How do I decrypt my iOS CryptoKit encrypted value on the web service side?
Similar to this SO question:
CryptoKit in Java
Or this SO question
Can I create my own SymmetricKey that we both know the string of? How can my value be decrypted in Java PhP or .NET? (I understand all these languages and can translate, the app is currently in php)
Apple's code from their playground:
let key = SymmetricKey(size: .bits256) //<--- how to share with web service???
let themeSongPath = Bundle.main.path(forResource: "ThemeSong", ofType: "aif")!
let themeSong = FileManager.default.contents(atPath: themeSongPath)!
// below code is from Apple Playground
let encryptedContentAES = try! AES.GCM.seal(themeSong, using: key).combined
/*:
The client decrypts using the same key, assumed to have been obtained out-of-band.
*/
let sealedBoxAES = try! AES.GCM.SealedBox(combined: encryptedContentAES!)
//HOW DO I DO THIS ON WEB SERVICE SIDE??? either in java or php or .net
let decryptedThemeSongAES = try! AES.GCM.open(sealedBoxAES, using: key)
assert(decryptedThemeSongAES == themeSong)
/*:
You use a sealed box to hold the three outputs of the encryption operation: a nonce, the ciphertext, and a tag.
*/
// The nonce should be unique per encryption operation.
// Some protocols require specific values to be used, such as monotonically increasing counters.
// If none is passed during the during the encryption, CryptoKit randomly generates a safe value for you.
let nonceAES = sealedBoxAES.nonce
// The ciphertext is the encrypted plaintext, and is the same size as the original data.
let ciphertextAES = sealedBoxAES.ciphertext
// The tag provides authentication.
let tagAES = sealedBoxAES.tag
// The combined property holds the collected nonce, ciphertext and tag.
assert(sealedBoxAES.combined == nonceAES + ciphertextAES + tagAES)
Link to Playground
So I guess my real questions was how do I encrypt with cryptokit and decrypt with php (web app.
These 2 links helped me:
Swift CryptoKit and Browser
iOS CryptoKit in Java
SwiftCode:
func encryptAES_GCMCryptoKit()->String {
let newkeyString1 = "I9GiP/cK4YKko8CeNF5F8X6/E6jt0QnV" //has to be 32 bytes for a 256 bit encryption or you will get the error key wrong size
let newKey = SymmetricKey(data: newkeyString1.data(using: .utf8)!)
let mySealedBox = try AES.GCM.seal(userString, using: newKey, nonce: iv)
let iv = AES.GCM.Nonce()
do{
let mySealedBox = try AES.GCM.seal(userString, using: newKey, nonce: iv)
let dataToShare = mySealedBox.combined?.base64EncodedData()
// The combined property holds the collected nonce, ciphertext and tag.
assert(mySealedBox.combined == nonceAES + ciphertextAES + tagAES)
}catch {
print("error \(error)")
}
}
Php code:
function decryptStringAES_GCM($combinedInput='') //64 base encoded combine string
{
$key = "I9GiP/cK4YKko8CeNF5F8X6/E6jt0QnV"; // <- 256 bit key - same key is on the swift side
$combined = base64_decode($combinedInput); //<- $combinedInput will be different every time even for the same value
$tag = substr($combined, -16);
$nonce = substr($combined, 0, 12);
$length = strlen($combined)-16-12; //take out tag and nonce (iv) lengths
$cipherText = substr($combined, 12, $length);
$res_non = openssl_decrypt($cipherText, 'aes-256-gcm', $key, OPENSSL_RAW_DATA| OPENSSL_NO_PADDING, $nonce, $tag);
return $res_non //decrypted string
You can also pass the key back to the server in a separate call like the first link does.
After watching the WWDC video: WWDC Cryptokit 2019 video
At around 29 min 20 seconds they advise you to get the key data from the server initially. So you can just create the key by doing this:
This way the server and the app have the same key. Or if you have control of both sides, you can know what your server key is and create the key with data from a string that you both know.
