CODEWITHSUNDEEP
javacryptographybouncycastlepbkdf2
leewin12
leewin12

Reputation: 1446

Reliable implementation of PBKDF2-HMAC-SHA256 for JAVA

UPDATED 2019: Bouncycastle now support PBKDF2-HMAC-SHA256 since bouncycastle 1.60

Is there any reliable implementation of PBKDF2-HMAC-SHA256 for JAVA?

I used to encrypt using bouncycastle but it does not provide PBKDF2WithHmacSHA256'.

I do not want to write crypto module by myself.

Could you recommend any alternative library or algorithm (if i can stick with bouncycastle)

(here are the algorithms that bouncycastle supports) http://www.bouncycastle.org/specifications.html

Upvotes: 27

Views: 42713

Answers (4)

jfk
jfk

Reputation: 5307

If you are having spring boot setup, it is available in crypto library

org.springframework.security.crypto.password.Pbkdf2PasswordEncoder

Pbkdf2PasswordEncoder pbkdf2PasswordEncoder = new Pbkdf2PasswordEncoder();
pbkdf2PasswordEncoder.encode(password)

Internally it uses PBEKeySpec with the advantage of that the parameters are autoconfigured. You can also set the parameters.

Also it uses random salt so that it is quire hard to break it. To check the match, use pbkdf2PasswordEncoder.matches(rawPassword, password);

Upvotes: 1

Guillaume Vincent
Guillaume Vincent

Reputation: 14811

Using spongycastle (java on android)

Replace spongycastle with bouncycastle if you are using bouncycastle on java directly

import org.spongycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.spongycastle.crypto.digests.SHA256Digest;
import org.spongycastle.crypto.params.KeyParameter;

public class Crypto {
    public String pbkdf2(String secret, String salt, int iterations, int keyLength) {
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest());
        byte[] secretData = secret.getBytes();
        byte[] saltData = salt.getBytes();
        gen.init(secretData, saltData, iterations);
        byte[] derivedKey = ((KeyParameter)gen.generateDerivedParameters(keyLength * 8)).getKey();    
        return toHex(derivedKey);
    }

    private static String toHex(byte[] bytes) {
        BigInteger bi = new BigInteger(1, bytes);
        return String.format("%0" + (bytes.length << 1) + "x", bi);
    }
}

Upvotes: 2

mjrduran
mjrduran

Reputation: 710

It is available in Java 8: 

public static byte[] getEncryptedPassword(
                                         String password,
                                         byte[] salt,
                                         int iterations,
                                         int derivedKeyLength
                                         ) throws NoSuchAlgorithmException, InvalidKeySpecException {
    KeySpec spec = new PBEKeySpec(
                                 password.toCharArray(),
                                 salt,
                                 iterations,
                                 derivedKeyLength * 8
                                 );

    SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");

    return f.generateSecret(spec).getEncoded();
}

Upvotes: 39

Pasi
Pasi

Reputation: 2664

Using BouncyCastle classes directly:

PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest());
gen.init("password".getBytes("UTF-8"), "salt".getBytes(), 4096);
byte[] dk = ((KeyParameter) gen.generateDerivedParameters(256)).getKey();

Upvotes: 40

Related Questions