Tuesday, May 10, 2011

Re: [android-developers] Re: hash functions

No -- I've always been fortunate enough to have Bouncy Castle or similar packages available, and haven't had to implement it myself. I *have* implemented similar things in the distant past before we knew quite as much about the problems and solutions. I.e. with a salt, with an insecure hash function, without iteration. We're talking pre-RSA here. (I have an original copy of the original RSA paper, which I obtained prior to the NSA's attempt at getting it banned!).

My goal wasn't to explain how to code it, but rather how it works, so you understand, for example, the role of the salt (so you use a SecureRandom to generate it, not some constant!) and the role of the iteration count, so you know how to set that to something reasonable -- i.e., not "1" like on the Blackberry.

I highly recommend not coding it yourself, unless you're undertaking a serious study of cryptography. Otherwise, it's a waste of time and potential source of bugs, even though it's not all that complicated.

On Tuesday, May 10, 2011 9:00:58 PM UTC-7, Nikolay Elenkov wrote:
On Wed, May 11, 2011 at 7:34 AM, Bob Kerns <r...@acm.org> wrote:

> More precisely, you iterate this:
> hash = f(hash)
> where f is some function that is expensive, and does not collapse the space
> of possible values into some smaller set. One way to accomplish this would
> be:
> f(hash) = hash <xor> sha1(hash).
> I went with SHA1 above, because I want to tie this to PBKDF2, which Nikolay
> referenced.

Do you mean you implemented this yourself? Not that it's too hard to do, but
Android has the Bouncy Castle JCE provider, so all you have to do is usually:

// password is a char[], salt is a byte[], keyLen is in bits
SecretKeyFactory factory = SecretKeyFactory.getInstance(KEYGEN_ALGORITHM);
KeySpec keySpec = new PBEKeySpec(password, salt, numIterations, keyLen);
SecretKey key = factory.generateSecret(keySpec);

where KEYGEN_ALGORITHM is a supported PBE algorithm.