I am looking for a solution that meets the following requirements:
Let's assume, there are: the Application installed on a computing device and controlling it, Users that use this application, and Maintainers, that provide some support for the application. Application has the Configuration, for example in the file or database. Configuration is updated manually by Maintainers when required, for example weekly. Configuration contains, for example, list of emails, Application sends it's alerts to. Let's assume, that it is not possible for Users to modify the Application in any way. Although, Application is written in Java, so it is easy for Users to copy and debug it. Internally, the Application decrypts the Configuration in the Application's memory, in order to use the Configuration.
Users shall able to view the Configuration from inside the Application. Users shall be unable to change the Configuration, or to use their own (which is basically the same), for example to change any email or remove existing email or add a new one.
Additional requirement, that is not mandatory: It shall not be possible to directly view the Configuration without the Application. I understand it's hardly really possible, so, it shall be at least just difficult, like decryption necessary to view the Configuration without the Application.
Question: how to achieve this and is it possible at all?
Possible solutions I can realize, and attacks:
1) To use some signing. To sign each Configuration with some Digest and to check the Digest in the Application then. Attack: as I understand, App shall calculate the Digest using the public key stored in it. Then the Application shall compare calculated Digest with the one provided with the Configuration. So, attack is simple : Users will modify the Configuration, then debug the Application, put a breakpoint on the place where Application has already calculated Digest for comparing it with the stored one, then Users could dump the calculated Digest and replace provided Digest with this calculated one.
2) To use hybrid encryption. In this case the attack is the same: breakpoint in the place where decrypted symmetric key is available, dump this key, then to use it for the new Configuration encryption.
3) To use asymmetric encryption. Maintainers encrypt Configuration with the public key, then Application decrypts the Configuration with the private key. Attack is simple : Users could dump private key from the Application and derive a new public key, then use it for encryption.
Is there a solution, like "encrypt with the public key, then decrypt with private" for large chunks of data (up to 10 kb), or maybe any other possible way to achieve that?
Thank you
Colleagues,
I have an application that shall receive and store some read-only data. The data shall be available for users to read but not available to change. For example, assume that there are text files with data, that keep some texts available for end users to read but not available for edits. New files shall be periodically received by the application, and shall be available for users in the same read-only mode.
So, local content (for example files content) is accessible by users. Users can copy content from application, save decrypted copies and so on. The only thing I need to prevent, is to replace existing data with any other data, including changing the content or adding new by users. I do not need changes detection, I need to make changes impossible (ok, as hard as possible).
I suppose, that the easiest way to do that, is to encrypt data with some secret key and to include the public key in the app, so app could decrypt and show the data, but without the secret key users would not be able to change the content.
I know, that standard RSA supports just a small data blocks to encrypt, usually slightly less than the key length. (I made tests and found that for RSA 2048 Java throws an exception after 254 bytes) I also read, that it's not a good idea to split source data to chunks and to encrypt these chunks then. I read that it is advised to use symmetric key, like AES, for encryption and decryption, then to encrypt this AES key with RSA key pair.
I see a big (as I suppose) security risk in this scenario - as my app is written in Java, it's quite easy to debug it and to dump the decrypted AES key, then to use it for data modifications, even without any modifications of the application itself.
So, my question is: how to solve this problem and what is considered to be secure to use in such a case?
Thank you
Update:
Of course, users are able to copy the file and to use a copy as they want. The goal is, to disallow users to change data used by application, not a copy of these data. In case of asymmetric encryption it is easy to achieve - I encrypt data with my private key, pass to app, app in runtime decrypts data with it's public key and use. In case someone would like to change data, app would not decrypt the data properly and data will be spoiled and app would fail to work till data will be reverted back.
As #President James K. Polk stated in one of his comments the only solution in my humble opinion is to sign the read-only data and use it only if the data is verified. In your "Possible solution & attack" section you write that the program compares some Digits that can easily been overwritten. Usually the signature is done with the (SHA256-)
hash of the data, but you can sign the complete data without hashing it first and 4 KB of data does not bring performance issues on my desktop Java.
