+5  Q: 

Android encryption

I am working on an Android application, and I need to use encryption for one aspect of it. I am really indifferent to which algorithm I use (AES, DES, RSA, etc...). I am aware that Java has a crypto package, but I am not at all familiar with it. Can someone post an example on how to do an encrypt/decrypt function?

Thanks

+1  A: 

The Java AES library has a flaw in it that allows, under the right circumstances, a listener to decrypt the packets sent. See Padding Oracle Exploit Tool vs Apache MyFaces.

That being said, check out this SO question: Java 256bit AES Encryption.

Bouncy Castle AES EXAMPLE Stolen from: http://www.java2s.com/Code/Java/Security/EncryptionanddecryptionwithAESECBPKCS7Padding.htm

import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class MainClass {
  public static void main(String[] args) throws Exception {
    // Register Bouncy Castle so the "BC" provider name below resolves.
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    byte[] input = "www.java2s.com".getBytes();
    // Fixed 24-byte (AES-192) demo key; a real key must not be hard-coded.
    byte[] keyBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
        0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 };

    SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");

    // ECB encrypts each block independently: equal plaintext blocks give equal ciphertext blocks.
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding", "BC");

    System.out.println(new String(input));

    // encryption pass
    cipher.init(Cipher.ENCRYPT_MODE, key);

    byte[] cipherText = new byte[cipher.getOutputSize(input.length)];
    int ctLength = cipher.update(input, 0, input.length, cipherText, 0);
    ctLength += cipher.doFinal(cipherText, ctLength);
    // Ciphertext is raw binary, so this prints unreadable bytes.
    System.out.println(new String(cipherText));
    System.out.println(ctLength);

    // decryption pass
    cipher.init(Cipher.DECRYPT_MODE, key);
    byte[] plainText = new byte[cipher.getOutputSize(ctLength)];
    int ptLength = cipher.update(cipherText, 0, ctLength, plainText, 0);
    ptLength += cipher.doFinal(plainText, ptLength);
    System.out.println(new String(plainText));
    System.out.println(ptLength);
  }
}
e5
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()) What does this do?
Steven1350
Security.addProvider lets Java know that you are planning on using a particular security provider (it basically installs that security provider into the security manager, similar to loading a library).
e5
A: 

The algorithm depends a lot on the usage scenario. What is it you're protecting, from whom, where, why and how do you plan to do it?

AES (symmetric cipher) and RSA (asymmetric) function very differently.

martin
I am simply storing a username and password locally on the device. I have an RSA implementation and used that for my purposes.
Steven1350
@Steven - I'm not sure RSA is the best system for that.
e5
I suspect you want to store the username and password of a remote service and use it to access some service "transparently"? This would make sense to be protected with symmetric encryption (AES), but how will you secure the AES key? With a password-derived key? With some system key (maybe Android provides something internal for such purposes)? Before rolling your own, make sure that Android does not provide a "keychain" or "password store" style service that would take care of it for you.
martin