public class PBKDF2PBMAC1ParameterSpec extends PBMAC1ParameterSpec
Using a `PBKDF2PBMAC1ParameterSpec` instead of the more generic `PBMAC1ParameterSpec` provides a more convenient way to specify the KDF parameters when PBKDF2 is used as the key derivation function.
PBMAC1 uses a message authentication scheme like HMAC for calculating the mac value with a secret key derived from a password by using a key derivation function like PBKDF2. The message authentication scheme and key derivation function to be used have to be specified by PBMAC1 parameters (see RFC 8018):
```
PBMAC1-params ::= SEQUENCE {
    keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}},
    messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}} }

PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }
```

Currently only PBKDF2 is supported as key derivation function.
After having created a `Mac` instance by calling a proper `getInstance` factory method, the Mac engine has to be initialized with the MAC key and a `PBMAC1ParameterSpec` or `PBKDF2PBMAC1ParameterSpec` specifying the message authentication scheme and PBKDF2 parameters to be used. To derive the MAC key from a password, a `PBEKey` first has to be created from the password by using a PBMAC1 key factory:
```java
char[] password = ...;
// create a KeySpec from our password
PBEKeySpec keySpec = new PBEKeySpec(password);
// use the "PBMAC1" SecretKeyFactory to convert the password
SecretKeyFactory kf = SecretKeyFactory.getInstance("PBMAC1", "IAIK");
// create an appropriate PBEKey
PBEKey pbeKey = (PBEKey)kf.generateSecret(keySpec);
```

Now use a `PBKDF2PBMAC1ParameterSpec` to specify message authentication scheme and PBKDF2 parameters, e.g.:
```java
AlgorithmID messageAuthScheme = (AlgorithmID)AlgorithmID.hMAC_SHA256.clone();
AlgorithmID prf = (AlgorithmID)AlgorithmID.hMAC_SHA256.clone();
AlgorithmID pbkdf2 = (AlgorithmID)AlgorithmID.pbkdf2.clone();
int iterationCount = 10000;
// fill the salt with random bytes; an all-zero salt would defeat its purpose
byte[] salt = new byte[32];
new java.security.SecureRandom().nextBytes(salt);
int keyLength = 32; // length of the derived MAC key; value assumed for this example
PBKDF2ParameterSpec pbkdf2ParamSpec = new PBKDF2ParameterSpec(salt, iterationCount, keyLength);
pbkdf2ParamSpec.setPrf(prf);
PBMAC1ParameterSpec paramSpec = new PBMAC1ParameterSpec(pbkdf2, messageAuthScheme);
paramSpec.setKDFParameterSpec(pbkdf2ParamSpec);
```

Next create the PBMAC1 engine and initialize it with key and parameters:
```java
Mac mac = Mac.getInstance("PBMAC1", "IAIK");
mac.init(pbeKey, paramSpec);
```

When using the same (HMAC) algorithm as message authentication scheme and pseudo random function for PBKDF2, it might be more convenient to immediately initialize the Mac engine with `PBKDF2` parameters:
```java
mac.init(pbeKey, pbkdf2ParamSpec);
```

Finally calculate the mac value by applying the data to be integrity protected by one (or more) calls to the `update` methods. The mac computation is concluded by calling the `doFinal` method. If the data can be processed without calling any `update` method, `doFinal` can be called immediately after initializing the Mac object:
```java
byte[] data = ...;
byte[] macValue = mac.doFinal(data);
```
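The computation that the steps above hand to the PBMAC1 engine, as an added example that is not part of the IAIK documentation or IAIK code: PBKDF2 with HMAC-SHA256 derives the key from the password, HMAC-SHA256 authenticates the data, and verification recomputes the value and compares it in constant time. It uses only JDK classes; the names `Pbmac1Example`, `pbmac1` and `verify`, the sample password and data, and the 32-byte key length are assumptions, and the password encoding is the JDK's, so identical output to the IAIK engine is not claimed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class Pbmac1Example {
    // Hypothetical helper: PBKDF2 (PRF HMAC-SHA256) derives the key, HMAC-SHA256 authenticates the data.
    static byte[] pbmac1(char[] password, byte[] salt, int iterations, int keyLenBytes, byte[] data)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyLenBytes * 8); // JDK takes bits
        byte[] key = null;
        try {
            key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(key, "HmacSHA256"));
            return hmac.doFinal(data);
        } finally {
            spec.clearPassword();                        // wipe the spec's copy of the password
            if (key != null) Arrays.fill(key, (byte) 0); // wipe our copy of the derived key
        }
    }

    // Verification recomputes the MAC from the stored parameters and compares in constant time.
    static boolean verify(char[] password, byte[] salt, int iterations, int keyLenBytes,
                          byte[] data, byte[] expectedMac) throws GeneralSecurityException {
        return MessageDigest.isEqual(pbmac1(password, salt, iterations, keyLenBytes, data), expectedMac);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "constructed-sample-password".toCharArray(); // constructed sample value
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);   // fresh random salt for each protected object
        int iterations = 10000, keyLen = 32;  // iteration count as on the page; key length assumed
        byte[] data = "constructed sample data".getBytes(StandardCharsets.UTF_8);

        byte[] mac = pbmac1(password, salt, iterations, keyLen, data);
        System.out.println("unchanged data: " + verify(password, salt, iterations, keyLen, data, mac));
        data[0] ^= 1; // flip one bit of the protected data
        System.out.println("modified data:  " + verify(password, salt, iterations, keyLen, data, mac));
        data[0] ^= 1; // restore the data, then try a different password
        System.out.println("wrong password: " + verify("other".toCharArray(), salt, iterations, keyLen, data, mac));
    }
}
```

On the verifying side the salt, iteration count and key length are read from the stored PBMAC1 parameters, so put an upper bound on the iteration count accepted from untrusted input.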
See also: `PBMAC1Parameters`, `PBMAC1ParameterSpec`, `PBKDF2ParameterSpec`, `PBMAC1`
| Constructor and Description |
|---|
| `PBKDF2PBMAC1ParameterSpec(PBKDF2ParameterSpec pbkdf2ParameterSpec, AlgorithmID messageAuthScheme)` Creates a PBKDF2PBMAC1ParameterSpec for the given PBKDF2 parameters and message authentication scheme. |
Methods inherited from `PBMAC1ParameterSpec`: `getKDFParameterSpec`, `getKeyDerivationFunction`, `getMessageAuthScheme`, `setKDFParameterSpec`
```java
public PBKDF2PBMAC1ParameterSpec(PBKDF2ParameterSpec pbkdf2ParameterSpec,
                                 AlgorithmID messageAuthScheme)
                          throws java.security.InvalidAlgorithmParameterException
```

Parameters:
- `pbkdf2ParameterSpec` - the parameters for the PBKDF2 key derivation function
- `messageAuthScheme` - the message authentication scheme

Throws:
- `java.security.InvalidAlgorithmParameterException`