I setup a full working example that simulates the maintainer-side and the app-side and as a little goodie I encrypt the plaintext with AES CBC (key generated out of signature). I know that this mode of encryption is not the "best way" as the data does not need to be kept totally secret but not direct visible it's a good solution.
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.*;
import java.util.Arrays;
import java.util.Random;
public class Cyptosystem {
public static void main(String[] args) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, NoSuchPaddingException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException {
System.out.println("Cryptosystem for \nhttps://stackoverflow.com/questions/62361876/asymmetric-cryptographic-algorithm-for-large-text-data/62398723#62398723");
System.out.println("Warning: this program is experimental and has no proper exception handling");
byte[] plaintext = new byte[4000]; // content to get secured, provided by maintainers
byte[] ciphertext = new byte[0]; // encryped plaintext
byte[] dataForApp = new byte[0]; // initvector | ciphertext
new Random().nextBytes(plaintext);
// generate rsa keypair
System.out.println("generate the RSA keypair");
KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance("RSA");
SecureRandom random = new SecureRandom();
rsaGenerator.initialize(4096, random);
KeyPair rsaKeyPair = rsaGenerator.generateKeyPair();
PrivateKey rsaPrivateKey = rsaKeyPair.getPrivate(); // for signature
PublicKey rsaPublicKey = rsaKeyPair.getPublic(); // for verification, implemented in app resources
System.out.println("sign & encrypt the plaintext");
// signature done by maintainers
Signature sig = Signature.getInstance("SHA256withRSA");
sig.initSign(rsaPrivateKey);
sig.update(plaintext);
byte[] signature = sig.sign(); // provide to app as byte array, hexstring or base64 as you like
// encrypt plaintext with signature
byte[] initvector = new byte[16];
SecureRandom secureRandom = new SecureRandom();
secureRandom.nextBytes(initvector); // random initvector
// you can use another aes mode for encryption e.g. gcm
// you can use a hmac as key derivation ...
// i'm using sha256 to get a 32 byte long key
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] aeskey = md.digest(signature);
SecretKeySpec keySpec = new SecretKeySpec(aeskey, "AES");
IvParameterSpec ivKeySpec = new IvParameterSpec(initvector);
Cipher aesCipherEnc = Cipher.getInstance("AES/CBC/PKCS5PADDING");
aesCipherEnc.init(Cipher.ENCRYPT_MODE, keySpec, ivKeySpec);
ciphertext = aesCipherEnc.doFinal(plaintext);
// copy iv | ciphertext
dataForApp = new byte[ciphertext.length + 16]; // initvector length 16 byte
System.arraycopy(initvector, 0, dataForApp, 0, initvector.length);
System.arraycopy(ciphertext, 0, dataForApp, initvector.length, ciphertext.length);
// send the dataForApp to the app (as byte array, hex string, base64 as you like
System.out.println("dataForApp length: " + dataForApp.length);
// app side, receive dataForApp & signature, already has public key
byte[] dataForAppApp = dataForApp.clone();
byte[] signatureApp = signature.clone();
System.out.println("decrypt and verify the signature");
// get initvector & ciphertext
byte[] initvectorApp = new byte[16];
byte[] ciphertextApp = new byte[(dataForAppApp.length - 16)];
System.arraycopy(dataForAppApp, 0, initvectorApp, 0, 16);
System.arraycopy(dataForAppApp,16, ciphertextApp, 0, (dataForAppApp.length - 16));
// decrypt data
MessageDigest mdApp = MessageDigest.getInstance("SHA-256");
byte[] aeskeyApp = md.digest(signature);
SecretKeySpec keySpecApp = new SecretKeySpec(aeskeyApp, "AES");
IvParameterSpec ivKeySpecApp = new IvParameterSpec(initvectorApp);
Cipher aesCipherDec = Cipher.getInstance("AES/CBC/PKCS5PADDING");
aesCipherDec.init(Cipher.DECRYPT_MODE, keySpecApp, ivKeySpecApp);
byte[] decrypttext = aesCipherDec.doFinal(ciphertextApp);
System.out.println("plaintext equals decrypttext: " + Arrays.equals(decrypttext, plaintext));
// don't use the ciphertext as the signature is not verified
Signature sigApp = Signature.getInstance("SHA256withRSA");
sigApp.initVerify(rsaPublicKey);
sigApp.update(decrypttext);
boolean signatureVerified = sigApp.verify(signatureApp);
System.out.println("signatureApp verified: " + signatureVerified);
System.out.println("if verified == true we can use the decrypttext");
}
}
Firstly, don't roll your own crypto. Cryptography is very hard, and if you make any mistake, it will have vulnerabilities you could have avoided by using a well-established library to do the heavy lifting. You could, for example, use libsodium. It has many abstractions, and probably has a solution for what you need.
