I am using password-based encryption. My initial thought was to use AES to encrypt the file which contains passwords. Turns out password-based encryption does not support AES. It uses DES. AFAIK DES is not secure. Is PBEWithMD5AndDES secure enough to trust my data or should I look for another implementation?

A: 

You should not be keeping the passwords in any form other than salted hash digests.

You should then use the operating system permission system to make it such that the hashed password file is only readable by the user which validates passwords.

Ben S
It is a personal application to store passwords. A toy password manager.
Hamza Yerlikaya
+1  A: 

It appears from your comments that what you would like to do is encrypt a file which contains sensitive information, using a password-based encryption scheme, with a password provided by the user at decrypt-time. The sensitive information in this case also happens to be passwords, but that isn't really relevant. (You should probably update the question to make this more clear).

You are doing the right thing - your problem is just that the SunJCE Java cryptography provider doesn't support AES for password-based encryption. You need to use an alternative provider which does: for example, you could use the Bouncy Castle provider with the algorithm "PBEWITHSHA256AND128BITAES-CBC-BC". (Despite the whimsical name, Bouncy Castle is well-respected).

As for "is DES secure enough for my data", well if the data you're protecting would be worth less than roughly $10,000 to an attacker, it's probably just secure enough - otherwise, no.

caf
+1  A: 

If you have Java 6 available, everything you need is available. Check out this question and look at the accepted answer for a code sample. Since you want to encrypt files, the IV that is generated should be prepended to the file you are writing the ciphertext to, so that it is available during the decryption.

jkf