How to encrypt and salt the password using BouncyCastle API in Java?

Question

I am fairly new to cryptography and I am using BouncyCasetle API to encrypt password and store it in the database. For encryption I am using SHA-1 algorithm and I want to salt the password to prevent it agains dictionary attacks.

Any help would be appreciated.

Answer 1

I'd recommend use of a Password-Based Key Derivation Function instead of a basic hash function for this. Something like this:

// tuning parameters

// these sizes are relatively arbitrary
int seedBytes = 20;
int hashBytes = 20;

// increase iterations as high as your performance can tolerate
// since this increases computational cost of password guessing
// which should help security
int iterations = 1000;

// to save a new password:

SecureRandom rng = new SecureRandom();
byte[] salt = rng.generateSeed(seedBytes);

Pkcs5S2ParametersGenerator kdf = new Pkcs5S2ParametersGenerator();
kdf.init(passwordToSave.getBytes("UTF-8"), salt, iterations);

byte[] hash =
    ((KeyParameter) kdf.generateDerivedMacParameters(8*hashBytes)).getKey();

// now save salt and hash

// to check a password, given the known previous salt and hash:

kdf = new Pkcs5S2ParametersGenerator();
kdf.init(passwordToCheck.getBytes("UTF-8"), salt, iterations);

byte[] hashToCheck =
    ((KeyParameter) kdf.generateDerivedMacParameters(8*hashBytes)).getKey();

// if the bytes of hashToCheck don't match the bytes of hash
// that means the password is invalid

Answer 2

Well what you could do is get a:

StringBuilder salt=new StringBuilder();
salt.append("MySuperSecretSalt");
MessageDigest md = MessageDigest.getInstance("SHA-256");
String text = "This is text to hash";
salt.append(text);    
md.update(salt.toString().getBytes("UTF-8")); // Change this to "UTF-16" if needed
byte[] digest = md.digest();

Your, digest now contains the hash of your string+salt so it help with protecting against rainbow tables.