JEP 510: Key Derivation Function API
JEP 510 introduces a standard API for key derivation functions such as PBKDF2. These functions transform weak secrets like passwords into strong cryptographic keys by applying hashing thousands of times.
shorter : KDF turns a human password into a machine-grade cryptographic key.
RUN :
com.wlodar.jeeps.jep510.DemoKdfApiReal-life example: password handling in a shop system
Assume a user registers in an online shop:
email: user@example.com password: User123!
What should NOT happen:
password = "User123!"
If the database is leaked, all user passwords would be exposed.
What actually happens (with KDF):
System generates a salt: salt = random bytes (e.g. 16 bytes)
System derives a key from the password: derivedKey = KDF("User123!", salt, iterations = 10000)
System stores: email: user@example.com salt: A1B2C3... hash: 9F8E7D...
The original password is NOT stored.
Login process:
User enters: User123!
System computes: derivedKey = KDF("User123!", storedSalt)
Then compares: derivedKey == storedHash
If equal → login successful If not → login failed
Why KDF is important:
Without KDF: hash(password) → very fast
With KDF: KDF(password, iterations) → intentionally slow
This makes brute-force attacks much harder.
After a database leak, attacker sees:
email: user@example.com salt: A1B2C3... hash: 9F8E7D...
To recover password: guess → run KDF → compare → repeat
Important detail:
Even if two users use the same password: User123!
they will have different hashes: different salt → different derivedKey
Summary:
Passwords are not stored directly
KDF transforms password into a secure value
The result is slow to compute
This protects against brute-force attacks
Real-life example: encrypting data with a password
Sometimes we want to encrypt data using a password instead of storing the password itself.
Example: A user wants to encrypt a file or backup using a password: password: User123!
Problem: Passwords are weak and not suitable as encryption keys.
Solution: Use a Key Derivation Function (KDF) to generate a strong key.
Steps:
User provides password: User123!
System generates a salt: salt = random bytes
System derives a strong key: key = KDF("User123!", salt, iterations)
Use the derived key for encryption: encryptedData = encrypt(data, key)
Later, to decrypt:
User provides password again: User123!
System derives the same key: key = KDF("User123!", sameSalt, sameIterations)
Use the key to decrypt: data = decrypt(encryptedData, key)
Important:
The password is never used directly as a key
The derived key is suitable for cryptographic algorithms (e.g. AES)
Without the correct password, the key cannot be reconstructed
Typical use cases:
encrypted ZIP files
disk encryption
password-protected backups
password managers
Last updated