patternjavaMinor
Encrypting a string using AES/CBC/PKCS5PADDING
Viewed 0 times
pkcs5paddingaescbcencryptingusingstring
Problem
The code below takes a
I'm hopping to incorporate this into a larger project or build on this. Any suggestions for making the code easier to work with multiple classes?
```
import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
public class AESCrypt {
private SecureRandom r = new SecureRandom();
private Cipher c;
private IvParameterSpec IV;
private SecretKey s_KEY;
// Constructor
public AESCrypt() throws NoSuchAlgorithmException, NoSuchPaddingException {
this.c = Cipher.getInstance("AES/CBC/PKCS5PADDING");
this.IV = generateIV();
this.s_KEY = generateKEY();
}
// COnvert the String to bytes..Should I be using UTF-8? I dont think it
// messes with the encryption and this way any pc can read it ?
// Initialize the cipher
// Encrypt the String of bytes
// Return encrypted bytes
protected byte[] encrypt(String strToEncrypt) throws InvalidKeyException,
InvalidAlgorithmParameterException, IllegalBlockSizeException,
BadPaddingException, UnsupportedEncodingException {
byte[] byteToEncrypt = strToEncrypt.getBytes("UTF-8");
this.c.init(Cipher.ENCRYPT_MODE, this.s_KEY
String and encrypts it using AES/CBC/PKCS5PADDING as transformation. I am learning as I go and I have a few questions about my code.- Is
SecureRandomok for generating my KEY and my IV?
- What's up with all these exceptions?
- Is my code creating any vulnerabilities in the encryption process? (mistakes maybe?)
- Am I seeding
SecureRandomproperly?
I'm hopping to incorporate this into a larger project or build on this. Any suggestions for making the code easier to work with multiple classes?
```
import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
public class AESCrypt {
private SecureRandom r = new SecureRandom();
private Cipher c;
private IvParameterSpec IV;
private SecretKey s_KEY;
// Constructor
public AESCrypt() throws NoSuchAlgorithmException, NoSuchPaddingException {
this.c = Cipher.getInstance("AES/CBC/PKCS5PADDING");
this.IV = generateIV();
this.s_KEY = generateKEY();
}
// COnvert the String to bytes..Should I be using UTF-8? I dont think it
// messes with the encryption and this way any pc can read it ?
// Initialize the cipher
// Encrypt the String of bytes
// Return encrypted bytes
protected byte[] encrypt(String strToEncrypt) throws InvalidKeyException,
InvalidAlgorithmParameterException, IllegalBlockSizeException,
BadPaddingException, UnsupportedEncodingException {
byte[] byteToEncrypt = strToEncrypt.getBytes("UTF-8");
this.c.init(Cipher.ENCRYPT_MODE, this.s_KEY
Solution
-
Is
I would generally advise that you don't specify your own
Also, if your code is used with a hardware security module (HSM) in the future, it will either completely ignore your request or it will even throw an exception to tell you that you mustn't try to specify an alternative source of randomness.
Using it to generate an IV value is fine.
-
What's up with all these exceptions?
Yeah, irritating isn't it? The security APIs are peppered with checked exceptions. Fortunately, many of them extend
As in all code, throw exceptions that are appropriate to the abstraction of your API layer.
-
Is my code creating any vulnerabilities in the encryption process? (mistakes maybe?)
No, it generally looks fine. You should specify "UTF-8" when converting your plaintext bytes to a string, but that's about it.
Obviously you'll need to store your IV along with your ciphertext when you eventually use this in anger.
-
Am I seeding
There's not really any need to seed a
You are currently using
Is
SecureRandom ok for generating my KEY and my IV? I would generally advise that you don't specify your own
SecureRandom for the key generator, unless you have a specific reason to do so. By default, it will select the highest priority implementation it finds amongst the installed providers. Also, if your code is used with a hardware security module (HSM) in the future, it will either completely ignore your request or it will even throw an exception to tell you that you mustn't try to specify an alternative source of randomness.
Using it to generate an IV value is fine.
-
What's up with all these exceptions?
Yeah, irritating isn't it? The security APIs are peppered with checked exceptions. Fortunately, many of them extend
GeneralSecurityException, so you can just throw that if you have no intention of acting upon the individual exceptions.As in all code, throw exceptions that are appropriate to the abstraction of your API layer.
-
Is my code creating any vulnerabilities in the encryption process? (mistakes maybe?)
No, it generally looks fine. You should specify "UTF-8" when converting your plaintext bytes to a string, but that's about it.
Obviously you'll need to store your IV along with your ciphertext when you eventually use this in anger.
-
Am I seeding
SecureRandom properly?There's not really any need to seed a
SecureRandom object. Many implementations of SecureRandom ignore the seeds they are supplied. Just create it using:SecureRandom random = new SecureRandom();You are currently using
SecureRandom::generateSeed() which is actually intended for seeding other PRNGs. There's no need to use it to re-seed your existing SecureRandom instance. Just use the basic no-arg constructor as I suggest above.Code Snippets
SecureRandom random = new SecureRandom();Context
StackExchange Code Review Q#85396, answer score: 5
Revisions (0)
No revisions yet.