Reliable implementation of PBKDF2-HMAC-SHA256 for JAVA
Using spongycastle (java on android)
Replace spongycastle with bouncycastle if you are using bouncycastle on java directly
import org.spongycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.spongycastle.crypto.digests.SHA256Digest;
import org.spongycastle.crypto.params.KeyParameter;
public class Crypto {
public String pbkdf2(String secret, String salt, int iterations, int keyLength) {
PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest());
byte[] secretData = secret.getBytes();
byte[] saltData = salt.getBytes();
gen.init(secretData, saltData, iterations);
byte[] derivedKey = ((KeyParameter)gen.generateDerivedParameters(keyLength * 8)).getKey();
return toHex(derivedKey);
}
private static String toHex(byte[] bytes) {
BigInteger bi = new BigInteger(1, bytes);
return String.format("%0" + (bytes.length << 1) + "x", bi);
}
}
Using BouncyCastle classes directly:
PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest());
gen.init("password".getBytes("UTF-8"), "salt".getBytes(), 4096);
byte[] dk = ((KeyParameter) gen.generateDerivedParameters(256)).getKey();
It is available in Java 8:
public static byte[] getEncryptedPassword(
String password,
byte[] salt,
int iterations,
int derivedKeyLength
) throws NoSuchAlgorithmException, InvalidKeySpecException {
KeySpec spec = new PBEKeySpec(
password.toCharArray(),
salt,
iterations,
derivedKeyLength * 8
);
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
return f.generateSecret(spec).getEncoded();
}