Better way to create AES keys than seeding SecureRandom

by

No, the whole idea that you should use a SecureRandom for key derivation from static data is rather bad:

  1. SecureRandom‘s main function is to generate random values, it should not be used as a generator for a key stream;
  2. SecureRandom, when instantiated with "SHA1PRNG" does not implement a well defined algorithm, and the algorithm has actually be known to change, even from one Sun JDK to another;
  3. The Oracle provided implementation of "SHA1PRNG" uses the initial seed as only seed, others may just add the seed to the random pool.

Using "SHA1PRNG" as key derivation function has been known to produce issues on several versions of Android, and may fail on any other Java RE.

So what should you do instead?

  1. Use new SecureRandom() or even better, KeyGenerator to generate a truly random key, without seeding the random number generator if you need a brand new random key;
  2. Directly provide a byte[] of a known key to SecretKeySpec, or use a hexadecimal decoder to decode it from hexadecimals (note that String instances are hard to delete from memory, so only do this if there is no other way);
  3. Use PBKDF2 if you want to create a key from a password (use a higher iteration count than the one provided in the link though);
  4. Use a true Key Based Key Derivation Mechanism if you want to create multiple keys from one key seed, e.g. use HKDF (see below).

Option 4 would be preferred if the seed was generated by e.g. a key agreement algorithm such as Diffie-Hellman or ECDH.

Note that for option 3, PBKDF2, you would be wise to keep to ASCII passwords only. This is due to the fact that the PBKDF2 implementation by Oracle does not use UTF-8 encoding.

As for option 4, I’ve helped with adding all good KBKDF’s to the Bouncy Castle libraries so there isn’t a need to implement a KBKDF yourself if you can add Bouncy Castle to your classpath and/or list of installed security providers. Probably the best KBKDF at the moment is HKDF. If you cannot add Bouncy Castle to your classpath then you might want to use the leftmost bytes of SHA-256 output over the derivation data as a “poor man’s” KDF.

More Related Contents:

  1. Java 256-bit AES Password-Based Encryption
  2. Encrypt Password in Configuration Files? [closed]
  3. Given final block not properly padded
  4. Image encryption/decryption using AES256 symmetric block ciphers [closed]
  5. Java equivalent of an OpenSSL AES CBC encryption
  6. Java, How to implement a Shift Cipher (Caesar Cipher)
  7. Handling Java crypto exceptions
  8. How to encrypt or decrypt with Rijndael and a block-size of 256 bits?
  9. Using SHA1 and RSA with java.security.Signature vs. MessageDigest and Cipher
  10. How to decrypt an encrypted AES-256 string from CryptoJS using Java? [closed]
  11. javax.crypto.BadPaddingException
  12. How can I list the available Cipher algorithms?
  13. CryptoJS AES encryption and Java AES decryption
  14. Java equivalent of C++ encryption [duplicate]
  15. How are the IV and authentication tag handled for “AES/GCM/NoPadding”?
  16. Breaking down RSA/ECB/OAEPWithSHA-256AndMGF1Padding
  17. Java equivalent to C++ arrow [closed]
  18. java vs C++ in pre and post increment
  19. How to convert a letter to an another letter in Java [duplicate]
  20. How to call Java functions from C++?
  21. Converting a Java Keystore into PEM Format
  22. JSchException: Algorithm negotiation fail
  23. Selenium WebDriver: Wait for complex page with JavaScript to load
  24. Registering multiple keystores in JVM [duplicate]
  25. Tool to convert java to c# code [closed]
  26. How to compile dynamic library for a JNI application on linux?
  27. Too much data for RSA block fail. What is PKCS#7?
  28. Java openssl encryption / decryption key generation [duplicate]
  29. Algorithm – How to delete duplicate elements in a list efficiently?
  30. PKCS12 Java Keystore from CA and User certificate in java

Leave a Comment