There are many encryption algorithms and most of them require IV and KEY and Plaintext.
In Android, we have to add 3 of them to our code. On the other side, Android is open source and everyone can extract APK files and access the IV and the KEY , this doesn't make it secure.
Which algorithms are better and unbreakble that can be applied in Java and PHP. I'm working on a Project similar to Instagram/Facebook/Twitter, Security is the first problem for such applications.
Let's start with basic stuff:
never store an IV/KEY in the source code or unencrypted within the app filesystem
your might want to look into the Android KeyStore and it's supported operations
you might need to depend upon the existence of a hardware keystore (so that users cannot modify locally stored keys)
For more information I would recommend to look into the OWASP MSTG -- Android Data Store and Android Cryptographic APIs might be interesting to you
Related
I am looking for a USB Crypto token that I can use to encrypt and decrypt files. Symmetric encryption is all that's really required, but I need to be able to set the encryption key.
It needs to have an open API so I can talk to it directly from my programs. A Java interface would be great, but I can write my own JNI if needed. It also needs to work with Mac OSX.
I've Googled quite a bit for a solution. There are many different crypto keys out there, but many of their business models are not very open and they require you to fill out long forms and be contacted by salespeople before even giving you a price.
I'm working on a mobile App which is to be build in Android (Native) , iOS (Native) & PhoneGap. For security I'm already using SSL, but as per client requirement another encryption is to be implemented in all webservices( Mobile end and Server) . But I'm unable to implement encryption which works well in Java, Objective-C and JavaScript.
I could manage to get AES-256 working in all the platforms , but it works very slow in Android. Library used for the same was RNCryptor.
Can you please suggest me any Encryption/Decryption library which is compatible along at least Java & Objective-C.
AES-256 a correct choice and should not be a performance problem. Most cpu chips include special instructions to allow faster implementations, Apple ARM chips do as do may Intel chips. If you are going to claim that encryption is slow for an implementation you need to supply test times for all platforms, generate them and post them.
Obtaining the same results from encryption, AES-256 in this case, is simply supplying the exact same inputs with the exact required lengths and exact same options--that is all.
Providing secure encryption is more than just a key, data and an AES-256 library. There needs to be an iv, if the key is week it needs to be extended, passwords are generally extended with PBKDF2 or it's like. These require more information to be added to the encrypted data that is passed. There is also data padding such as PKCS#7. RNCryptor handles all this but for interoperability requires the other-end to use the same scheme. Then there is the issue of securing the encryption key and exchanging it with the other-side.
First of all, I have googled how to secure network traffic and I have found a lot of answers... Only the issue is that I've found too many examples and methods and the majority of the them are very old (> 10 years), so it worries me a little bit.
What I want to know is how I could encrypt network traffic between a server and a client.
I have had a bachelor degree class about it and from what I understand, I need a private-public key pair to encrypt and decrypt. However I may have missed some important notion, because I've got this question currently about that: How can I send the key over the network when that key is the key with which you need to secure the network? Do I even have to deal with it, or are there built-in applications of secure networking in Java?
What I also have seen in class was that the instructors needed to manually verify some key codes to be 100% sure that some person was sending a message (manually as in looking at someone else's screen and comparing the keys to see if they were indeed the same).
I am using sockets currently, and I am not even sure if networking can even be done differently in Java. I would like to know how I could achieve secure networking.
Any links to relevant material are appreciated, preferably I want to know the best solution if there happens to be any. If the link/article is dated, then please justify that it can still be used after 5 or 10 years.
Regards.
Use Transport Layer Security (e.g. the OpenSSL library).
If you want to roll your own security, then use AES to encrypt the data; Java has built-in support or AES, or else you can use the Bouncycastle library. Then use RSA to encrypt the AES key, and send the encrypted key and the AES-encrypted data from the server to the client; the client decrypts the key, then uses the key to decrypt the AES-encrypted data.
Java AES Tutorial, Java RSA Tutorial
I'm currently trying to provide a transparent encryption/decryption layer to files stored on an Android device. I need random access to each of these files (necessary for search algorithm). The layer needs to provide either a RandomAccessFile or a FileChannel to the rest of the program.
My (very) basic understanding of crypto suggests that certain cipher modes like ECB, CTR, XEX, and XTR could facilitate random access, but I'd rather use somebody else's tool before I reinvent the wheel. Much better to leave crypto to the experts.
An ideal solution would be an encrypted disk image that I could access using a Java library, but I haven't found anything that I could use for Android.
Is there a way for me to provide random access to encrypted files? This feels like something that a lot of people would want in their apps!
Random read access is easy: use CTR, but make sure you have correct key and nonce usage. Random write access could be just as easy, although with CTR you are leaking information in time if you change any block. So if an attacker simply gets a single view of one file then you would be OK, otherwise you directly leak information about the plain text.
You've got a specific usage scenario. If there are any libs that do this for you I haven't seen them yet. Furthermore, the key management is usually application specific too. I am afraid you will have to deal with threat scenarios.
ECB should not be used for related information such as strings or files. XEX (or XTS for that matter) is normally not available in Java crypto libraries (such as the Oracle JCE or Bouncy).
I have some text that is in a file. I want to encrypt this file so that an end user can not read or write to this file, but the application can read it. There can be a stored secret in the application because it is being secured in another way.
What type of Encryption support these requirements?
I was thinking of AES. I do not know much about encryption, and was looking for a starting point. An algorithm or a framework suggestion would be great.
One last note, the code is in Java running on a Windows and Linux environment.
Since you've tagged the post as "Java" - I'd recommend looking at the "Java Cryptography Extension" (JCE). Since J2SE 1.4 it's been bundled with the SDK and JRE.
And of course, a requisite example and overview of using AES in the JCE.
If the application can read it, the application has a key in it. And if the application has a key in it, a sufficiently energetic user can find that key and use it for themselves. Or spy on memory and see the decrypted version.
AES or RSA would be just fine. An important thing to notice though is that once your program decrypts data, a reverse engineer would easily recover the plaintext without any knowledge of the key or algorithm of encryption.