Password length with BouncyCastle AES

by MakkaPakka

I'm trying to use Jasypt with Bouncy Castle AES and want to clarify what size password I should/can use.

I've looked at StandardPBEByteEncryptor and it does PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password.toCharArray()), so I would assume I can use any length password.

However, anything greater than 7 chars doesn't work.

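Here's the tester code:

    import java.security.Security;

    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
    import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

    // Tries passwords of growing length ("0", "01", "012", ...) and prints the ones that encrypt.
    private static final void determinePasswordLength() {
        Security.addProvider(new BouncyCastleProvider());
        final StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 1000; ++i) {
            sb.append(i);
            final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
            encryptor.setAlgorithm("PBEWITHSHA256AND128BITAES-CBC-BC");
            encryptor.setPassword(sb.toString());
            try {
                encryptor.encrypt("stuff");
                System.out.println(sb + " works");
            } catch (final EncryptionOperationNotPossibleException e) {
                // Failures are silently skipped; uncomment to list them.
                // System.out.println(sb + " fails");
            }
        }
    }

So I'm guessing there's something I don't understand somewhere. Is it to do with the use of SHA? I've tried SHA and SHA256 and I still get the same result.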

More importantly, how secure is this? I would generally expect to be able to use longer passwords so as to increase the entropy.

Thanks for any help you can give.


Re: Password length with BouncyCastle AES

by subversion

I have the same problem too. The system was complaining that the Java virtual machine does not have the unlimited JCE policy, but I do have the policy installed.

Any clue?


Re: Password length with BouncyCastle AES

by Shervin Asgari-3

subversion wrote:

> I have the same problem too. The system was complaining that the Java virtual machine
> does not have the unlimited JCE policy, but I do have the policy installed.
>
> Any clue?

I remember many years ago, while I was using BouncyCastle, that you needed
to edit the policy file found in your $JAVA_HOME folder and set the
policy to be "unlimited". I am sure you can find more information on
exactly how you can do this by googling a bit. I cannot remember off the
top of my head.

Shervin
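
A diagnostic for the JCE policy complaint raised in this thread, added here as an example (not code from Jasypt, Bouncy Castle or any poster): it reports which runtime is executing and its key-length limit, then repeats the encryption through plain JCE so the provider's own exception is printed. The class name JcePolicyCheck, the sample passwords, the all-zero 8-byte salt and the 1000 iterations are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical diagnostic class (assumed name), not part of Jasypt or Bouncy Castle.
public class JcePolicyCheck {
    static final String ALG = "PBEWITHSHA256AND128BITAES-CBC-BC"; // algorithm from the thread

    // Performs the PBE encryption through plain JCE and returns "ok" or the
    // provider's own exception text.
    static String tryPassword(String password) {
        try {
            byte[] salt = new byte[8]; // constant all-zero salt: diagnostic use only (assumed value)
            SecretKey key = SecretKeyFactory.getInstance(ALG, "BC")
                    .generateSecret(new PBEKeySpec(password.toCharArray()));
            Cipher cipher = Cipher.getInstance(ALG, "BC");
            cipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, 1000));
            cipher.doFinal("stuff".getBytes(StandardCharsets.UTF_8));
            return "ok";
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Policy files are per installation, so show which runtime is executing.
        System.out.println("java.home     = " + System.getProperty("java.home"));
        // Security property present on newer JDKs only; null elsewhere.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        // Integer.MAX_VALUE means the unlimited policy is in effect.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES bits  = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(maxAes)));
        // Constructed sample passwords on both sides of the 7-character mark reported above.
        for (String pw : new String[] {"1234567", "12345678", "a-much-longer-passphrase"}) {
            System.out.println(pw.length() + " chars -> " + tryPassword(pw));
        }
    }
}
```

Run it with the same java binary and classpath as the failing application, so the reported java.home is the installation whose policy files matter.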
