
Key-Derivation #11

Open
karheinz opened this issue Apr 5, 2015 · 6 comments

Comments


karheinz commented Apr 5, 2015

Hi!

Is it correct that the encryption key is derived from the password by this method (CipherUtils)?

```java
public static String getKey(String password) throws NoSuchAlgorithmException {
    for (int i = 0; i < 1000; ++i) {
        password = SHA256(password);
    }
    return password.substring(0, 16);
}
```

This is bad! You should use at least PBKDF2 with a high number of iterations.
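As an added illustration of the point above (example code, not code from MyPasswords), the questioned derivation is re-implemented in Python next to a salted PBKDF2 derivation, so the two can be compared on the same input. It assumes the Java `SHA256()` helper returns a lowercase hex string; the salt size and iteration counts are values chosen for this example.

```python
import hashlib
import math
import secrets


def weak_key(password: str, rounds: int = 1000) -> str:
    # Mirror of the questioned CipherUtils.getKey(): hash the password
    # `rounds` times with unsalted SHA-256, hex-encoded after every round
    # (assumption: that is what the Java SHA256(String) helper does),
    # then keep only the first 16 hex characters.
    for _ in range(rounds):
        password = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return password[:16]


def weak_key_bits(key: str) -> float:
    # Effective key space of the derived string: every character is one
    # of 16 hex digits, so 16 characters give 16**16 = 2**64 values,
    # not the 2**128 that an AES-128 key of 16 arbitrary bytes would have.
    # There is also no salt, so equal passwords always give equal keys.
    return len(key) * math.log2(16)


def new_salt(length: int = 16) -> bytes:
    # Per-entry random salt to store alongside the ciphertext.
    return secrets.token_bytes(length)


def pbkdf2_key(password: str, salt: bytes,
               iterations: int = 600_000, length: int = 16) -> bytes:
    # Salted, iterated PBKDF2-HMAC-SHA256 returning `length` raw key bytes
    # (16 bytes = a full AES-128 key). The iteration count is the work
    # factor and should be raised as hardware gets faster.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=length)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    k_weak = weak_key(pw)
    print(k_weak, f"{weak_key_bits(k_weak):.0f} bits of key space, no salt")
    salt = new_salt()
    print(pbkdf2_key(pw, salt).hex(), "from PBKDF2 with salt", salt.hex())
```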


ehsun7b commented Apr 6, 2015

Hi, no it is not correct.
By the way, are you asking about MyPasswords 2.x or MyPasswords 3.0?

Ehsun Behravesh
http://www.ehsunbehravesh.com
http://ehsun7b.blogspot.com
http://www.google.com/profiles/ehsun7b



ehsun7b commented Apr 6, 2015

MyPasswords 3.0 key derivation is not done yet. It will be implemented in native code. In case you are asking about MyPasswords 2.0, which is not hosted here, it is not the case for key derivation.

@ehsun7b ehsun7b closed this as completed Apr 6, 2015

karheinz commented Apr 7, 2015

What is meant with native code?

I took a look at MyPasswords 2.* and it's worse there. The AES key there is built out of the first 8 bytes of the password:

AES key (16 bytes) = (first 8 bytes of the password) | (first 8 bytes of the password)

@ehsun7b ehsun7b reopened this Apr 8, 2015

ehsun7b commented Apr 8, 2015

Native code means in a native dynamic library, so it cannot be decompiled: a .dll/.so/.dylib file.

Yes, in MyPasswords 2.x it was like that, but it will not be the same in MyPasswords 3.0.

@ehsun7b ehsun7b closed this as completed Apr 8, 2015

karheinz commented Apr 8, 2015

Keeping the algorithm secret does not lead to more security. "The enemy knows the system."

http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Btw, memory can be disassembled (e.g. with GDB). Somebody will do this, for sure.


ehsun7b commented Apr 8, 2015

You are right, but as I said earlier, MyPasswords 3.0 is not ready and the key derivation part is still a prototype; it is not implemented yet. Please report bugs after the release ;) MyPasswords 3.0 is not released yet.
Thanks for your time.

@ehsun7b ehsun7b reopened this Apr 8, 2015