Let us breakdown the word piece by piece:
PBKDF2--WithHmac--SHA512
Let’s go over it part by part
-
PBKDF2
Stands for Password-based-Key-Derivative-Function, a successor of PBKDF1 and is used to implement a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations.
-
HMAC
Stands for Keyed-Hash Message Authentication Code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. Any cryptographic hash function,may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly.
-
SHA512
Well, you know about it.. 😛
Now, coming back to your question, the line of code:
SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
specifies the keyFactory to use the algorithm PDBKDF2WithHmacSHA1. When you would do something like:
SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
you tell the factory to use algorithm PBDKF2WithHmacSHA512.
Essentialy the main difference between PBKDF2WithHmacSHA1 and PBKDF2WithHmacSHA512 is that:
- The
PBKDF2WithHmacSHA1will produce a hash length of 160 bits. - The
PBKDF2WithHmacSHA512will produce a hash length of 512 bits.
Hence the latter is more secure. But there are arguments on both sides as to which is sufficient for encryption. No debate. Just saying.
Some additional information about the two algorithms:
-
HMACSHA1
HMACSHA1 is a type of keyed hash algorithm that is constructed from the SHA1 hash function and used as an HMAC, or hash-based message
authentication code. The HMAC process mixes a secret key with the
message data, hashes the result with the hash function, mixes that
hash value with the secret key again, and then applies the hash
function a second time. The output hash is 160 bits in length. -
HMACSHA512
HMACSHA512 is a type of keyed hash algorithm that is constructed from
the SHA-512 hash function and used as a Hash-based Message
Authentication Code (HMAC). The HMAC process mixes a secret key with
the message data and hashes the result. The hash value is mixed with
the secret key again, and then hashed a second time. The output hash
is 512 bits in length.
The main advantage is that HmacWith512 is more secure than HmacWith256. For e.g.
HMAC_SHA1("key","The quick brown fox jumps over the lazy dog") = 0xde7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
HMAC_SHA512("key","The quick brown fox jumps over the lazy dog") = 0xb42af09057bac1e2d41708e48a902e09b5ff7f12ab428a4fe86653c73dd248fb82f948a549f7b791a5b41915ee4d1ec3935357e4e2317250d0372afa2ebeeb3a
The difference is pretty huge (as seen). Hope it helps. 🙂
EDIT: As OP mentions
PBEKeySpec(char[] password, byte[] salt, int iterationCount, int keyLength)
The parameter keyLength is used to indicate the preference on key length
for variable-key-size ciphers. The actual key size depends on each provider’s implementation. Hence say, doing something like
PBEKeySpec(password, salt, int 100, 512) doesn’t mean you will be using SHA1 to generate a keyLength of 512. It simply means that. SHA1 supports upto a maximum of 160 bits. You cannot exceed that.
As for your second question, have a look at the HMAC-SHA1. There are many statements that say algorithms like SHA256 is pretty good if you a long hash.
Also, as per the NSA :
The NSA specifies that “Elliptic Curve Public Key Cryptography using
the 256-bit prime modulus elliptic curve as specified in FIPS-186-2
and SHA-256 are appropriate for protecting classified information up
to the SECRET level. Use of the 384-bit prime modulus elliptic curve
and SHA-384 are necessary for the protection of TOP SECRET
information.
I think using a HMAC function in conjunction SHA512 is quite secure.