Password based cryptography (PBE)
Password based encryption (PBE) is a method of generating key based on password and using the key to encrypt. Encryption and decryption use the same key.
According to the user’s own password and salt generated password, let’s first look at the encryption process:
The encryption process can be divided into the following steps:
- Generate KEK key
- Using pseudo random number generator to generate salt
- The one-way hash function algorithm is used to generate the KEK key between salt and the user’s own password
- Generate session key and encrypt
- Using pseudo random number generator to generate session key CEK
- Use the KEK key generated in step 1 to encrypt the session key CEK to get the encrypted session key
- Save the salt generated in step 1 and the encrypted session key generated in step 2 for later decryption.
- Encrypted message
- Use the session key CEK generated in step 2 to encrypt the message and get the encrypted message.
The KEK generated in step 1 does not need to be saved, because it can be reconstructed according to salt.
Next, let’s look at the decryption process
- Rebuild KEK
- The saved salt and the password remembered by the user are used to reconstruct the KEK according to the one-way hash algorithm.
- Decrypt session key
- Decrypt the encrypted session key with the KEK generated in step 1 to get the decrypted session key
- Decrypt message
- The encrypted message is decrypted by using the decrypted session key to get the original message.
Why use salt?
Salt is mainly to defend against dictionary attacks, because the user’s own password is not random, and it is easy to be brutally cracked. After adding salt, it is much more difficult to crack by violence.
For more information, please visit http://www.flydean.com/pbe/