In this tutorial we will implement a full data encryption decryption cycle with Java (only data, not file encryption); encrypt some data using a secret key, salt and iterations and decrypt using the same parameters. We are using the Java Cryptography Extension (JCE) for data encryption/decryption operations. This extension is available in Java 1.4.2 and above; you will have to manually download it for older versions (here). Java supports a number of of encryption algorithms, however we will demonstrate only AES algorithm (the Advanced Encryption Standard) usage.Why should we encrypt data?
Encryption and Decryption are highly important security steps; now there are file and data encryption software as well. Data encryption is the mechanism of converting a message (plain text) into some other text (called ciphertext) so that readers can not understand the original message; however some authorized party can understand that ciphertext using the method called Decryption which converts the ciphertext into original message. As many software applications store sensitive personal data in databases, encryption has become a must. Ideally nobody (including the software developers) should not be able to view these user specific real data.Simple Data Encryption/Decryption Example with AES
For encryption we must use a secret key along with an algorithm. In the following example we use an algorithm called AES 128 and the bytes of the word "ThisIsASecretKey" as the secret key (the best secret key we found in this world). AES algorithm can use a key of 128 bits (16 bytes * 8); so we selected that key.
package org.kamal.crypto;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import sun.misc.*;
public class SimpleProtector {
private static final String ALGORITHM = "AES";
private static final byte[] keyValue =
new byte[] { 'T', 'h', 'i', 's', 'I', 's', 'A', 'S', 'e', 'c', 'r', 'e', 't', 'K', 'e', 'y' };
public static String encrypt(String valueToEnc) throws Exception {
Key key = generateKey();
Cipher c = Cipher.getInstance(ALGORITHM);
c.init(Cipher.ENCRYPT_MODE, key);
byte[] encValue = c.doFinal(valueToEnc.getBytes());
String encryptedValue = new BASE64Encoder().encode(encValue);
return encryptedValue;
}
public static String decrypt(String encryptedValue) throws Exception {
Key key = generateKey();
Cipher c = Cipher.getInstance(ALGORITHM);
c.init(Cipher.DECRYPT_MODE, key);
byte[] decordedValue = new BASE64Decoder().decodeBuffer(encryptedValue);
byte[] decValue = c.doFinal(decordedValue);
String decryptedValue = new String(decValue);
return decryptedValue;
}
private static Key generateKey() throws Exception {
Key key = new SecretKeySpec(keyValue, ALGORITHM);
// SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(ALGORITHM);
// key = keyFactory.generateSecret(new DESKeySpec(keyValue));
return key;
}
}We use "generateKey()" method to generate a secret key for AES algorithm with a given key. You can change the used algorithm by changing this Key generation; the commented out code shows the use of DES algorithm (Data Encryption Standard). Following is a simple class to test the above implementation.
package org.kamal.crypto;
public class TestSimpleProtector {
public static void main(String[] args) throws Exception {
String password = "mypassword";
String passwordEnc = SimpleProtector.encrypt(password);
String passwordDec = SimpleProtector.decrypt(passwordEnc);
System.out.println("Plain Text : " + password);
System.out.println("Encrypted : " + passwordEnc);
System.out.println("Decrypted : " + passwordDec);
}
}
Plain Text : mypassword
Encrypted : sBhCap4urE50a/dGuhNgrw==
Decrypted : mypasswordThe Risk with Simple Protector
When you use the above mentioned method to encrypt all passwords in your database, it makes an attacker's task easier. Since the same key is used, if an attacker find a way to get the plain text, the he can use that same method to get all the other plain-texts in the database in minutes.Use Salt and iterations to improve
To make the attackers job harder we can use two methods; called adding Salt and using Iterations.A Salt is another plain-text appended to the given plain text, before generating the encrypted value. We use a unique Salt per each plain-text so that the value used to encrypt is getting much stronger making it harder for an attacker to guess with a brute force or dictionary attack. Following class shows the improved version of SimpleProtector class.
