I'm working on a Java authentication subsystem that specs the storage of passwords in the DB as PBKDF2
-generated hashes, and I'm now trying to decide whether I should use SHA1
or SHA512
as PRF. I went through the specs of both but they are very mathematically intensive for me to follow. Can somebody with better crypto-understanding explain how PBKDF2WithHmacSHA512
differs from PBKDF2WithHmacSHA1
?
Here's what I'm trying to do:
private static final int HASH_BYTE_SIZE = 64 * 8; // 512 bits
private static final int PBKDF2_ITERATIONS = 1000;
// generate random salt
SecureRandom random = new SecureRandom();
byte salt[] = new byte[SALT_BYTE_SIZE]; // use salt size at least as long as hash
random.nextBytes(salt);
// generate Hash
PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); // we would like this to be "PBKDF2WithHmacSHA512" instead? What Provider implements it?
byte[] hash = skf.generateSecret(spec).getEncoded();
// convert hash and salt to hex and store in DB as CHAR(64)...
Let us breakdown the word piece by piece:
PBKDF2--WithHmac--SHA512
Let's go over it part by part
Stands for Password-based-Key-Derivative-Function, a successor of PBKDF1 and is used to implement a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations.
HMAC
Stands for Keyed-Hash Message Authentication Code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. Any cryptographic hash function,may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly.
SHA512
Well, you know about it.. :P
Now, coming back to your question, the line of code:
SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
specifies the keyFactory to use the algorithm PDBKDF2WithHmacSHA1
. When you would do something like:
SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
you tell the factory to use algorithm PBDKF2WithHmacSHA512
.
Essentialy the main difference between PBKDF2WithHmacSHA1
and PBKDF2WithHmacSHA512
is that:
PBKDF2WithHmacSHA1
will produce a hash length of 160 bits.PBKDF2WithHmacSHA512
will produce a hash length of 512 bits.Hence the latter is more secure. But there are arguments on both sides as to which is sufficient for encryption. No debate. Just saying.
Some additional information about the two algorithms:
HMACSHA1
HMACSHA1 is a type of keyed hash algorithm that is constructed from the SHA1 hash function and used as an HMAC, or hash-based message authentication code. The HMAC process mixes a secret key with the message data, hashes the result with the hash function, mixes that hash value with the secret key again, and then applies the hash function a second time. The output hash is 160 bits in length.
HMACSHA512
HMACSHA512 is a type of keyed hash algorithm that is constructed from the SHA-512 hash function and used as a Hash-based Message Authentication Code (HMAC). The HMAC process mixes a secret key with the message data and hashes the result. The hash value is mixed with the secret key again, and then hashed a second time. The output hash is 512 bits in length.
The main advantage is that HmacWith512
is more secure than HmacWith256
. For e.g.
HMAC_SHA1("key","The quick brown fox jumps over the lazy dog") = 0xde7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
HMAC_SHA512("key","The quick brown fox jumps over the lazy dog") = 0xb42af09057bac1e2d41708e48a902e09b5ff7f12ab428a4fe86653c73dd248fb82f948a549f7b791a5b41915ee4d1ec3935357e4e2317250d0372afa2ebeeb3a
The difference is pretty huge (as seen). Hope it helps. :)
EDIT: As OP mentions
PBEKeySpec(char[] password, byte[] salt, int iterationCount, int keyLength)
The parameter keyLength
is used to indicate the preference on key length
for variable-key-size ciphers. The actual key size depends on each provider's implementation. Hence say, doing something like
PBEKeySpec(password, salt, int 100, 512)
doesn't mean you will be using SHA1 to generate a keyLength of 512. It simply means that. SHA1 supports upto a maximum of 160 bits. You cannot exceed that.
As for your second question, have a look at the HMAC-SHA1. There are many statements that say algorithms like SHA256
is pretty good if you a long hash.
Also, as per the NSA :
The NSA specifies that "Elliptic Curve Public Key Cryptography using the 256-bit prime modulus elliptic curve as specified in FIPS-186-2 and SHA-256 are appropriate for protecting classified information up to the SECRET level. Use of the 384-bit prime modulus elliptic curve and SHA-384 are necessary for the protection of TOP SECRET information.
I think using a HMAC function in conjunction SHA512 is quite secure.