmetric algorithm - such as 3DES-CBC or AES-CBC (DES is considered obsolete these days).

Depending on the JCE you have available you may have different algorithms at your disposal, but AES is probably what you want. Choice of algorithm and exactly how to use it is somewhat a religious issue, however, and you would be ill advised to try and roll your own, or even to try and build some encryption scheme of your own using standard algorithms. You will almost certainly get it wrong if you have not studied it, and maybe even if you have.

If the security is that important to you that you are considering encryption, then you should consider also looking at a security engineering book like Applied Cryptography by Bruce Schneier or Security Engineering by Ross Anderson - there are a lot of implementation pitfalls. For example, using a passphrase as a key is not that great an idea in the first place, as it essentially reduces the size of your key.

You could also look at designs that other people have done, there are lots at the IETF, e.g.: http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha1-00