With that out of the way, let's discuss how that would make it safer: the user needs to be able to read the contents, but not edit it. What exactly do you mean by "cannot edit"? Can he not be able to modify anything locally, or just not be able to upload it to your server as if he was authorized to do so?
If the former, encryption can't help you much - you need to be able to decrypt it locally, so an attacker can always dump your process' memory to get to the data - sure it would be hard, but definitely possible. Just not allowing people to edit/save/download in your application would be the strongest guarantee you can get.
If the latter, then using authentication would be the way to go - be that a simple method like HTTP basic authentication with user and password, or signing the file to be uploaded. Dealing with authentication on your application's side would be the more practical way.
Asymmetric encryption is done with the Public Key and the decryption is performed with the Private Key. As the app has to be capable to decrypt the data the app needs to know the Private Key and that's the problem with the common used algorithms, because for RSA or ECIES the Public key can get derived from the Private key. Therefore it's not a real problem to derive the Public key and store changed/appended data after encryption with the Public key.
Second thing is - you did not specify how "large" your text will be - some KB, MB, GB?
Some months ago I tested some "new" algorithms that are "Post quantum safe" and as an example I used the McEliece Fujisaki algorithm that is available with the Bouncy Castle Crypto provider (I used version 1.65, bcprov-jdk15to18-165.jar).
The program creates a 50 MB large byte array that gets encrypted with the Public key and decrypted with the Private key.
At the moment I did not find any Public key deriving methods so you definitely need to know the Private and the Public key.
I did not test larger byte arrays because this parameter depends on the memory of the target system (you need the double memory
as the complete data is captured in ciphertextByte and then again in decryptedtextByte).
Edit June 16th 2020: President James K. Polk programmed a method that easily retrieves a public key from a given private key. The source is available in his GitHub-Repo (https://github.com/james-k-polk/McEliece/blob/master/McElieceRecoverPublicFromPrivate.java) and for later convenience shown at the end of this answer. So everyone that has access to a private McEliece key is been able to encrypt data with the retrieved public key! Thanks to President James for his help.
