Android: How safe is PBKDF2 with a 4 digit pin?

Our Product Manager wants a 4 digit pin for login in our app, obviously for UX reasons, so user don’t have to remember their password each time when they login.

A refresh token can be retrieved from backend to obtain a session token, which have access to the API. On our app, we encrypt the refresh token with AES and PBKDF2. A random salt and IV are generated plus the 4 digit used as password for PBKDF2.

After the encryption, I store the salt, IV and the cipher text base64 encoded in private shared preference.

The encryption code looks like this:

const val CPR_TRANSFORMATION = "AES/CBC/PKCS7Padding" const val ALGORITHM_TYPE = "PBKDF2WithHmacSHA1" const val ITERATION_AMOUNT = 12000 const val KEY_SIZE = 256  private fun encrypt(passCode: String, data: ByteArray): Encrypted { //e.g.: passCode = "0000"     val salt = ByteArray(256)     SecureRandom().nextBytes(salt)      val iv = ByteArray(16)     SecureRandom().nextBytes(iv)      val cipher = Cipher.getInstance(CPR_TRANSFORMATION)     cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(passCode, salt), IvParameterSpec(iv))     val raw = cipher.doFinal(data)     return Encrypted(salt.encodeBase64(), iv.encodeBase64(), raw.encodeBase64()) }  private fun getSecretKey(passCode: String, salt: ByteArray): Key {     val pbKeySpec = PBEKeySpec(passCode.toCharArray(), salt, ITERATION_AMOUNT, KEY_SIZE)     val keyBytes = SecretKeyFactory.getInstance(ALGORITHM_TYPE).generateSecret(pbKeySpec).encoded     return SecretKeySpec(keyBytes, KeyProperties.KEY_ALGORITHM_AES) } 

Now my question is: How secure is this implementation?

  • How could an attacker retrieve the refresh token from shared preference and decrypt it?
  • Is the symmetric key inside secure element?
  • How safe is this implementation against malware or root?
  • How easy can the key be brute forced? (except that user tries 10k times manually to insert the correct pin)

Can I use PBKDF2 derivation function to generate a MAC in PKCS12 file?

It seems that the default password based key derivation function that is used by PKCS12 to generate a MAC is this one. It is unique to the standard and probably not used anywhere else. Is it possible to use PBKDF2 instead to generate a MAC? Surely I can use PBES2 scheme with PBKDF2 to protect key bags, but how do I encode this information for the whole file’s MAC? Is it possible in principle? So far my attempts to use it resulted in files that are not recognized both by OpenSSL and Windows tools.

OpenSSL 1.1.1b warning:*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better

We have a homework assignment to encrypt the famous Tux.ppm using aes with ecb and cbc mode. We have to show and outline how insecure the ecb mode is…

So is there any way to ignore this warning?

*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. 

Deriving a key with PBKDF2 from RFC1751 output

I am building a system that at some point requires a 256 bit key AES key. I used to feed passphrases through PBKDF2 to derive a key, but then I decided to generate random passwords of 12 words selected out of a set of 2048 words which offers me 132 bits of entropy.

Is it safe to pass through PBKDF2 the set of random words encoded or should I pass the equivalent decoded bits?

In other words, if I have the random bits CCAC 2AED 5910 56BE 4F90 FD44 1C53 4766, can I use RASH BUSH MILK LOOK BAD BRIM AVID GAFF BAIT ROT POD LOVE to derive the key?

Safe to switch from PBKDF2 to SHA-1 for token verification?

Whenever I need to generate a token (email account confirmation, password reset, remember me cookie, view email in browser etc) I generate a string of random bytes (typically 32 using the Fortuna PRNG) and use PBKDF2 to create a hash which is stored in a database. I then use base64 (a URL safe version) to encode the random bytes before issuing the token to the user prefixed with a 7 character alpha-numeric ID which is used to retrieve the PBKDF2 hash when the token is returned. The base64 string is decoded and verified against the PBKDF2 hash in the database. If the verification returns true then access is granted.

However, given that I’m working with random bytes and not user generated input, would it not make more sense to just use sha1 for storing the bytes in the database and verifying against the token? Each time I need to both generate and verify a token I’m doing 10,000 sha256 iterations on an input I already know has excellent entropy. The more I think about it, the less efficient this seems.