encryption – How to encrypt String in Java – Stack Overflow

This is the first page that shows up via google, and the security vulnerabilities in all the implementations make me cringe so I'm posting this to add information regarding encryption for others as it has been 7 Years from the orignal post. I hold a Masters Degree in Computer Engineering and spent a lot of time studying and learning Cryptography so I'm throwing my 2 cents in to make the internet a safer place.

Also, do note that a lot of implementation might be secure for a given situation, but why use those and potentially accidentally make a mistake? Use the strongest tools you have available unless you have a specific reason not to. Overall I highly advise using a library and staying away from the nitty gritty details if you can. I recommend Jasypt.

I will outline the basics of secure symmetric cryptography below and point out common mistakes I see online.

First thing first you need to pick a symmetric key Block Cipher. A Block Cipher is a tool used to create Pseudo-Randomness. Make sure to NEVER, I repeat NEVER use DES, I would even say NEVER use 3DES. The only Block Cipher that even Snowden's NSA release was able to verify being truly as close to Pseudo-Random as possible is AES 256.

Now let's talk about encryption modes. Never Use ECB this is bad at hiding repeating data as shown by the famous Linux penguin.

When implementing in Java note that if you use the following code, ECB mode is set by default:

... AVOID THIS! Which is seen in a a lot of examples online

If you have no Idea what you are doing I would strictly stick to GCM, and as said before if you really have no idea just use Jasypt. The only other modes that I would even mention are decent as well are CBC and CTR mode, but unlike GCM an attacker could modify the encrypted message in these modes and that is why they are not entirely secure.

So in the typical java implementation this is the setup you want:

GCM is built upon CTR mode and doesn't require padding. but if for whatever reason you choose to use for example CBC Mode do so with PKCS7Padding as follows:

Another very important note, is that when it comes to cryptography a Key and a Password are not the same things. A Key in cryptography needs to have a certain amount of entropy and randomness to be considered secure. This is why you need to make sure to use the Cryptography libraries Key generating algorithm to pick a key.

Along with a Key we also have a thing called an IV. While a key is a secret and you should only share it with people you want to be able to decrypt the message, the IV is public. It's used to make sure that if you encrypt two messages that are the same, the encryption looks different. Now what most people are not aware of is that IV's can not repeat for the same key. The moment you repeat an IV in modes like GCM, CBC, CTR you actually compromise the entire security of the system. This is why you need to make sure first your IV is not static and that you are using the proper Cryptography library to generate a random IV with a really low probability of accidentally creating two of the same.

I have by now hopefully gone through all other posts and edited them to take out vulnerabilities. But to make your life easy with Jasypt here is how you use it!





For more security use the StrongTextEncryptor util class provided below but it is slower. (you may need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to use it):




Isn't this just so much cleaner? 🙂

Note that when using Jasypt you don't have to worry about the key being truly random as discussed above just use a strong password, their library converts your strong password into a proper crypto key. But remember a weak password is still a weak password

Android Developers

One important point to point out here is know that your android code is reverse engineer able. That means if you store the password in plain text in your code. A hacker can easily retrieve it. Usually for these type of encryption you want to use Asymmetric Cryptography and so on. This is outside the scope of this post so I will avoid diving into it.

An interesting reading from 2013: Points out that 88% of Crypto implementations in android were done improperly and this is really the basis of me coming here and ranting so much.

Original post:
encryption - How to encrypt String in Java - Stack Overflow

Related Post

Comments are closed.