What I'm asking from you guys. Is it possible to avoid these kind of brute force attacts? I know it is possible with other kind of applications, that can use salt and user identification. But I don't think it is possible for me, because it must be possible to open encrypted file in other computer using only password. Only thing that makes encrypted file secure is password, that is strong enough.
Originally posted by Ulf Dittmer:
Originally posted by Pat Farrell:
You really should not consider TrippleDES. DES is obsolete. AES is much faster than TrippleDES and is considered as strong. Plus, DES is cursed with the known weak keys.
Just use AES and forget DES.
Originally posted by Henry Wong:
DES has *not* been broken
The main weakness is purely the size of the key. Tripling the size of the key (or doubling depending on the 3DES setup) drastically improves the protection. If it takes a day to break DES, with it's 56 bit key -- it will take 2 to the power of 56 days longer (if you use the version of 3DES that only double the keys).
But it has to be a strong key, using a password in ASCII doesn't cut it. You have to take the user's input and make it strong, usually by running it through a hash such as SHA1.
Originally posted by Uuno Turhapuro:
If I use SHA1 to make a "hash", why can't possible attacker do the same? Attacker can read source code, he knows what I'm using. How does this help me?
Currently what I'm doing is, that I take password as seed, run it through method that makes it 32 characters long "random" string and do encrypting after that with Java's crypto package. I think encrypting is now 32*8=256 bytes.