
In a JCEKS key store, which algorithm is used and what is the size of the key?
I found something saying that it uses Triple DES,

but what is the key size?

Thanks

Sumit Singh

2 Answers


Currently, each PrivateKey and SecretKey entry in a JCEKS key store is encrypted with 3-key triple DES in CBC mode with PKCS #5 padding. This has an effective cryptographic strength of 112 bits, although the key is 168 bits plus 24 parity bits for a total of 192 bits.

This key (and the initialization vector) is derived from a password using a proprietary MD5-based algorithm. Normally, deriving the initialization vector from the key would defeat the purpose, but each entry also has a unique salt for key derivation. This means that the derived key and initialization vector are unique to each entry.

You can study the use of the cipher and the cipher itself in the source code.

erickson
  • Do you know the algorithm used to derive the key and iv from the password? The code only shows comments which are ambiguous, "Concatenate password with each of the halves" -- is that password + half, or half + password? I can't recreate this algorithm, trying all possible combinations, based on the comments. – Jim Flood Feb 24 '16 at 18:08
  • I can't seem to @erickson on the above comment ^^^ – Jim Flood Feb 24 '16 at 18:08
  • @JimFlood [Here is the key derivation.](http://www.docjar.com/html/api/com/sun/crypto/provider/PBECipherCore.java.html#261) It's half + password; the salt is 8 bytes so half is 4 bytes. – erickson Feb 24 '16 at 23:07
  • Thank you! If you post an answer to this question I'll gladly accept it: http://stackoverflow.com/questions/35610017/what-is-the-algorithm-for-the-jceks-pbe-used-to-encrypt-the-private-key – Jim Flood Feb 25 '16 at 00:47
  • @erickson It's now 2020 and I am looking for the answer to this same question. Do you know if this answer is still valid or have things changed? Thanks in advance – abhaybhatia Jun 01 '20 at 17:47
  • @erickson I meant the original question of how password based encryption works in JCEKS KeyStore. I am using SunJCE provider that comes with Java 1.8 if that makes a difference to the answer at all – abhaybhatia Jun 01 '20 at 17:50
  • @abhaybhatia My answer attempts to explain how JCEKS key stores perform password based encryption. Can you clarify what points you need more information about? – erickson Jun 01 '20 at 17:58
  • @erickson Since you wrote this answer back in 2012, I was just wondering if this is still the way JCEKS performs password based encryption or if things have changed since then – abhaybhatia Jun 01 '20 at 18:27
  • TDES with a random key is 112 bits strength, but with a _password-derived_ key that is almost certainly the weaker link and likely no more than 60-80 bits strength, though I haven't seen a quantification even for standard PBKDF1, much less this variant. @abhaybhatia: yes this is **still the same** and there is no change, except now Oracle makes the official source repository accessible; for j8 see KeyProtector, PBEWithMD5andTripleDESCipher, PBES1Core in http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/c0dd958bb895/src/share/classes/com/sun/crypto/provider – dave_thompson_085 Jun 02 '20 at 05:18

JCEKS is another proprietary keystore format, available from the "SunJCE" provider in the JCE (Java Cryptography Extension).

If you're not using the JCE, then you would use a JKS keystore. If, however, you have installed the JCE and you are using JCE functionality, then your best bet is the JCEKS keystore. This keystore provides much stronger protection for stored private keys by using Triple DES encryption.

raoadnan
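An added example (not code from the question or either answer) that exercises both points above: it round-trips a SecretKey entry through an in-memory JCEKS store served by SunJCE, and then uses the PBEWithMD5AndTripleDES scheme named in the comments directly to show that the same password with two different 8-byte salts yields different ciphertext, which is why the per-entry salt matters. The password, the all-zero sample key and the iteration count are constructed values, not anything the key store itself uses.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class JceksPbeDemo {
    // Constructed sample inputs, not real secrets: a password and an all-zero 16-byte key.
    static final char[] PASSWORD = "sample-password".toCharArray();
    static final byte[] ENTRY_KEY = new byte[16];

    // Round-trip a SecretKey entry through an in-memory JCEKS store and report its provider.
    static boolean storeAndReload() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                                   // fresh, empty store
        KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(PASSWORD);
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(new SecretKeySpec(ENTRY_KEY, "AES")), pp);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);                               // entries are PBE-encrypted on store
        KeyStore back = KeyStore.getInstance("JCEKS");
        back.load(new ByteArrayInputStream(out.toByteArray()), PASSWORD);
        System.out.println("JCEKS provider: " + ks.getProvider().getName());
        return Arrays.equals(ENTRY_KEY, back.getKey("demo", PASSWORD).getEncoded());
    }

    // The PBE scheme the store's KeyProtector applies per entry, used directly:
    // same data, same password, two salts -> two different ciphertexts.
    static boolean saltsChangeCiphertext() throws Exception {
        SecretKey pbeKey = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES")
                .generateSecret(new PBEKeySpec(PASSWORD));
        byte[] saltA = new byte[8], saltB = new byte[8];       // 8-byte salt, as in the comments
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(saltA); rnd.nextBytes(saltB);
        byte[] ctA = pbe(pbeKey, saltA, Cipher.ENCRYPT_MODE, ENTRY_KEY);
        byte[] ctB = pbe(pbeKey, saltB, Cipher.ENCRYPT_MODE, ENTRY_KEY);
        byte[] pt = pbe(pbeKey, saltA, Cipher.DECRYPT_MODE, ctA);
        // 16 bytes in, 24 out: 8-byte 3DES blocks plus a full PKCS #5 padding block
        return !Arrays.equals(ctA, ctB) && ctA.length == 24 && Arrays.equals(pt, ENTRY_KEY);
    }

    static byte[] pbe(SecretKey key, byte[] salt, int mode, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("PBEWithMD5AndTripleDES");
        c.init(mode, key, new PBEParameterSpec(salt, 1000));    // iteration count is a sample value
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("entry round-trip ok: " + storeAndReload());
        System.out.println("salt changes ciphertext: " + saltsChangeCiphertext());
    }
}
```

Both methods return true on a stock SunJCE; the ciphertext length check reflects the 8-byte block size and PKCS #5 padding described in the accepted answer.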