Re: [android-developers] Anyone got an example using CipherInputStream and PBE to work ?
On Mon, Oct 3, 2011 at 4:40 AM, Kostya Vasilyev <kmansoft@gmail.com> wrote:
> I wonder if you're allowed to reuse the same key (declared as "final")
> between encoding and decoding.
> Other than that, and Nikolay's advice, here is what I do:
>
> private static final byte[] SALT = { ... };
Using a static blob as the salt kind of defeats the purpose (to make it harder to
pre-calculate keys and to ensure that the same password doesn't produce the
same key every time it's used). Ideally, you should use a separate, randomly
generated salt for each message you encrypt. The salt itself is not a secret,
so it's OK to append it to the encrypted message as is.
> private static final int COUNT = 10;
That count is a bit low. The original PKCS#5 recommends 1000; if that is too
slow on Android you might want to adjust it, but 10 is certainly too low.
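The advice in the reply above, as an added example that is not part of the original thread: each message gets a fresh random salt, stored in the clear next to the ciphertext, and the iteration count is the 1000 the reply cites from PKCS#5. The class name, the PBKDF2WithHmacSHA1 and AES/CBC choices, the random IV and the salt-then-IV-then-ciphertext layout (the salt is placed in front so a stream reader can derive the key before decrypting) are assumptions of this sketch.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class PbeSaltExample {
    // COUNT = 1000 is the PKCS#5 figure from the reply; raise it as far as the device tolerates.
    static final int SALT_LEN = 16, IV_LEN = 16, COUNT = 1000, KEY_BITS = 128;

    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, COUNT, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
    }

    static byte[] encrypt(char[] password, byte[] plain) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);                       // new salt for every message
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(salt);                           // salt and IV are not secret
        out.write(iv);
        try (CipherOutputStream cos = new CipherOutputStream(out, c)) {
            cos.write(plain);
        }
        return out.toByteArray();
    }

    static byte[] decrypt(char[] password, byte[] message) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(message));
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        in.readFully(salt);                        // recover the per-message salt first
        in.readFully(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        try (CipherInputStream cis = new CipherInputStream(in, c)) {
            byte[] buf = new byte[4096];
            for (int n; (n = cis.read(buf)) != -1; ) plain.write(buf, 0, n);
        }
        return plain.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-password".toCharArray();  // constructed sample input
        byte[] msg = "hello".getBytes("UTF-8");
        byte[] a = encrypt(pw, msg), b = encrypt(pw, msg);
        System.out.println("same ciphertext twice: " + Arrays.equals(a, b));
        System.out.println("round trip: " + new String(decrypt(pw, a), "UTF-8"));
    }
}
```

Encrypting the same text twice with the same password yields different output, because the salt (and therefore the derived key) differs per message.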