Password Verification with PBKDF2 in Java


Question

I'm doing password based file encryption in Java; I'm using AES as the underlying encryption algorithm and PBKDF2WithHmacSHA1 to derive a key from a salt and password combination using the following code (which I got from another generous poster on this site).

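import java.security.Key;
import java.security.spec.KeySpec;
import javax.crypto.*;
import javax.crypto.spec.*;
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec ks = new PBEKeySpec(password, salt, 1024, 128); // char[] password, byte[] salt, 1024 iterations, 128-bit output
SecretKey s = f.generateSecret(ks);                     // run PBKDF2
Key k = new SecretKeySpec(s.getEncoded(), "AES");       // wrap the derived bytes as an AES key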

I share the salt, the user enters their password at each end and encryption and decryption work fine :-) My problem is that I would like to be able to verify that the password the user enters is correct before embarking on the (potentially long) decryption process. I know the PBKD spec includes an optional 2 byte verification value but I'm not sure how to generate this value using the above approach. Does Java provide support for this or if not what would be a secure alternative?

Thanks for your time.

Recommended answer

Hey, thanks to crazy scot and Chris for their help. After doing some digging I decided to use the methods described on Dr Gladman's file encryption page for doing both password verification and message authentication. I believe this method, based on the PBKDF2 and a MAC, makes deriving the verification value from the password sufficiently expensive as to make it secure. Thanks again, and I hope this solution aids others.
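A sketch of the approach the answer describes, added here as an example; it is not code from the original post or from Dr Gladman's page. The class name is hypothetical, and the split of one PBKDF2 output into AES key, HMAC key and a 2-byte verifier is an assumption of this example; the iteration count and key size are the ones from the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PbkdfVerifyExample { // hypothetical class name
    static final int KEY_LEN = 16, ITERATIONS = 1024; // 128-bit key and count from the question
    final byte[] aesKey, macKey, verifier; // aesKey would go into new SecretKeySpec(aesKey, "AES")
    // One PBKDF2 run, split as: AES key | HMAC key | 2-byte verifier (layout assumed here).
    PbkdfVerifyExample(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, (2 * KEY_LEN + 2) * 8);
        byte[] out = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        aesKey = Arrays.copyOfRange(out, 0, KEY_LEN);
        macKey = Arrays.copyOfRange(out, KEY_LEN, 2 * KEY_LEN);
        verifier = Arrays.copyOfRange(out, 2 * KEY_LEN, 2 * KEY_LEN + 2);
        Arrays.fill(out, (byte) 0);
    }

    // Cheap early reject. A wrong password still matches about 1 time in 65536,
    // so the MAC over the ciphertext remains the authoritative check.
    boolean verifierMatches(byte[] stored) {
        return MessageDigest.isEqual(verifier, stored);
    }

    byte[] mac(byte[] ciphertext) throws Exception {
        Mac h = Mac.getInstance("HmacSHA1");
        h.init(new SecretKeySpec(macKey, "HmacSHA1"));
        return h.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Constructed stand-in for the AES output; the MAC is computed over ciphertext.
        byte[] ct = "constructed stand-in for AES ciphertext".getBytes(StandardCharsets.UTF_8);
        PbkdfVerifyExample enc = new PbkdfVerifyExample("correct horse".toCharArray(), salt);
        byte[] storedVerifier = enc.verifier, storedTag = enc.mac(ct); // stored alongside the salt
        for (String guess : new String[] {"correct horse", "wrong guess"}) {
            PbkdfVerifyExample dec = new PbkdfVerifyExample(guess.toCharArray(), salt);
            boolean early = dec.verifierMatches(storedVerifier);   // checked before decrypting
            boolean full = early && MessageDigest.isEqual(dec.mac(ct), storedTag);
            System.out.println(guess + ": verifier=" + early + " mac=" + full);
        }
    }
}
```

Because the verifier bytes come out of the same PBKDF2 run as the keys, testing a candidate password against the stored verifier costs a full key derivation.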
