I wonder what the canonical approach to generating keys using KDFs is on Android. The JCA provides a SecretKeyFactory, outlined in this post, where the method would look like

import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public byte[] deriveKey(String password, byte[] salt, int keyLen) throws NoSuchAlgorithmException, InvalidKeySpecException {
    SecretKeyFactory kf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    KeySpec specs = new PBEKeySpec(password.toCharArray(), salt, 1024, keyLen); // 1024 iterations, keyLen in bits
    SecretKey key = kf.generateSecret(specs);
    return key.getEncoded();
}

It doesn't specify the number of rounds, however. Is this the canonical approach?

John M.

1 Answer

The number of rounds is clearly 1024 in the above method. It does however mean that the method uses too few rounds. Today anything in the order of 10K to 40K is usually chosen, the higher the better.

As a password-based key derivation function, PBKDF2 is probably the best standardized one. It does however take configuration parameters. The hash function, the character encoding, the iteration count and the output size are not specified for PBKDF2. Although there is no canonical approach, the above function goes a long way, supporting ASCII (a subset of UTF-8) and SHA-1. bcrypt and scrypt are also pretty commonplace.

Note that there also exist key-based KDFs (KBKDFs), but they are not often available in libraries. They should be chosen if the input entropy is large enough that the iteration count and possibly the hash are not needed, e.g. after key agreement.

Maarten Bodewes
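To make the configuration parameters the answer lists (hash, encoding, iteration count, output size) explicit, here is an added example of the same JCA pattern with each choice spelled out. This is not code from the question or the answer: the algorithm name PBKDF2WithHmacSHA256, the 40,000 iterations, the 16-byte salt and the 256-bit output are this example's own assumptions, and the sample password is constructed.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class Pbkdf2Example {
    // Parameter choices below are this example's own assumptions.
    // PBKDF2WithHmacSHA256 is available in standard Java 8+ and on Android API 26+;
    // older Android releases only ship PBKDF2WithHmacSHA1, so check the target API level.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 40_000;   // upper end of the range the answer mentions
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;        // PBEKeySpec takes the key length in bits

    /** Fresh random salt; it is not secret and is stored next to the derived key or ciphertext. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /**
     * Derives keyBits/8 bytes of key material with every PBKDF2 parameter explicit, so the
     * same value can be recomputed later. The provider decides how the char[] is encoded:
     * ASCII is safe everywhere, non-ASCII passwords should be tested on the target platform.
     */
    public static byte[] deriveKey(char[] password, byte[] salt, int iterations, int keyBits)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        if (iterations < 1 || keyBits < 8 || keyBits % 8 != 0) {
            throw new IllegalArgumentException("bad PBKDF2 parameters");
        }
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            SecretKeyFactory kf = SecretKeyFactory.getInstance(ALGORITHM);
            return kf.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // PBEKeySpec keeps its own copy of the password
        }
    }

    /** Recomputes the key and compares in constant time, e.g. to check a stored password-derived key. */
    public static boolean verify(char[] password, byte[] salt, int iterations, byte[] expected)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] actual = deriveKey(password, salt, iterations, expected.length * 8);
        try {
            return MessageDigest.isEqual(expected, actual);
        } finally {
            Arrays.fill(actual, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray();   // constructed sample
        byte[] salt = newSalt();
        byte[] key = deriveKey(password, salt, ITERATIONS, KEY_BITS);
        System.out.println("derived " + key.length + " bytes with " + ITERATIONS + " iterations");
        System.out.println("same password verifies: " + verify(password, salt, ITERATIONS, key));
        System.out.println("wrong password verifies: "
                + verify("wrong".toCharArray(), salt, ITERATIONS, key));
        Arrays.fill(password, '\0');   // scrub the caller's copy once it is no longer needed
    }
}
```

The salt and the iteration count have to be stored alongside whatever the key protects, since both are inputs to recomputing it; only the password stays secret. Raising the iteration count later is then a matter of re-deriving with the new value when the user next supplies the password.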