How do I create a key pair in Java based on a password?
I want to allow Alice to create a public / private key pair so that Bob can send her confidential messages However, I hope Alice can check her messages from anywhere, and it's painful for her to carry a memory stick containing her private key Does Alice have a way to create a public / private key pair based on the password she remembers? In this way, she can generate the private key (and public key) at any time
A short version of this question is: where can I find the equivalent of crypto JS Java
In addition, here's the same question is on stack overflow, but for JavaScript
Editor: This is my first attempt at a solution:
SecureRandom saltRand = new SecureRandom(new byte[] { 1,2,3,4 }); byte[] salt = new byte[16]; saltRand.nextBytes(salt); int keyLength = 3248; SecretKeyFactory factory = SecretKeyFactory .getInstance("PBKDF2WithHmacSHA1"); KeySpec spec = new PBEKeySpec(password.tocharArray(),salt,8192,keyLength); SecretKey key = factory.generateSecret(spec); SecureRandom keyGenRand = SecureRandom.getInstance("SHA1PRNG"); keyGenRand.setSeed(key.getEncoded()); KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); gen.initialize(keyLength,keyGenRand); java.security.KeyPair p = gen.generateKeyPair();
Solution
When talking about RSA: you can use the results of pbkdf2 to seed the pseudo-random number generator, which in turn can be used to generate key pairs Note that using securerandom will not work because it will add seeds to the pool instead of completely reinitializing RNG RSA needs PRNG to find random primes
If you can use elliptic curve cryptography, you will be better You can select standard NIST or brainpool curves on f (P) You can then use the 32 - byte output of pbkdf2 as the private key and calculate the public key ECC only needs a random private key, because the output of pbkdf2 should be indistinguishable from random Not only do you need additional PRNG, you can also save yourself time calculating RSA key pairs – which can be very important
Please note that nothing can prevent violent attacks on the content encrypted with the calculation key, so you'd better require a password of 16 characters or more, including non dictionary words, numbers and symbols Anything is unlikely to fail, especially if the user is not aware of possible attacks Please note that if you do not have storage space, you cannot use random salt If you can't use random salt, you can't defend against the rainbow table (for your specific application, you can certainly use application specific salt) In addition, people with the same password will generate the same private key
Of course, the default - for example, in PGP - is to store the private key encrypted using password - based encryption However, this requires storage The advantage of this method is that you can have a completely random key, which means that if you don't access the key store, you can't attack the ciphertext violently It adds an important extra layer