3

I am trying to use libsodium for symmetric encryption on Android. In order to get libsodium on android, I am using this binding library.

I am struggling to find the proper way to derive a key from a (low entropy/user chosen) password. There is plenty of reference online to the PBKDF2 and SCrypt algorithms. SCrypt in particular looks like it is included as part of libsodium, but I cannot figure how to use it through the binding above. Should I add a separate library just for the key derivation function? This would work but I would prefer not to add another lib just for that if not necessary. Should I be using java's SecretKeyFactory?

If anyone has implemented symmetric encryption on android before with libsodium and could provide an example or guidance, it would be appreciated. Thanks.

Stephen
  • 4,041
  • 22
  • 39
  • That binding library is not especially well-documented, though its alternatives are not much better. – CommonsWare Mar 12 '17 at 20:29
  • @CommonsWare I would have to agree on both points. – Stephen Mar 12 '17 at 20:34
  • PBKDF2 (Password Based Key Derivation Function 2) is recommended by NIST. It is also well supported across platforms. – zaph Mar 13 '17 at 00:16
  • In general using a native library is a good idea, as the key derivation is pretty fast and allows e.g. a high number of rounds. Especially in comparison to PBKDF2-HMAC-SHA1 or something similar supported by Android on Java which is very very slow. – Robert Mar 13 '17 at 15:47
  • @Robert The number of rounds nor the speed of the hash function is important, it is the total time that is important. Generally speaking 100ms is considered sufficient time for a key derivation. – zaph Mar 14 '17 at 02:22
  • @zaph: If you are using a slow algorithm like PBKDF2-HMAC-SHA1 100msec will result in about 1000 rounds on a non-high-end Android device. Breaking that with a GPU is not that hard (depending on the password length and complexity). Using a faster algorithm (e.g. one with hardware acceleration) that takes also 100msec provides a much higher security. That is why I suggested to use a fast algorithm. – Robert Mar 14 '17 at 08:21
  • My iPhone 6S requires 1,300,000 rounds to achieve 100ms. Is Android really 1,300 times slower? But a faster algorithm will be faster on a GPU. It isn't that SCrypt is slower, it is that SCrypt requires substantially more memory which plays against GPUs. – zaph Mar 14 '17 at 15:41
  • I tested different devices and this was the result. Only high-end devices like Nexus5x are a little bit faster, but for 100msec I never passed the 10k rounds with PBKDF2-HMAC-SHA1. I assume this is because the old Apache Harmony code in Android is pretty old and not well optimized. – Robert Mar 15 '17 at 19:12

0 Answers0