I'm not a sercurity or a crypto expert. I want to perfrom encryption on my client to server communication in a RESTful api system.
Currently I'm using javax crypto and initializing the Ciper for AES with AES/GCM/PKCS5Padding to encrypt the data and RSA with RSA/ECB/OAEPWithSHA-256AndMGF1Padding to encrypt the iV and Symmetric key with a public key.
This works well for me.
I did some more digging on other encryption libraries and found Libsodium or NaCl.
I tried searching for any comparision between these and I'm not able to find any. Is it because I'm trying compare apples to oranges?
Should I continue with the javax crypto or should I switch to sodium? What benifits does sodium give over the default javax crypto?
Related
I'm automating a Jenkins deployment which involves using the Google Login plugin using Ansible.
This plugin encrypts the value of the secret key at rest.
After some digging I found the relevant code which encrypts secrets in Jenkins. The code uses an AES cypher and
custom serialization which appears to be base64 in a very specific format.
The encryption key is stored in a CredentialsStore (see here and here).
I'd like to provision the encryption key and the Google Apps secret key using Ansible but I'm not sure how exactly to do so.
I can write a Python module that encrypts the Google Apps secret key the same way Jenkins does but I don't understand how to read or write to the DefaultCredentialStore.
How do I store my encryption key without using the Java code?
Is there a less tedious way to do this automatically?
I am building my website in which I am facing problems with implementing encryption. I am developing it using RESTful web services in java.
I found GibberishAES API for encryption from javascript. The encrypted message now goes to web service, but I have no clue how to decrypt it in the (java) web service. I know GibberishAES is not available in java, but is there any roundabout way?
Or, are there any encryption APIs which are supported for both Java and Javascript?
I also have the issue with (symmetric) key distribution for the website. It will have 100's of client (machines, in public network) and I don't know how to communicate the unique key for a particular machine to it.
Please help me with pointers in this regard.
GibberishAES implements AES encryption. AES is a symmetric cipher, that means that both parties must know a shared key. The problem of distributing the key is not trivial, and there exist well-known algorithms for doing so.
As it was mentioned in some comments, SSL already solves that problem, because it negotiates the generation of a distributed secret key, that is later used for encryption. If for any reason you cannot use SSL, you should adopt some mechanism for secure generation or transport of the secret key. For instance, you could generate a ephimeral RSA key pair in the client, send the public key to the server, and have the server return the secret (AES) key in wrapped form.
I am trying to make a PHP script to interact a with a Java application. They will share some information, so I would like to encrypt the data that is passed between them to make it as secure as possible, on top of having an SSL certificate. However, because my website is only on a shared server at JustHost, as far as I am aware I can not use the 'mcrypt' PHP module, so I'm not sure how to do it so that both my Java application and the PHP script can encrypt data being sent and decrypt data being received!
Your SSL conversation between Java and PHP will protect it your data while it's in transit. Should you properly protect the private key with a strong password (10+ symbols) and make sure your algorithms strong no one will be able to break it by snooping on the conversation.
You won't get any extra protection by encrypting the data before sending it over the SSL conversation. And you actually might be weakening your security because in order for you to encrypt data you'll have to share some key should you choose symmetric encryption. And, by trading secret keys you're undoing much of the protection SSL gives you because the huge benefit of SSL is the fact we can encrypt data without agreeing on a secret key. If I were trying to get at your encrypted text I'd attack your client because it's easier to find your symmetric encryption key than it is to break SSL. And while you could use asymmetric encryption you'll be basically re-inventing SSL.
I would focus on making sure your SSL conversation is strong. Using only the strongest symmetric encryption: TripleDES, IDEA, AES if your server supports it. Take out the weaker algorithms so conversations can't use the weaker encryption. Generate 1024+ public/private key pairs. That might not always be easy on your shared server, but your Java application could only choose to use TripleDES, IDEA, and AES.
Make sure you validate the server's certificate on the client side so you ensure you aren't talking to a false service. That basically means taking the server's certificate and adding it to the keystore used on the client. If that's Java you can use keytool to import a certificate and use that keystore as your TrustManager/KeyManager in your SSL conversation.
If you want to encrypt the data after it's gone over the SSL conversation then you can encrypt/decrypt on the server only. But, you still have a key management problem. If you encrypt/decrypt how do you plan on securing the secret key on the server? That's always the ugly problem that doesn't have a simple answer.
I've got a flash client that communicates with a server. The server-side code is in java. I'd like to be able to encrypt the communication, so it has to be an algorithm that has libraries for both as3 & java.
Speed if more important than the security of the encryption, and ideally it would use asymmetric key encryption.
AES and Blowfish seem like they would work from what I've seen. But both use symmetric keys.
Any ideas?
It seems like opening an HTTPS connection would be the simplest way to do this.
AS3Crypto is a port of the popular Java/C# library BouncyCastle. That works just great.
I'm going to be working with encrypting data shortly here. I've chosen to do it using asynchronous RSA encryption.
I'll be using AS3Crypto's RSA encryption client-side with the public key.
Server-side I'll be using JAVA's built-in RSA cryptography to decrypt data with the private key.
A friend and me are working on a Java Game with a client/server - architecture.
It is working well, but i ran into a problem.
We use TCP Sockets for networking between server and client.
Our network protocol isnt encrypted and can just be read by anone who bothers to watch the stream.
We thought about how we could apply some kind of cryptography to it to hide login information and prevent people to write their own clients. But basic things like adding/substracting bytes seems pretty easy to figure out.
What are the usual methods used to encrypt network communication for games( or at least game login information )? And having written the server and client in java, are there any useful java libraries?
Use public-key encryption (RSA for example) and implement something like the SSL Handshake, or of course use SSL - here you can see an example.
Here's a simplified sequence:
the server sends his public RSA key to the client
the client generates a symmetric key (using AES for example)
the client encrypts the symmetric key with the server's public key and sends it to the server
the server decrypts the received symmetric key
Now both the client and the server have a key which no one eavesdropping can know. Then use that key to encrypt all data.
SSL(Secure Sockets Layer) is popular to handle this kind of problem.
Look at the javax.crypto library or bouncyCastle.
Both provide cryptographic primitives, also for encryption. Depending on how secure you want to have it, you can use symmetric or assymetric crypto. However, also think about key management in advance. Where do you store your private/shared key.
If it is a client-server, the best way would be to use assymetric crypto (i.e. RSA, Elliptic Curve) and give every user a certificate signed with the key of the server (note, this is TLS (formerly called SSL)). This way you can check if the user logging on is authentic. However, you dont prevent custom clients since the user has to have everyone can just copy the certificate.
In practice, it is quite hard to prevent custom clients.
You can use Ciphers. Some more examples here and here