In chapter 2, the section Basic PBE
, the discussion under The Password
is a bit misleading.
quote:Most, like PKCS #5, only consider characters in the ASCII range...
What is misleading about this is that PKCS #5 says nothing whatsoever about characters
. What the PKCS #5 says is:
quote:...a password is considered to be an octet string of arbitrary
length whose interpretation as a text string is unspecified.
I think you have just copied the specific interpretation that the Java PBEKeySpec class puts on the password:
quote:Different PBE mechanisms may consume different bits of each password character. For example, the PBE mechanism defined in PKCS #5 looks at only the low order 8 bits of each character, whereas PKCS #12 looks at all 16 bits of each character.
Note that this statement that "PKCS #5 looks at only the low order bits of each character" is also incorrect - PKCS #5 explicitly states that it doesn't deal with string passwords at all, it deals with passwords as an octet string. The JCE interpretation that picks out the low order bytes to produce that octet string is simply one possible approach.
Also note that "low order bytes" is not the same thing as ASCII. ASCII uses characters in the range 0 to 127, but if we use the low order bytes from the characters in the password string, we actually get characters in the range -128 to 127.
It is possible to work around the issue of high-order bytes in the password string being ignored (e.g., encode as UTF-8 and use that to create the input string). The real problem is interoperability. You can come up with a scheme to map an arbitrary string into an input for the key derivation function, but the algorithm identifier (or OID) doesn't describe this.
It might be useful to state explicitly in the book (perhaps in Appendix B) which algorithms in JCE use the "use the low order bytes of characters" password string transformation (so they can be avoided). By my reckoning, they are:
Also note the the list of PBE algorithms in Appendix B has a couple of errors in it. The following are listed, but they should have the hyphen removed: