Question

I'm making a project about security in Java. The server receives a password and, with this password, is supposed to initialise a MAC to verify the consistency of one specific file.

Mac m;
SecretKey sk;
sk = KeyGenerator.getInstance("AES").generateKey(); /* what I don't want to use */
byte[] mac = null;
m = Mac.getInstance("HmacSHA1");
m.init(password); /* it's wrong */
m.update("work of security".getBytes());
mac = m.doFinal();

What I can't understand is how to define a SecretKey for Mac.init()...


Solution

The two typical methods used to derive an AES key from a password are:

  1. Using the raw bytes of the password. This option is not very strong (subject to trivial dictionary attacks) and relies on the password being exactly 128/192/256 bits.

  2. Deriving the key using a function, such as PBKDF2.

You need to find out how the key is derived. The two options in code are:

Raw Bytes

SecretKey aesKey = new SecretKeySpec(password.getBytes(someCharset), "AES");

Derivation Function

Example PBKDF2:

SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
SecretKey aesKey = factory.generateSecret(new PBEKeySpec(password, salt,
      iterations, 256));

The salt value is a random byte array (e.g. eight bytes). The iterations can be increased to improve security at the expense of performance.
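To show the second option end to end for the asker's actual goal (an HMAC over file contents rather than an AES key), here is an added example that is not part of the original answer: it derives the key with PBKDF2, initialises the Mac with a SecretKeySpec, and verifies a tag in constant time. It uses the SHA-256 variants of both algorithms and a constructed sample password and payload; class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordMacExample {
    // PBKDF2 parameters: random per-key salt stored beside the MAC; iterations is a work factor.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Derive a MAC key from the password with PBKDF2. PBEKeySpec takes a char[],
    // not a String, so the password copy can be cleared afterwards.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // zero the password copy held by the spec
        }
    }

    // HMAC-SHA256 over the data; the SecretKeySpec algorithm matches the Mac algorithm.
    static byte[] computeMac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    static boolean verify(byte[] key, byte[] data, byte[] expected) throws Exception {
        return MessageDigest.isEqual(computeMac(key, data), expected);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        char[] password = "correct horse".toCharArray();                  // constructed sample
        byte[] data = "work of security".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] key = deriveKey(password, salt);
        byte[] tag = computeMac(key, data);
        System.out.println("original verifies: " + verify(key, data, tag));
        byte[] tampered = "work of insecurity".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered verifies: " + verify(key, tampered, tag));
    }
}
```

For a real file, feed the bytes to Mac.update() in chunks instead of loading them all into one array.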

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow