From: Josh Lubliner <josh@privada.net>
To: java-security@java.sun.com
Subject: JCE1.2 -- Blowfish has no KeyFactory?
Date: Wed, 7 Apr 1999 15:25:11 -0700
Message-Id: <99040715533503.00358@localhost.localdomain>
I've installed JCE 1.2, and I am using JDK 1.2 (java 2). I'd like to use the
Blowfish algorithm available in the SunJCE provider. However, Blowfish has no
KeyFactory. In my (admittedly limited) understanding of the subject, this
means that there are only two ways you can generate a Blowfish key:
1. You can use BlowfishKeyGenerator.generateKey(), which will generate a new
(random) key every time.
2. You can use object serialization to stream an existing key to a file, then
stream it back in the create a new key. Of course, the keys are, in general,
completely unsecured while they are sitting in a file on your hard drive.
My problem is that I'd like to be able to generate a key from a password, so
the user gets the same key every time, as long as they enter the correct
password. This way I can store (for example) their personal information in a
local file, encrypted with this password-generated key. Then there is no way
for someone to read this information without knowing that password.
This seems to be possible using DES keys, with the following code:
String password = "mypassword";
SecretKeyFactory kf = SecretKeyFactory.getInstance("DES");
KeySpec spec = new DESKeySpec(password.getBytes(), 0);
SecretKey sk = kf.generateSecret(spec);
However, since there is no BlowfishKeyFactory, this can't be done for Blowfish.
Is there any particular, cryptographic reason why there is no
BlowfishKeyFactory? Or is there some other way to do what I am trying to do?
Thanks for your help
--Josh