tags:

views:

172

answers:

2
Q: 

Java SealedObject

I am encrypting an string with PBEWITHSHA256AND128BITAES-CBC-BC using SealedObject and write it to a file. After encrypting when i do a cat on the resulting file i i get read the salt used and the algorithm used in plain text even though the actual data is encrypted.

Doesn't that give crackers a head start? They know the salt and the algorithm with basically zero effort.

+1  A: 

The salt isn't secret. Its purpose is generally to prevent dictionary attacks.

Keeping the algorithm secret is security through obscurity, which is pretty much universally discouraged.

Laurence Gonsalves  2009-10-16 09:35:15
security through obscurity is when you are using a weak algorithm and expect it to be safe if it not known this is not exactly the case here. also AFAIK when salt is known it will only prevent rainbow table attacks you can still try to guess it.And during decryption i have to supply salt my self so it has no place in the SealedObject.
Hamza Yerlikaya  2009-10-16 12:01:47
A: 

When you use PBE (Password-Based Encryption), salt and iteration are just to make cracking more expensive. You only need to generate key once but guessers will have to try millions.

If you require salt to be secret, it defeats the purpose of the password. Password is something easy to remember but less secure. If you really worried about security, don't use password. Use a secret key.

Hiding salt is practically a double key scheme. In most cases, it doesn't make your cipher much stronger.

ZZ Coder  2009-10-16 14:28:11

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java