I am working on a Java project where I have to ensure the confidentiality and integrity of the user password stored in the plaintext file.
To do this, I will write only the password hash in the file. In particular, I intend to write the password hash together with a random salt, to avoid rainbow and lookup tables. I also want to use key stretching with PBKDF2 to make the hash computation computationally expensive. Finally, I would like to use the keyed hashing algorithm HMAC for the ultimate level of protection.
I am trying to implement my ideas in Java code, and I found some examples of the operations I described above:
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Derive `bytes` bytes of key material from the password and salt with PBKDF2-HMAC-SHA1.
private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes)
        throws NoSuchAlgorithmException, InvalidKeySpecException
{
    // PBEKeySpec takes the key length in bits, hence bytes * 8
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
    SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    return skf.generateSecret(spec).getEncoded();
}
What I really can't understand is how to supply the secret key used by the HMAC algorithm, since it is not an input to the function. I looked through the Java documentation, but I cannot find an answer to my question.
At this point, I'm not sure whether I have correctly understood how this part of the mechanism works, so I would appreciate any help on this topic.