package org.kamal.crypto;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import sun.misc.*;
public class Protector {
private static final String ALGORITHM = "AES";
private static final int ITERATIONS = 2;
private static final byte[] keyValue =
new byte[] { 'T', 'h', 'i', 's', 'I', 's', 'A', 'S', 'e', 'c', 'r', 'e', 't', 'K', 'e', 'y'};
public static String encrypt(String value, String salt) throws Exception {
Key key = generateKey();
Cipher c = Cipher.getInstance(ALGORITHM);
c.init(Cipher.ENCRYPT_MODE, key);
String valueToEnc = null;
String eValue = value;
for (int i = 0; i < ITERATIONS; i++) {
valueToEnc = salt + eValue;
byte[] encValue = c.doFinal(valueToEnc.getBytes());
eValue = new BASE64Encoder().encode(encValue);
}
return eValue;
}
public static String decrypt(String value, String salt) throws Exception {
Key key = generateKey();
Cipher c = Cipher.getInstance(ALGORITHM);
c.init(Cipher.DECRYPT_MODE, key);
String dValue = null;
String valueToDecrypt = value;
for (int i = 0; i < ITERATIONS; i++) {
byte[] decordedValue = new BASE64Decoder().decodeBuffer(valueToDecrypt);
byte[] decValue = c.doFinal(decordedValue);
dValue = new String(decValue).substring(salt.length());
valueToDecrypt = dValue;
}
return dValue;
}
private static Key generateKey() throws Exception {
Key key = new SecretKeySpec(keyValue, ALGORITHM);
// SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(ALGORITHM);
// key = keyFactory.generateSecret(new DESKeySpec(keyValue));
return key;
}
}You need to store the clear Salt with the stored encrypted value since the salt is required at the decrypt operation. We just used a sentence as the 'salt', but you should use a random letters/numbers for that to avoid any dictionary attacks.
package org.kamal.crypto;
public class TestProtector {
public static void main(String[] args) throws Exception {
String password = "mypassword";
String salt = "this is a simple clear salt";
String passwordEnc = Protector.encrypt(password, salt);
String passwordDec = Protector.decrypt(passwordEnc, salt);
System.out.println("Salt Text : " + salt);
System.out.println("Plain Text : " + password);
System.out.println("Encrypted : " + passwordEnc);
System.out.println("Decrypted : " + passwordDec);
}
}
Salt Text : this is a simple clear salt
Plain Text : mypassword
Encrypted : GX8jEr04o6PC+IE+f6DXq+zuRiZ2nsSL+UYxYRh9vK28xt/GrLqnbrP3hkXSW5S3jNgzXkrLSmXm
fwRw+eBMWQJO+8tlSEE9D2Y9qEzowX18s4W81U/D9JL3JX7uJtwp
Decrypted : mypassword
![[Eclipse] Access restriction: Class is not accessible due to restriction on required library](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGWqHB7pxaPjC9UKRJMWuiVgv9sd4oi2zDdwDD10FNa9u558aPgMzByPSi9_pK1ZM5HcjkMuzIaF1iXZQvCMq80jLivRajfEzcWk4J5uIu5H9hI3AbWORSXelibbY19iaoqpUzQQLFYAUm/s72-c/Eclipse+Access+restriction+rules.png)
Hello, my name is Jack Sparrow. I'm a 50 year old self-employed Pirate from the Caribbean.
The examples seem good, but the sun.* packages should not be used. You should have seen the warning when you compiled your examples. I believe the Apache commons has a codec library with Base64 conversion.
ReplyDeleteHi Jose,
ReplyDeleteThanks for your comment. Yes, that's correct. We can go with Apache commons jar instead of the sun specific code.
Hi metaphysicaldeveloper ,
ReplyDeleteThanks for sharing information with us.
may I ask?
ReplyDeletesalt and IV, is it equal?
and is it using CBC?
sorry I'm a newbie
hi,
ReplyDeletethanks a lot. this tutorial is really helpful.
could you please writing a tutorial about RSA algorithm as well in java.
your explanation is really helpful.
You have done a marvelous job! I am really inspired with your work.
ReplyDeletebestr best bestr
ReplyDeletebest
i like this!