Here are the outputs on the console:
McEliece Fujisaki Pqc Encryption
key generation
PrivateKey length: 4268 algorithm: McEliece-CCA2 format: PKCS#8
PublicKey length: 103429 algorithm: McEliece-CCA2 format: X.509
initialize cipher for encryption
pt length: 52428800 (50 mb)
ct length: 52429056 (50 mb)
initialize cipher for decryption
dt length: 52428800 (50 mb)
compare plaintext <-> decryptedtext: true
class McElieceFujisakiPqcEncryptionLargeData.java
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.ParametersWithRandom;
import org.bouncycastle.pqc.crypto.mceliece.*;
import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
import org.bouncycastle.pqc.jcajce.provider.mceliece.BCMcElieceCCA2PrivateKey;
import org.bouncycastle.pqc.jcajce.provider.mceliece.BCMcElieceCCA2PublicKey;
import java.security.*;
import java.util.Arrays;
import java.util.Random;
public class McElieceFujisakiPqcEncryptionLargeData {
public static void main(String[] args) throws InvalidCipherTextException {
System.out.println("McEliece Fujisaki Pqc Encryption");
if (Security.getProvider("BCPQC") == null) {
Security.addProvider(new BouncyCastlePQCProvider());
// used Bouncy Castle: bcprov-jdk15to18-165.jar
}
System.out.println("key generation");
SecureRandom keyRandom = new SecureRandom();
McElieceCCA2Parameters params = new McElieceCCA2Parameters();
McElieceCCA2KeyPairGenerator mcElieceCCA2KeyGen = new McElieceCCA2KeyPairGenerator();
McElieceCCA2KeyGenerationParameters genParam = new McElieceCCA2KeyGenerationParameters(keyRandom, params);
mcElieceCCA2KeyGen.init(genParam);
AsymmetricCipherKeyPair pair = mcElieceCCA2KeyGen.generateKeyPair();
AsymmetricKeyParameter mcEliecePrivateKey = pair.getPrivate();
AsymmetricKeyParameter mcEliecePublicKey = pair.getPublic();
PrivateKey privateKey = new BCMcElieceCCA2PrivateKey((McElieceCCA2PrivateKeyParameters) pair.getPrivate()); // conversion neccessary only for key data
PublicKey publicKey = new BCMcElieceCCA2PublicKey((McElieceCCA2PublicKeyParameters) pair.getPublic()); // conversion neccessary only for key data
System.out.println("PrivateKey length: " + privateKey.getEncoded().length + " algorithm: " + privateKey.getAlgorithm() + " format: " + privateKey.getFormat());
System.out.println("PublicKey length: " + publicKey.getEncoded().length + " algorithm: " + publicKey.getAlgorithm() + " format: " + publicKey.getFormat());
// generate cipher for encryption
System.out.println("\ninitialize cipher for encryption");
ParametersWithRandom param = new ParametersWithRandom(mcEliecePublicKey, keyRandom);
McElieceFujisakiCipher mcElieceFujisakiDigestCipher = new McElieceFujisakiCipher();
mcElieceFujisakiDigestCipher.init(true, param);
// random plaintext
byte[] plaintext = new byte[52428800]; // 50 mb, 50 * 1024 * 1024
new Random().nextBytes(plaintext);
System.out.println("pt length: " + plaintext.length + " (" + (plaintext.length / (1024 * 1024)) + " mb)");
byte[] ciphertext = mcElieceFujisakiDigestCipher.messageEncrypt(plaintext);
System.out.println("ct length: " + ciphertext.length + " (" + (ciphertext.length / (1024 * 1024)) + " mb)");
System.out.println("\ninitialize cipher for decryption");
mcElieceFujisakiDigestCipher.init(false, mcEliecePrivateKey);
byte[] decryptedtext = mcElieceFujisakiDigestCipher.messageDecrypt(ciphertext);
System.out.println("dt length: " + decryptedtext.length + " (" + (decryptedtext.length / (1024 * 1024)) + " mb)");
System.out.println("\ncompare plaintext<-> decryptedtext: " + Arrays.equals(plaintext, decryptedtext));
}
}
Public key Retrieval class by President James K. Polk, available under MIT-Licence:
