What is the difference between PBE (password based encryption) and symmetric-key algorithms?
My understanding is that symmetric-key algorithms like AES and Twofish are used in PBE. Hence PBE is just a technique which employs symmetric-key algorithms to do the work. So there is no point in comparing the two. Is that correct, or am I missing something?
As typically implemented, PBE takes a low-entropy, user-supplied password, adds some entropy to it, and thus strengthens it before turning it into a key. This key can then be used for symmetric encryption.
The problem is that the user's password often has so little entropy to start with. If an attacker learns the salt, digest method and quantity of iterations, he needs to keep trying to guess the pre-strengthened password, apply matching PBE-strengthening to his guess, and then use the resulting key to match up with ciphertext that was created with that key.
If the programmer used a decent digest method (such as PBKDF2 with HMAC SHA 256), a salt generated by a cryptographically secure pseudo-random number generator (CSPRNG) and a decent quantity of iterations (200,000 or more) then he can make it pretty expensive for attackers to guess the key.
However if the user's password is ridiculously easy to guess (such as "password") then even a good digest method and lots of iterations won't make much difference. You still need to force the user to choose sufficiently complex passwords, to maximize the entropy prior to any strengthening occurring.
OWASP has some best practices on enforcing password complexity.
Password Based Encryption (PBE) is specified in e.g. RFC 2898 which specifies the "PKCS #5: Password-Based Cryptography Specification Version 2.0".
Keys used for symmetric ciphers such as AES and Twofish should be fully randomized. Passwords, even strong ones, do not consist of randomized bits. So they need to be converted to keys before symmetric encryption can take place.
Furthermore, the passwords do often not contain enough entropy to be used as key, even after - for instance - hashing them with a cryptographically secure hash such as one of the SHA hashes.
Finally, it would be easy to pre-calculate keys that were just hashed with a cryptographically secure hash (rainbow tables). It could also be possible to find which ciphertext was created with identical passwords, although this depends on the protocol.
For this reason a Password Based Key Derivation Function or PBKDF is deployed. PBKDF2 is used in the latest specs. bcrypt and scrypt may also used in other protocols. Sometimes this function is also known as a password hash. Such a PBKDF function also requires a salt (per encryption, stored with the ciphertext) and a work factor or iteration count.
The salt is used to make sure that identical passwords do not calculate to the same key. Furthermore, the salt makes it impossible to use rainbow tables and much harder to perform dictionary attacks.
In principle the same mechanisms can be used afterwards as symmetric encryption with a key. It is however also possible that the symmetric key is used to decrypt a private key such as a PGP key. This key can then be used to decrypt ciphertext that was encrypted using the public key of the key pair.