ReplyDeleteAccess restriction: The type BASE64Decoder is not accessible due to restriction on required library C:\Program Files\Java\jdk1.6.0_03\jre\lib
ReplyDelete\rt.jar
hey Kamal,
ReplyDeleteI tried your code yesterday, it worked.
Thanks for sharing.
Excellent example thanks for sharing!
ReplyDeleteI think, as a novice speaking, the example shown is great. It is clear, however I wonder what would the apache alternative look like? Again thanks for sharing
ReplyDeletehey what is the package org.kamal.crypto???
ReplyDelete@17: That is the package of these java classes of the examples. Hope that is clear with you now?
ReplyDeleteInstead of 'sun.misc.*', use 'org.apache.commons.codec.binary.Base64' to avoid access restriction or following message while compiling: "BASE64Encoder is Sun proprietary API and may be removed in a future release"
ReplyDeleteteri maa ki kamal bc.... package tera baap upload krega
ReplyDeleteThere is also a javax package that can be used instead of the non-portable sun library:
ReplyDeleteimport javax.xml.bind.DatatypeConverter;
//...
eValue = DatatypeConverter.printBase64Binary(encValue);
//...
byte[] decordedValue = DatatypeConverter.parseBase64Binary(valueToDecrypt)
@20 - Would you mind putting this in English...
ReplyDelete@21 Fadookie - Thanks for pointing this out.
Superb!!
ReplyDeleteThanks a lot for sharing!
Having messed around with encryption examples in java on the web for a few hours getting no where, but intrigued with the many errors, this was the article that gave me some working code to expand on.
ReplyDeleteFrom there I was able to investigate iv vectors and such esoteric stuff.
Thanks, nice simple example, also informative.
Ian
Thanks you very much for your code. It helps a lot.
ReplyDeleteRafael
Newbie question - if the salt is appended to the plaintext, why is it required for decryption? Surely you an still decrypt and what you get is the plaintext concatenated with the salt?
ReplyDeleteAs I say I may just be being really dense here...
Thanks
Annoyamous
Dear sir,
ReplyDeleteI tried to encrypt my password but it shows error on this line BASE64Encoder().encode(encValue); their is a restriction in rt.jar. could u plz tell me what should i do to remove it.
Thanks a lot Kamal.. It worked .. Pls provide comments on each line so that we can understand the meaning of Each Line easily..
ReplyDeleteHow Can I Use your Code for Decrypt a key ?!
ReplyDeleteCan you explain me please :(
kamal sir i get error like this ..
ReplyDeleteabi@abi-laptop:~$ javac TestProtector.java
TestProtector.java:8: cannot find symbol
symbol : variable Protector
location: class org.kama.crypto.TestProtector
String passwordEnc = Protector.encrypt(password, salt);
^
TestProtector.java:9: cannot find symbol
symbol : variable Protector
location: class org.kama.crypto.TestProtector
String passwordDec = Protector.decrypt(passwordEnc, salt);
^
2 errors
am a ubuntu user
ReplyDeleteHi Kamal
ReplyDeleteThnx for this great introduction! I used it to realize a secure communication between an Android Application and a Glassfish Server. Therefore I had to choose another Base64-lib (Base64Coder) which runs on both systems.
Now the issue: If I run it on a simple Java Desktop Machine it works fine, but my both systems are producing different AES-Codes even the sourcecode is the same. I think that the generateKey()-Method returns different values. What Do you think? Is there a possibility to set a static Key?
@32 I am not quite sure what the exact issue is. But as you may be already aware Android runs a Dalvik VM rather than a JRE. So that may be the reason for your issue.
ReplyDeleteCan i have this on C or C++??
ReplyDelete@30 & @31 Seems you have compiled the class inside a package without going through the package.
ReplyDeletePlease have a look at this where I have compiled classes inside packages.
Thank you very much
ReplyDeleteThanks!! Your code has worked for me too. However I am going through another issue where I have to encrypt using Java and decryption will happen using C#. Could you please guide on the decryption part.
ReplyDelete1. Is this possible?
2. There are two inputs required in C# i.e. Key and IV
3. what will be the value of IV even if I assign the same value of Key as used in Java program
Appreciate your help.
ReplyDeleteThanks extremely practical. Will share website with my friends.