tags:

views:

124

answers:

2
+1  Q: 

why should aes key be generated randomly ?

when you want to encrypt something dont you want the key to decrypt to be decided by you and not generator by some random number generator ?

i see this code in stackoverflow post. but i dont want the key to be generated randomly i want to the user to be asked to enter the key and on that bases the encryption should happen..

any suggestions how should i modify the code ?

SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec spec = new PBEKeySpec(password, salt, 1024, 256);
SecretKey tmp = factory.generateSecret(spec);
SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");
A: 

The whole idea of encryption is that noone except the needed parties can ever deduce the key since the key is the only secret.

If you choose keys yourself you're likely to follow some habitual pattern, so if you compomise one key you expose that pattern and the attacker can use that information to simplify finding other keys you use. Using a good random number generator eliminates this possibility and makes the encryption much more efficient.

sharptooth  2009-11-19 06:59:06
Also through random generation the key typically is picked in the full "key space" whereby with user defined keys, these are typically limited to letters and numbers.
mjv  2009-11-19 07:06:06
Well, you could compensate for that by asking a user for more letters and numbers and hashing the input to be of necessary width.
sharptooth  2009-11-19 07:08:14
Yes, that's exactly what the OP's code, using PBKDF2, does.
erickson  2009-11-19 07:24:53
A: 

The code you show doesn't generate a random key. The generated key is a function of the password, and will be exactly the same every time a given password is used.

In this case, the user should be asked to enter the password. That password is used as the seed for an algorithm that deterministically produces a string of bytes which can be used as a cryptographic key.

There is something that should be chosen randomly for each operation: the initialization vector used for ciphers in CBC mode. This produces different ciphertexts even when the same key is used to encrypt the same plaintext.

erickson  2009-11-19 07:17:58

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java