According to the following linked Java documentation, the relevant option for SecretKeyFactory algorithm (ignoring deprecated options involving MD5 or DES etc.) running in JRE 6 and JRE 7 is: PBKDF2WithHmacSHA1

With the advent of SHAttered, does Oracle have any plan to support later SHA versions for SecretKeyFactory? What are the alternatives?

otus
user37416
    a) HMAC-SHA1 is still fine, b) password-hashing doesn't need to have collision resistance, it is trivial to construct a collision with PBKDF2 for all hashes. – SEJPM Mar 09 '17 at 10:43
  • https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory – SEJPM Mar 09 '17 at 12:42

1 Answer

With the advent of SHAttered, does Oracle have any plan to support later SHA versions for SecretKeyFactory?

First, they don't need to. We are talking about PBKDF with HMAC-SHA1 here, which is a password-based key derivation function. You don't need collision resistance (which is the only property SHAttered broke) for password hashing; in fact it is trivial to find two passwords that hash to the same value with PBKDF2. What you really want from a password hash is one-way-ness / pre-image resistance (i.e. you can't recover the input from the output) other than using generic attacks.

Second, as of JRE8 you can use any pseudo-random function (PRF) the API knows instead of HMAC-SHA1 already and in fact HMAC-SHA256 is given as an example in the documentation.

What are the alternatives?

You don't use PBKDF2 from the standard library but rather use a binding to a more advanced password-based key derivation function such as Argon2, which has at least bindings for Java.

SEJPM
  • From your comment, I understand that PBKDF2WithHmacSHA1 is still safe for password hashing. But I intend to use it for communication as well. So I will check with Argon2 or other libraries. – user37416 Jul 03 '17 at 07:56
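The answer's second point, that on JRE 8 the standard `SecretKeyFactory` accepts `PBKDF2WithHmacSHA256` in place of `PBKDF2WithHmacSHA1`, as an added example that is not part of the original question or answer. The class name, the iteration count, salt length and key length, and the `iterations$salt$hash` storage format are my own choices for illustration, not values from the page; the API calls (`PBEKeySpec`, `SecretKeyFactory.getInstance`, `MessageDigest.isEqual`) are standard JDK 8.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: PBKDF2 with HMAC-SHA256 as the PRF, available in JRE 8+.
// Parameters below are illustrative assumptions, not recommendations from the page.
public class Pbkdf2Sha256Example {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000;   // assumed work factor
    private static final int SALT_BYTES = 16;        // assumed salt length
    private static final int KEY_BITS = 256;         // output length matches SHA-256

    // Derive a key from a password and salt; the PBEKeySpec copy of the
    // password is wiped afterwards so it does not linger on the heap.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Produce a self-describing record: iterations$base64(salt)$base64(hash).
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);          // fresh random salt per password
        byte[] hash = derive(password, salt);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    // Verify a candidate password against a stored record.
    // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
    static boolean verify(char[] candidate, String record) throws Exception {
        String[] parts = record.split("\\$");
        if (parts.length != 3) {
            return false;
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        PBEKeySpec spec = new PBEKeySpec(candidate, salt, iterations, expected.length * 8);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
            byte[] actual = factory.generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(expected, actual);
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        String record = hashPassword(password);
        System.out.println("stored record: " + record);
        System.out.println("correct password verifies: " + verify(password, record));
        System.out.println("wrong password verifies:   "
                + verify("wrong password".toCharArray(), record));
    }
}
```

Storing the iteration count alongside the salt and hash lets you raise the work factor later without invalidating existing records, since `verify` reads the parameters from the record rather than from the constants. Note that, exactly as the answer says, moving from SHA-1 to SHA-256 here changes nothing about collision resistance that matters for password hashing; the practical benefit is a PRF that is not on a deprecation path.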