
I want to use Salsa20 in Java, so I downloaded Bouncy Castle, and... it makes no sense to me. I've got it working, but most of my choices were essentially random. But I can't see anything there leading me to the right path. The interface CipherParameters accepts nearly any nonsense and a key size of 257 bits works perfectly.

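import java.util.Arrays;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.PBEParametersGenerator;
import org.bouncycastle.crypto.StreamCipher;
import org.bouncycastle.crypto.engines.Salsa20Engine;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;

private static StreamCipher newCipher(byte[] password, byte[] salt) {
    int iterations = 50000; // really?
    PBEParametersGenerator generator =
        new PKCS5S2ParametersGenerator(); // really this one?
    generator.init(password, salt, iterations);
    Arrays.fill(password, (byte) 0);
    // Arguments are key size and IV size, both in bits.
    final CipherParameters cipherParameters =
        generator.generateDerivedParameters(256, 64); // would 257 be better? :D
    final StreamCipher result = new Salsa20Engine();
    result.init(true, cipherParameters);
    return result;
}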

As I wrote, it works, but is this the right way? Especially,

  • Is PKCS5S2 with 50000 iterations a good choice?
  • The password gets stored nowhere, so I'm assuming the only threat would be an attacker having access to both the plaintext and the ciphertext, xoring them together, and using it for verification of their password guesses. Am I right?
  • Concerning the practical POV, is there a way to verify I did nothing seriously wrong (like switching password and salt or using an inappropriate method)?
e-sushi
maaartinus
  • Downvoter, feel free to add an answer. If the code is crap... well, then I'm right as I expected it. – maaartinus Oct 13 '14 at 15:59
  • The question is off topic for this site. – ddddavidee Oct 13 '14 at 17:08
  • @ddddavidee How is it different from e.g. this one or this one? I just didn't ask explicitly about what key derivation algorithm should I use, etc., but the question is there. And assuming it's not appropriate here, where should it be? Buddhism? Pets? Just don't say SO or CR, as the kind of knowledge I need is not there. – maaartinus Oct 13 '14 at 17:18
  • Maybe you should ask your question in the general way, without any bound to a particular library. (btw I'm not the downvoter) – ddddavidee Oct 13 '14 at 17:20
  • @maaartinus: The other questions are about general algorithms or "does it make sense to do this to strengthen passwords?". Your question is about implementation with a specific library, something which is not welcome on Cryptography Stackexchange. Try to ask your question directly at a place about Bouncy Castle or at a Java forum. – Nova Oct 13 '14 at 17:29
  • @Nova OK, BC forum sounds good. Java forum is nonsense, as most people there know close to nothing about crypto and the few who just do don't come along. – maaartinus Oct 13 '14 at 17:39
  • @maaartinus: Yeah, maybe they know nothing about cryptography, but they know about Java and the proper way to implement a description from a documentation. It's still "the second choice", but it's still a choice if Bouncy Castle has nothing like a forum or such. – Nova Oct 13 '14 at 18:14
  • @Nova I know SO pretty well. I know, there are Java experts there, but I do know myself enough. But the documentation is lacking at best and the interface allows about every nonsense you can think of. BC has a mailing list, I'm giving it a try. – maaartinus Oct 13 '14 at 18:21
  • If you edit out the code and the questions about using the library, I think your bullet point questions would be on-topic as questions about using the algorithms. At least the 1. and 3., the 2. would need some explanation of what's going on (code doesn't really cut it). – otus Oct 13 '14 at 21:30
  • @maaartinus With BC I would also seriously consider looking in the source code. They don't have a very strong policy with regards to validating parameters (if any) but the code is usually rather down to earth. For BC, the mailing list is best but SO does have a few experts available as well (grmbls a bit). – Maarten Bodewes Oct 14 '14 at 13:40
  • @owlstead I've looked already into the sources and it looks fine (for a non-cryptographer). It was the lack of checking of anything that made me ask, as passing any nonsense worked, too. I'll probably edit out the code as suggested and turn it into a regular question for here. – maaartinus Oct 14 '14 at 14:01
  • I'm voting to close this question as off-topic because it is a programming problem, not a cryptography problem. – CodesInChaos Jun 29 '15 at 10:27

1 Answer

My code above is a fascinating huge damping pile of... you know.

generator.init(password, salt, iterations);
Arrays.fill(password, (byte) 0);

BC fails to copy the content of the password array, so my security "improvement" of clearing the password after use clears it before use and leads to a password of all zeros.

Btw., the mailing list was no better than this site. No answer.

maaartinus
  • @e-sushi While your suggestion helps to avoid close-votes, it won't help to get a sensible answer. Posting it on SO (which I know pretty well) is a sort of waste of time. See also my comments below my question. – maaartinus Jul 02 '15 at 16:56
  • Honestly, looking at things again I've started to realize that too. Sorry for having bugged you with a comment which was (as it turns out) rather "superfluous" because you obviously seem to know your ways around the SE network already. Oh well, at least I was able to drop some benign votes while I was at it… – e-sushi Jul 02 '15 at 17:13
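
The ordering bug described in the answer, together with the kind of self-check the third question asks for, as an added example that is not part of the original post or of Bouncy Castle. It assumes Bouncy Castle is on the classpath; the class name, the helpers `keystream` and `check`, and all passwords and salts are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.PBEParametersGenerator;
import org.bouncycastle.crypto.StreamCipher;
import org.bouncycastle.crypto.engines.Salsa20Engine;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;

// Hypothetical self-check class (added example); all inputs are constructed.
public class Salsa20KdfSelfCheck {

    // Derives key + IV as in the question, returns the first 32 keystream bytes.
    // wipeEarly = true reproduces the question's ordering (zeroing before derivation).
    static byte[] keystream(String password, String salt, boolean wipeEarly) {
        byte[] pw = password.getBytes(StandardCharsets.UTF_8);
        PBEParametersGenerator gen = new PKCS5S2ParametersGenerator();
        gen.init(pw, salt.getBytes(StandardCharsets.UTF_8), 50000);
        if (wipeEarly) {
            Arrays.fill(pw, (byte) 0); // gen only holds a reference, so it now sees zeros
        }
        CipherParameters params = gen.generateDerivedParameters(256, 64);
        Arrays.fill(pw, (byte) 0);     // derivation is finished, wiping is safe here
        StreamCipher cipher = new Salsa20Engine();
        cipher.init(true, params);
        byte[] out = new byte[32];
        cipher.processBytes(new byte[32], 0, 32, out, 0); // zeros in, raw keystream out
        return out;
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        // Early wipe: two different passwords give the same keystream.
        check(Arrays.equals(keystream("password-one", "salt-A", true),
                            keystream("password-two", "salt-A", true)),
              "early wipe makes the password irrelevant");
        // Correct order: keystream depends on password and on salt, and is repeatable.
        byte[] ref = keystream("password-one", "salt-A", false);
        check(Arrays.equals(ref, keystream("password-one", "salt-A", false)), "deterministic");
        check(!Arrays.equals(ref, keystream("password-two", "salt-A", false)), "password matters");
        check(!Arrays.equals(ref, keystream("password-one", "salt-B", false)), "salt matters");
    }
}
```

These checks do not detect swapped password and salt arguments; comparing the derived key bytes against a published PBKDF2-HMAC-SHA1 test vector (RFC 6070) covers that case.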