stackoom
  简体   繁体   中英

CCCalibratePBKDF alternative for Android / Java

 原文  2020-07-15 09:59:34       java/ android/ security/ pbkdf2

Question

I'm trying find to alternative to CCCalibratePBKDF method on Java/Android to find out how many rounds of PBKDF2 I can do within certain amount of time.

Do you know any?

I'm currently implementing own solution based on calculating speed with small number of rounds and guessing number based on that but it's pretty inconsistent - on iOS numbers are pretty constant

side note - I don't know if iOS method is calculating that based on real numbers or they just know they hardware so they know numbers upfront.

2 answers

solution1
 1  2020-07-15 11:03:01

I don't think measuring the local device is a good solution because attacks against PBKDF2 don't necessarily have to happen on the device itself. Hence the local device speed if totally irrelevant for the security.

Additionally on Android more background apps may be active when benchmarking the PBKDS2 algorithm, hence you can't simply calculate the time the PBKDF2 algorithm takes. And on device with BIG/LITTLE cores it may happen that the calculation only uses the weak LITTLE cores which also falsifies the result.

Therefore instead of measuring it I would provide an option where the user can set the number of iterations. For simpler usage I would use a setting called "security level (the bigger the better, but may cause a delay)". Set is as drop-down field with values from 1 to 10 and an exponential increasing iterations number - for example: 

  1 = 100.000 * 2^1 (200.000)
  2 = 100.000 * 2^2 (400.000)
 ..
 10 = 100.000 * 2^10 (102.400.000)

solution2
 0  2020-07-15 10:24:15

You are searching for a modern Key Derivation Function. Usually following algorithms are mentioned: PBKDF2 (the only one that is blessed by NIST), bcrypt (better than PBKDF2), scrypt (better than bcrypt), argon2 (high end).

In the java world people tend to use bcrypt, as it is the algorithm delivered with spring security (an implementation one can trust). It is also quite easy to use as it has only one dimension for the work factor (unlike scrypt).

When trying things out for choosing the best work factor please bear in mind, that the Android world is segmented heavily and that the power of the devices varies. What is good on your phone, may be really slow on some devices. I believe the iOS world to be more consistent.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PostMessage() alternative in Java(Android) GLUT alternative in Java & Android? Java/Android: StringUtils.countMatches alternative for Android? Android alternative to java.awt (BufferedImage and Raster) Alternative to using getMap() in SupportMapFragment Java Android Studio Alternative to repetitive lines of code (Android/Java) Alternative to java.awt.imageproducer for android JAVA BoofCV method's alternative for Android Alternative to using final variables in java and android? Android CountDownTimer alternative in Spring Boot (Java)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM