Hamza Yerlikaya

Reputation: 49339

Java SealedObject

I am encrypting a string with PBEWITHSHA256AND128BITAES-CBC-BC using SealedObject and writing it to a file. After encrypting, when I do a cat on the resulting file I can read the salt used and the algorithm used in plain text, even though the actual data is encrypted.

Doesn't that give crackers a head start? They know the salt and the algorithm with basically zero effort.

Upvotes: 0

Views: 1307

Answers (2)

ZZ Coder

Reputation: 75496

When you use PBE (Password-Based Encryption), the salt and iteration count are just there to make cracking more expensive. You only need to generate the key once, but guessers will have to try millions.

If you require the salt to be secret, it defeats the purpose of the password. A password is something easy to remember but less secure. If you are really worried about security, don't use a password. Use a secret key.

Hiding the salt is practically a double-key scheme. In most cases, it doesn't make your cipher much stronger.

Upvotes: 0

Laurence Gonsalves

Reputation: 143314

The salt isn't secret. Its purpose is generally to prevent dictionary attacks.

Keeping the algorithm secret is security through obscurity, which is pretty much universally discouraged.

Upvotes: 1
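The following is an added example, not code from the question or either answer. It reproduces what the question observes and what both answers argue: a serialized `SealedObject` carries the cipher name and the DER-encoded PBE parameters (salt, iteration count, IV) in the clear next to the ciphertext, the plaintext itself is not recoverable from the file, and the same password with two different salts yields unrelated derived keys, which is why a public salt still defeats precomputed dictionaries. It assumes a standard JDK and uses the built-in `PBEWithHmacSHA256AndAES_128` cipher as a stand-in for the BouncyCastle `PBEWITHSHA256AND128BITAES-CBC-BC` name in the question (which needs the BC provider on the classpath); the password, the secret string and the two salts are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class SealedObjectSaltDemo {

    // Built-in SunJCE PBE cipher, assumed here as a stand-in for the BouncyCastle
    // name used in the question; both store salt and iteration count the same way.
    static final String PBE_ALG = "PBEWithHmacSHA256AndAES_128";

    static SecretKey pbeKey(char[] password) throws Exception {
        // The factory only wraps the password; the cipher derives the real key
        // from password + salt + iteration count when it is initialised.
        return SecretKeyFactory.getInstance(PBE_ALG).generateSecret(new PBEKeySpec(password));
    }

    /** Seals the text; returns {serialized SealedObject bytes, salt the cipher chose}. */
    static byte[][] seal(String plaintext, char[] password) throws Exception {
        Cipher cipher = Cipher.getInstance(PBE_ALG);
        // No AlgorithmParameterSpec given: SunJCE picks a random salt and IV.
        cipher.init(Cipher.ENCRYPT_MODE, pbeKey(password));
        byte[] salt = cipher.getParameters().getParameterSpec(PBEParameterSpec.class).getSalt();

        // SealedObject keeps encryptedContent plus sealAlg, paramsAlg and the
        // DER-encoded parameters (salt, iteration count, IV) unencrypted.
        SealedObject sealed = new SealedObject(plaintext, cipher);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(sealed);
        }
        return new byte[][] { bos.toByteArray(), salt };
    }

    static String unseal(byte[] serialized, char[] password) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
            SealedObject sealed = (SealedObject) ois.readObject();
            // getObject(Key) rebuilds the cipher from the stored algorithm name and
            // encoded parameters, so only the password has to be supplied here.
            return (String) sealed.getObject(pbeKey(password));
        }
    }

    /** Naive byte-substring search, enough to inspect a small serialized blob. */
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    /** Same password, different salts: PBKDF2 yields unrelated keys, so a table
     *  precomputed for one salt is useless against another. */
    static boolean saltChangesKey(char[] password, byte[] saltA, byte[] saltB) throws Exception {
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyA = kdf.generateSecret(new PBEKeySpec(password, saltA, 100_000, 128)).getEncoded();
        byte[] keyB = kdf.generateSecret(new PBEKeySpec(password, saltB, 100_000, 128)).getEncoded();
        return !Arrays.equals(keyA, keyB);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        String secret = "account number 12345678";                      // constructed sample

        byte[][] out = seal(secret, password);
        byte[] serialized = out[0];
        byte[] salt = out[1];

        // What a `cat` of the file would show, and what it would not.
        System.out.println("algorithm name visible : " + contains(serialized, PBE_ALG.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("salt bytes visible     : " + contains(serialized, salt));
        System.out.println("plaintext visible      : " + contains(serialized, secret.getBytes(StandardCharsets.UTF_8)));
        System.out.println("round trip ok          : " + secret.equals(unseal(serialized, password)));

        try {
            unseal(serialized, "wrong password".toCharArray());
            System.out.println("wrong password: decrypted?!");
        } catch (Exception e) {
            // A wrong key surfaces as InvalidKeyException (bad padding) or a
            // corrupted object stream; knowing the salt did not help.
            System.out.println("wrong password rejected: " + e.getClass().getSimpleName());
        }

        byte[] saltA = new byte[16];                                           // constructed
        byte[] saltB = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 }; // constructed
        System.out.println("salt changes derived key: " + saltChangesKey(password, saltA, saltB));
    }
}
```

Compile and run with `javac SealedObjectSaltDemo.java && java SealedObjectSaltDemo`; the first two checks print `true`, the plaintext check prints `false`, and the wrong-password attempt is rejected. The visible parameters are exactly what the decrypting side needs to rebuild the cipher, which is why `SealedObject` stores them; the only thing an attacker gains from them is the ability to start guessing passwords, and the iteration count is what makes each guess expensive.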
