Can some point me in the right direction?
I'd like to use JCE/JCA to derive a new key from a master secret key, How can I achieve this?
Regards.
Deriving a secret from a master key using JCE/JCA
Asked Answered
The JCA provides standard password-based key derivation functions like PBKDF2 defined in PKCS#5 v2.0 and RFC 2898. This algorithm creates some random material from a master secret (a password) in order to generate a key suitable for a given cipher.
public byte[] deriveKey(String password, byte[] salt, int keyLen) {
SecretKeyFactory kf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec specs = new PBEKeySpec(password.toCharArray(), salt, 1024, keyLen);
SecretKey key = kf.generateSecret(specs);
return key.getEncoded();
}
public byte[] encrypt(String password, byte[] plaintext) {
byte[] salt = new byte[64];
Random rnd = new Random();
rnd.nextByte(salt);
byte[] data = deriveKey(password, salt, 192);
SecretKey desKey = SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(data));
Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, desKey);
return cipher.doFinal(plaintext);
}
Good sample. But keep in mind, that in this case (random salt) you need to remeber the salt for the decryption method. Because otherwise it will get hard to reverse it. One option woul be to return salt + '$' + cipher.doFinal(plaintext) (or use a fixed salt). –
Barbaraanne
If you're deriving a key from a master key, as opposed to deriving a key from a password, then you should use a key derivation function such as HKDF, not a password-based key derivation function such as PBKDF2. That's not insecure per se, but it's massively inefficient. Furthermore you should not use DES with CBC, that part is seriously obsolete (and already was in 2010) and insecure. –
Fever
© 2022 - 2024 — McMap. All rights reserved.