A: 

You will need to familiarise yourself with the principles of designing a secure system, which goes beyond picking a particular encryption algorithm.

In principle, AES is designed to be secure when encrypting packets in their smallest size (16 bytes). But you need to pay attention to its usage in the overall security scheme. Pay attention to your overall protocol design.

For example, I've heard of some online game in the past (can't locate a reference, sorry) which encrypted all its data. The problem was, it didn't include any "seed". So the command to do something in particular, such as give the player an extra life, was the same sequence of (encrypted) bytes every time. So a player could just duplicate that packet, and resend it to the server many times, without ever having to know what unencrypted data was contained in the packet.

Craig McQueen
+1  A: 

You might start with this list of the Top 25 Most Dangerous Software Errors, which refers specifically to security errors.

le dorfier
A: 

While short messages will require padding, the question says nothing about the padding to be used. The choice of padding could affect the security of some ciphers.

Also, no cipher mode is specified in the question. For short, random "messages", such as randomly selected user identifiers, ECB mode is secure, and has the advantage that no initialization vector is needed for the cipher. For messages greater than 16 bytes, however, using ECB mode can reveal patterns in the plaintext, and is vulnerable to replay attacks.

Using other modes (CBC is common) will require a different initialization vector for each message. Obviously, decryption will require the IV, and that usually leads to it being passed around along with the ciphertext.

erickson
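
An added example, not part of any answer above: one way a server can reject the duplicated packet described in the first answer, which is the same replay weakness the last answer mentions for ECB. Each packet carries a per-message counter (the "seed") covered by an HMAC tag, and the server refuses any counter it has already seen. Encryption is left out because a byte-identical replay is accepted whatever the cipher; the packet layout, the `EXTRA_LIFE` command, the demo key and the `seal`/`Server` names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Client side: packet = 8-byte counter || command || HMAC(counter || command)."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Server:
    """Hypothetical game server that tracks the highest counter it has accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.lives = 0

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + TAG_LEN:
            return "rejected: too short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag"
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:  # already seen: a resent packet
            return "rejected: replay"
        self.last_counter = counter
        if body[8:] == b"EXTRA_LIFE":
            self.lives += 1
        return "accepted"


def demo():
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key
    server = Server(key)
    first = seal(key, 0, b"EXTRA_LIFE")
    second = seal(key, 1, b"EXTRA_LIFE")  # same command, different bytes on the wire
    results = [server.receive(first), server.receive(first), server.receive(second)]
    return results, server.lives, first != second


if __name__ == "__main__":
    print(demo())
```

The counter only helps because the tag covers it: changing the counter on a captured packet without the key fails the tag check.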