views:

1214

answers:

2

Using the Rijndael algorithm is it possible to encrypt a config file (or section(s) in a config file) and then decrypt that file in Java? Assumptions can be made such as:

  1. Pass in IV (not Autogenerated idea :: GenerateIV(); )
  2. Pass in Key
  3. BlockSize is 128 (standard)

Assuming this can be done, my next question on this would be:

  1. Can the keySize be 256? I know 128 is AES but we would like to use 256. I also don't know if Java has that provider for 256 or if I need to use BouncyCastle
  2. What is the Padding? PKCS7?
  3. I assume the CiperMode would be CBC

Something like this in c#? But, no clue if it can be decrypted in Java...perhaps even my c# is wrong?

public static void initCrypt()
    {
        byte[] keyBytes = System.Text.UTF8Encoding.UTF8.GetBytes("abcdefghijklmnop");

        rijndaelCipher = new RijndaelManaged();
        PasswordDeriveBytes pdb = new PasswordDeriveBytes(keyBytes, new SHA1CryptoServiceProvider().ComputeHash(keyBytes));
        byte[] key = pdb.GetBytes(32);
        byte[] iv = pdb.GetBytes(16);
        rijndaelCipher.Mode = CipherMode.CBC;
        rijndaelCipher.Padding = PaddingMode.PKCS7; //PaddingMode.PKCS7 or None or Zeros
        rijndaelCipher.KeySize = 256; //192, 256
        rijndaelCipher.BlockSize = 128;
        rijndaelCipher.Key = keyBytes;
        rijndaelCipher.IV = iv;
    }
+1  A: 

Depending on your usage of this config file, you may want to use an external program.

For example, if you want to protect the config file while it resides on disk, but you're okay with its contents being held in memory while the program is running, you could use gpg to encrypt the file, decrypt it into memory using a user-supplied password required by the program when you start it, and then clear out the memory when you shut down the program.[1]

[1] It's worthwhile to note that there's no real way to guarantee the contents won't be written to disk because of memory paging and the like. That's dependent on operating system and a lot of factors you can look up if you are interested in it.

Tom Ritter
+1  A: 

I'd check if an external library such as keyczar supports this.

As Jeff Atwood has taught us in his blog recently, 99% of developers shouldn't be concerning themselves with the low level details of encryption routines (because we will probably screw them up).

matt b
Absolutely - why I recommend an external program.
Tom Ritter
He mentions using bouncycastle as an example which abstracts this out. I do want to do that, so I am not doing much different...I just want to make sure the providers work cross-platform.
Well, encryption algorithms are just algorithms, right? So nothing about it should be platform dependent. Any series of steps that you can take in one language to encrypt a file, you should be able to write code in any other language to then decrypt it. If not, something is wrong with your algorithm.
matt b