More on passwords and encryption

Luke O’Connor has a good description of the use of passwords with encryption on his blog. He talks about the recent problems with Adobe document protection and how security actually got weaker with the most recent release. You can find his comments here:

http://lukenotricks.blogspot.com/2008/12/spin-on-passwords-and-aes.html

He explains why passwords make poor encryption keys, talks about Password Based Encryption (PBE), and describes a bit about the PKCS#5 standard for PBE. It’s a very well written piece.

It is amazing to me that there are still security problems surfacing around the use of encryption and related key management technologies. I do think that PBE is a reasonably good technology for protecting keys, and you should never accept a security solution that relies on a raw password as an encryption key. That being said, enterprise users should use proper key management systems.
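As an added illustration (not code from this post or from Luke O'Connor's article), the sketch below contrasts a raw password used directly as an AES-128 key with PBKDF2 from PKCS#5 v2.0, written out step by step so the salt and iteration count are visible. The function names, the sample password and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

def raw_password_key(password: bytes, key_len: int = 16) -> bytes:
    """Weak pattern: password bytes, zero-padded or truncated, used as the key."""
    return password.ljust(key_len, b"\x00")[:key_len]

def pbkdf2(password, salt, iterations, dk_len, hash_name="sha256"):
    """PBKDF2 from PKCS#5 v2.0 (RFC 2898), written out step by step."""
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-dk_len // h_len)  # ceil(dk_len / h_len)
    derived = b""
    for i in range(1, n_blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 ^ ... ^ U_c
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(h_len, "big")
    return derived[:dk_len]

def new_key_record(password: bytes, iterations: int = 100_000, key_len: int = 16):
    """Derive a key under a fresh random salt; salt and count are stored, not secret."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)
    return {"salt": salt, "iterations": iterations, "key": key}

if __name__ == "__main__":
    pw = b"hunter2"  # constructed sample password
    # The raw key is the password itself: same key everywhere, tiny keyspace.
    print("raw key   :", raw_password_key(pw).hex())
    # Same password, two salts: two unrelated keys, each costing `iterations`
    # HMAC calls per guess for anyone trying candidate passwords.
    a, b = new_key_record(pw), new_key_record(pw)
    print("pbkdf2 #1 :", a["key"].hex())
    print("pbkdf2 #2 :", b["key"].hex())
    # The step-by-step version reproduces the library result from the stored parameters.
    print("matches   :", pbkdf2(pw, a["salt"], a["iterations"], 16) == a["key"])
```
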

Patrick
