I want to combine hashing and encryption for better security. So can I use a hash key generated from SHA-1 as a key in AES? For example, I have a password "50", I calculate the SHA-1 hash for it (e1822db470e60d090affd0956d743cb0e7cdf113), and I want to feed those bytes as the key for AES-128. What things do I need to take care of while implementing this? Should I just truncate after 128 bits or do some kind of folding?

Here is the code:

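    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;

    public class MessageDigestExample {
        public static void main(String[] args) throws Exception {
            String input = "This is a message";
            MessageDigest hash = MessageDigest.getInstance("SHA-1");
            System.out.println("input : " + input);
            // Hash the UTF-8 bytes of the input string
            hash.update(input.getBytes(StandardCharsets.UTF_8));
            // Print the 20-byte SHA-1 digest as lowercase hex
            StringBuilder hex = new StringBuilder();
            for (byte b : hash.digest()) hex.append(String.format("%02x", b));
            System.out.println("digest : " + hex);
        }
    }
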
nana
  • Depending on from where you got the string to hash this may have weak security. But if the source is OK, both truncation and folding (with XOR) would be fine. – Henry Nov 05 '18 at 10:39
  • Please refer to this answer... it has the code to convert a password to a key using PBKDF2 https://stackoverflow.com/a/53015144/1235935 – Saptarshi Basu Nov 22 '18 at 10:29

1 Answer

While AES-128 provides sufficient security, using a key from SHA-1 probably doesn't.

Aside from that:

Your question is more of a debate than something easy to answer. I would like to point you to this answer: https://stackoverflow.com/a/19863149/10353914

With the information provided, your question kinda gets obsolete - better use PBKDF2 where you can set the output hash size to 128 bits.
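
An added example, not code from the question or the answer: the Java program below derives a 128-bit AES key with PBKDF2, as the answer and the second comment suggest, next to the truncated SHA-1 approach from the question. The class name, the iteration count, the 16-byte salt and the choice of AES-GCM are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordToAesKey {            // class name is an assumption for this example
    static final int ITERATIONS = 600_000; // assumed work factor; tune for your hardware
    static final int KEY_BITS = 128;       // AES-128, as in the question

    // Approach from the question: unsalted SHA-1, truncated to 16 bytes.
    static byte[] sha1Truncated(String password) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(password.getBytes(StandardCharsets.UTF_8));
        return Arrays.copyOf(digest, KEY_BITS / 8);
    }

    // PBKDF2-HMAC-SHA256: salted, iterated, output length set directly to 128 bits.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the password copy held by the spec
        }
    }

    // AES-GCM with a 128-bit tag; the IV must be unique per encryption under one key.
    static byte[] aesGcm(int mode, byte[] key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        String password = "50"; // the password from the question
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12]; // both are stored next to the ciphertext
        rng.nextBytes(salt); rng.nextBytes(iv);
        byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, pbkdf2(password.toCharArray(), salt), iv,
                "This is a message".getBytes(StandardCharsets.UTF_8));
        // Decryption re-derives the same key from the password and the stored salt.
        byte[] pt = aesGcm(Cipher.DECRYPT_MODE, pbkdf2(password.toCharArray(), salt), iv, ct);
        System.out.println("round trip ok: " + "This is a message".equals(new String(pt, StandardCharsets.UTF_8)));
        System.out.println("unsalted SHA-1 key repeats: " + Arrays.equals(sha1Truncated(password), sha1Truncated(password)));
    }
}
```

A two-character password such as "50" stays guessable whichever derivation is used; the salt and iteration count only raise the cost of each guess and prevent precomputed tables.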