https://stackoverflow.com/questions/17773701
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPassword-based encryption takes a password, as the term implies. Passwords are run through a key derivation function to obtain the actual key. As a KDF is typically constructed from a hash function, the password may be of any length and contain any characters.
Passwords have to be run through a KDF because typical passwords don't contain anywhere near enough entropy to be considered secure against brute force attacks. A KDF substitutes this lack of "key space" depth with computationally expensive key derivation – hence the thousands of iterations. The disadvantage is the fact that initializing the cipher is also expensive.
This is a tradeoff well worth it if passwords are required instead of raw keys. However, in your case it would be a better idea to use the raw key. Unfortunately it seems that the Jasypt library you are using only supports PBE.
To contain at least 256 bits of entropy (as much as a raw random 256-bit key), the password has to contain at least 43 random (case-sensitive) alphanumeric characters. If you pick a password that long, you can probably lower the iteration count to 1.
It seems pretty odd to me that you have to think through all this even though you are using a library that you are supposed to be able to use "without the need of having deep knowledge on how cryptography works". Why does it expose all the ugly details if users aren't supposed to know what they are?
