Mailing Lists: Apple Mailing Lists


Re: Cross-platform authentication



Michael Hall wrote:

>Not using a keystore. You can have a strong crypto password. But to
>simplify it to a single password is less secure than a file password
>+ a unique password per alias. More all your eggs in one basket.

One good password is safer than two lame passwords, so I don't see how the
double-encryption of a KeyStore is necessarily better than
single-encryption.  One steel-wire egg-basket vs. two papier-mache ones.


>Figure out the one password and you have the works. It could be a
>lame single password, easily susceptible to dictionary attack, then
>the strong crypto doesn't necessarily matter, etc.

The design of PBE systems is fairly well documented.  The usual
recommendation is to use random salt with PBE, to foil dictionary attacks.
  <http://www.rsasecurity.com/products/bsafe/overview/Article3-PBE.pdf>

See PKCS-5 (v1 and v2):
  <ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-5.asc>
  <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-5v2/pkcs5v2-0.pdf>

Also see Appendix B of PKCS-12:
  <ftp://ftp.rsa.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf>

  -- GG


Java-dev mailing list      (email@hidden)

Copyright © 2007 Apple Inc. All rights reserved.