I recently asked a question about Oracle Encryption. Along the way to finding a solution for myself I decided to move the encryption (well, obfuscation) to the application side for certain tasks.

My problem is that the database is already encrypting data a certain way and I need Java code to duplicate that functionality, so that text encrypted by one system can be decrypted by the other and vice versa.

I want the encryption to be compatible with what the DB was already doing but couldn't find the documentation that describes exactly what Oracle is doing. How do I replicate this in Java?

dbms_obfuscation_toolkit.DESEncrypt(
  input_string => v_string,
  key_string => key_string,
  encrypted_string => encrypted_string );
RETURN UTL_RAW.CAST_TO_RAW(encrypted_string);

No matter what I try, it seems as if the Java DES encryption is different than Oracle's.

+2  A: 

I found this works:

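import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;

KeySpec ks = new DESKeySpec(new byte[] {'s','e','c','r','e','t','!','!'}); // 8-byte DES key
SecretKeyFactory skf = SecretKeyFactory.getInstance("DES");
SecretKey sk = skf.generateSecret(ks);
Cipher c = Cipher.getInstance("DES/CBC/NoPadding"); // input must be a multiple of 8 bytes
IvParameterSpec ips = new IvParameterSpec(new byte[] {0,0,0,0,0,0,0,0}); // all-zero IV
c.init(Cipher.ENCRYPT_MODE, sk, ips);
// or
c.init(Cipher.DECRYPT_MODE, sk, ips);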

The missing piece was the Initialization Vector (ips) which must be 8 zeros. When you use null in Java you get something different.

Mr. Shiny and New
1. Fixed IV means that the first block's (8 bytes) ciphertext is always the same for the same plaintext block -- dictionary attack possible on the first block. 2. CBC mode means that an attacker can easily perform bitflips in the decoded plaintext (but ruining the plaintext block preceding it).
Alexander
As I said in the question, this is used more for obfuscation than true encryption. Anyway the fixed IV is unavoidable as that's what Oracle does.
Mr. Shiny and New
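
Added example (not part of the original answer or its comments): a self-contained Java class built on the answer's DES/CBC/NoPadding, zero-IV settings. It prints hex for comparison with the RAW value the database returns and shows the fixed-IV effect raised in the first comment. The class name, the sample strings and the space-padding to an 8-byte boundary are assumptions; the padding must match whatever the PL/SQL caller does.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class OracleDesCompat { // hypothetical class name
    // Constructed sample key: the same 8 bytes as in the answer.
    private static final byte[] KEY = "secret!!".getBytes(StandardCharsets.US_ASCII);
    private static final IvParameterSpec ZERO_IV = new IvParameterSpec(new byte[8]);

    static byte[] crypt(int mode, byte[] data) throws Exception {
        // NoPadding: the cipher rejects input that is not a multiple of the 8-byte block.
        if (data.length == 0 || data.length % 8 != 0)
            throw new IllegalArgumentException("length must be a non-zero multiple of 8");
        SecretKey sk = SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(KEY));
        Cipher c = Cipher.getInstance("DES/CBC/NoPadding");
        c.init(mode, sk, ZERO_IV);
        return c.doFinal(data);
    }

    // Assumed convention: right-pad with spaces to the next 8-byte boundary.
    static byte[] pad(String s) {
        byte[] raw = s.getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[Math.max(8, (raw.length + 7) / 8 * 8)];
        Arrays.fill(out, (byte) ' ');
        System.arraycopy(raw, 0, out, 0, raw.length);
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples that share their first 8-byte block ("ACCT0001").
        byte[] a = crypt(Cipher.ENCRYPT_MODE, pad("ACCT0001 alice"));
        byte[] b = crypt(Cipher.ENCRYPT_MODE, pad("ACCT0001 bob"));
        System.out.println(hex(a)); // compare against the RAW hex from the database
        System.out.println(hex(b));
        // Round trip: decrypt and strip the assumed space padding.
        System.out.println(new String(crypt(Cipher.DECRYPT_MODE, a), StandardCharsets.US_ASCII).trim());
        // Fixed IV: equal first plaintext blocks give equal first ciphertext blocks.
        System.out.println(Arrays.equals(Arrays.copyOf(a, 8), Arrays.copyOf(b, 8)));
    }
}
```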
A: 

Using Java in the database would have been another approach that would (should!) have guaranteed that the code (and hence results) would be identical.

cagcowboy
True, but unfortunately in this scenario I was stuck with the existing encryption algorithm as described in the question. I needed to do exactly what that was doing in Java. In practice I think the more modern Oracle encryption can fully inter-operate with foreign encryption libraries such as Java's.
Mr. Shiny and New