
I am writing an app in Eclipse for Android. I tried using PBKDF2WithHmacSHA1 at first to hash my passwords, which worked well. But because of the weaknesses in SHA1, I decided to upgrade it to PBKDF2WithHmacSHA512. However, Eclipse is now throwing a NoSuchAlgorithmException.

SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512") throws NoSuchAlgorithmException

I followed the instructions in the link above. However, the Java file linked in the question above requires the sun.crypto library, which I don't have in Eclipse. I was also advised not to use the Sun library, but to use the official Java library.

My question is, is there any way of using PBKDF2WithHmacSHA512 in Eclipse? Or if possible, can someone teach me how to break it into parts, doing the PBKDF2 first and then HmacSHA512 on the result?

Thank you.

Community
  • "security flaws in SHA1" <-- what security flaws? – fge Mar 14 '14 at 08:40
  • Sorry, not security flaws, but weakness compared to SHA2. Either way, I've read countless recommendations to use SHA256 or SHA512 over SHA1. I will edit my question, thank you. –  Mar 14 '14 at 08:43
  • Well yes, SHA1 is weak compared to SHA256 and SHA512, but this is really relative... SHA1 is plenty strong for a lot of needs. MD5 is weak compared to SHA1 too. – fge Mar 14 '14 at 08:45
  • Anyway -- have you had a look at bouncycastle? – fge Mar 14 '14 at 08:48
  • I have, actually. However, I am currently deciding against it (but still debating) because I only use hashing once in my app with this particular algorithm, so I'm not sure if it's worth including a whole API in my app. It would be my last resort if possible. –  Mar 14 '14 at 08:52

1 Answer

Be careful when using SecretKeyFactory on Android. Please check the supported API version; you will get an exception if you use the wrong version, as shown below: https://developer.android.com/reference/javax/crypto/SecretKeyFactory

This exception is thrown when a particular cryptographic algorithm is requested but is not available in the environment. So, based on the requirement above, if you also want to use this algorithm on a low Android version, I would recommend you use the Bouncy Castle library.

// Gradle

implementation 'org.bouncycastle:bcpkix-jdk15to18:1.70'
implementation 'org.bouncycastle:bcprov-jdk15to18:1.70'


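// Use "PBKDF2WithHmacSHA512" with Android O version and above
import android.os.Build
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

// Returns the derived key bytes, or null below Android O, where the algorithm is not available
fun deriveKey(secret: String, salt: ByteArray, iterations: Int, keyLength: Int): ByteArray? {
  if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) return null
  val skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")
  val pwSpec = PBEKeySpec(secret.toCharArray(), salt, iterations, keyLength) // keyLength is in bits
  return skf.generateSecret(pwSpec).encoded
}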
Leo N
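The question also asks how the algorithm breaks into parts. The following is an added example, not code from the answer above or from any library: PBKDF2 (RFC 8018) built directly on `javax.crypto.Mac` with `HmacSHA512`, so it does not depend on a provider that registers `PBKDF2WithHmacSHA512`. The class name `Pbkdf2Sha512`, the method `derive` and the sample inputs are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class Pbkdf2Sha512 {  // hypothetical class name
    // PBKDF2 with HMAC-SHA512 as the PRF. dkLenBytes is in bytes (PBEKeySpec takes bits).
    // The password must be non-empty: SecretKeySpec rejects an empty key.
    static byte[] derive(byte[] password, byte[] salt, int iterations, int dkLenBytes)
            throws GeneralSecurityException {
        Mac prf = Mac.getInstance("HmacSHA512");
        prf.init(new SecretKeySpec(password, "HmacSHA512"));
        int hLen = prf.getMacLength();                     // HMAC output size in bytes
        int blocks = (dkLenBytes + hLen - 1) / hLen;       // ceil(dkLen / hLen)
        byte[] out = new byte[blocks * hLen];
        for (int i = 1; i <= blocks; i++) {
            // U_1 = PRF(P, S || INT_32_BE(i)); ByteBuffer is big-endian by default
            prf.update(salt);
            byte[] u = prf.doFinal(ByteBuffer.allocate(4).putInt(i).array());
            byte[] t = u.clone();
            for (int c = 1; c < iterations; c++) {
                u = prf.doFinal(u);                        // U_c = PRF(P, U_{c-1})
                for (int k = 0; k < hLen; k++) t[k] ^= u[k];   // T_i = U_1 ^ ... ^ U_c
            }
            System.arraycopy(t, 0, out, (i - 1) * hLen, hLen);
        }
        return Arrays.copyOf(out, dkLenBytes);             // truncate the last block
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample inputs
        char[] pw = "correct horse".toCharArray();
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        int iterations = 1000, dkLen = 80;                 // 80 bytes spans two HMAC blocks
        byte[] mine = derive(new String(pw).getBytes(StandardCharsets.UTF_8),
                salt, iterations, dkLen);
        // Cross-check against the built-in factory; this step needs a runtime that
        // provides PBKDF2WithHmacSHA512 (desktop Java 8+, or Android O and above).
        byte[] ref = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")
                .generateSecret(new PBEKeySpec(pw, salt, iterations, dkLen * 8)).getEncoded();
        System.out.println("matches provider: " + Arrays.equals(mine, ref));
    }
}
```

Only `derive` is needed on older Android versions; the `main` method is a self-check to run where the built-in factory exists.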