Question

Is this a good implementation of PBKDF2? https://crackstation.net/hashing-security.htm#javasourcecode

I'm not sure that it is a good idea to store passwords like: pass = PBKDF2_ITERATIONS + ":" + toHex(salt) + ":" + toHex(hash);

Is there some other implementation?


Solution

Cryptography based on secrecy will never work for any measurable duration of time.

When implementing a KDF like PBKDF#2 certain parameters are allowed to be known by the "public" as they are essential for proper usage. Being cryptic in your returned password isn't going to deter attackers for any measurable amount of time because you have to assume that they can reverse engineer your software with ease (let's face it, if they're going up against PBKDF#2, they probably can).

Not including the iteration count anywhere is like not including the salt or hash; at the same time, the value for the iteration count is as safe to transmit as the salt and hash. And working on the principle that attackers can reverse engineer your code, colon or no colon isn't some barrier in their way, they will find out eventually anyway.

Regarding whether Java's PBKDF#2 is "good", I cannot give any solid facts on that. But considering it's one of the most important cryptographic functions within the Java crypto library, I would assume it to be one of the best implementations possible in Java (not considering 3rd party libraries that make use of hardware-accelerated native code, that's cheating).

Licensed under: CC-BY-SA with attribution