package com.github.jameskpolk;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.params.ParametersWithRandom;
import org.bouncycastle.pqc.crypto.mceliece.*;
import org.bouncycastle.pqc.jcajce.provider.mceliece.BCMcElieceCCA2PrivateKey;
import org.bouncycastle.pqc.jcajce.provider.mceliece.BCMcElieceCCA2PublicKey;
import org.bouncycastle.pqc.math.linearalgebra.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
public class McElieceRecoverPublicFromPrivate {
private static final SecureRandom RAND = new SecureRandom();
public static AsymmetricCipherKeyPair generateKeyPair() {
McElieceCCA2KeyPairGenerator kpg = new McElieceCCA2KeyPairGenerator();
McElieceCCA2Parameters params = new McElieceCCA2Parameters();
McElieceCCA2KeyGenerationParameters genParam = new McElieceCCA2KeyGenerationParameters(RAND, params);
kpg.init(genParam);
return kpg.generateKeyPair();
}
public static McElieceCCA2PublicKeyParameters recoverPubFromPriv(McElieceCCA2PrivateKeyParameters priv) {
GF2mField field = priv.getField();
PolynomialGF2mSmallM gp = priv.getGoppaPoly();
GF2Matrix h = GoppaCode.createCanonicalCheckMatrix(field, gp);
Permutation p = priv.getP();
GF2Matrix hp = (GF2Matrix) h.rightMultiply(p);
GF2Matrix sInv = hp.getLeftSubMatrix();
GF2Matrix s = (GF2Matrix) sInv.computeInverse();
GF2Matrix shp = (GF2Matrix)s.rightMultiply(hp);
GF2Matrix m = shp.getRightSubMatrix();
GoppaCode.MaMaPe mmp = new GoppaCode.MaMaPe(sInv, m, p);
GF2Matrix shortH = mmp.getSecondMatrix();
GF2Matrix shortG = (GF2Matrix) shortH.computeTranspose();
// generate public key
return new McElieceCCA2PublicKeyParameters(
priv.getN(), gp.getDegree(), shortG,
priv.getDigest());
}
public static void main(String[] args) throws Exception{
// generate a McEliece key pair
AsymmetricCipherKeyPair bcKeyPair = generateKeyPair();
McElieceCCA2PrivateKeyParameters bcPriv = (McElieceCCA2PrivateKeyParameters) bcKeyPair.getPrivate();
BCMcElieceCCA2PrivateKey priv = new BCMcElieceCCA2PrivateKey(bcPriv);
// get the first public key
McElieceCCA2PublicKeyParameters bcPub1 = (McElieceCCA2PublicKeyParameters) bcKeyPair.getPublic();
BCMcElieceCCA2PublicKey pub1 = new BCMcElieceCCA2PublicKey(bcPub1);
// Now generate a second public key for the private key
McElieceCCA2PublicKeyParameters bcPub2 = recoverPubFromPriv(bcPriv);
BCMcElieceCCA2PublicKey pub2 = new BCMcElieceCCA2PublicKey(bcPub2);
// print some info about sizes
System.out.printf("Size of encrypted messages in bits(bytes): %d(%d)\n",
priv.getEncoded().length, priv.getEncoded().length / 8);
System.out.printf("private key length: %d\n", bcPriv.getK());
System.out.printf("public key1 length: %d\n", pub1.getEncoded().length);
System.out.printf("public key2 length: %d\n", pub2.getEncoded().length);
// now encrypt different messages with each public key.
String message1 = "Deposits should be made to account # 3.1415929";
String message2 = "Deposits should be made to account # 2.71828";
ParametersWithRandom params1 = new ParametersWithRandom(bcPub1, RAND);
ParametersWithRandom params2 = new ParametersWithRandom(bcPub2, RAND);
McElieceFujisakiCipher mcElieceFujisakiDigestCipher1 = new McElieceFujisakiCipher();
McElieceFujisakiCipher mcElieceFujisakiDigestCipher2 = new McElieceFujisakiCipher();
mcElieceFujisakiDigestCipher1.init(true, params1);
mcElieceFujisakiDigestCipher2.init(true, params2);
byte[] ciphertext1 = mcElieceFujisakiDigestCipher1.messageEncrypt(message1.getBytes(StandardCharsets.UTF_8));
byte[] ciphertext2 = mcElieceFujisakiDigestCipher2.messageEncrypt(message2.getBytes(StandardCharsets.UTF_8));
System.out.println("ct1 length: " + ciphertext1.length + " (" + (ciphertext1.length / (1024 * 1024)) + " mb)");
System.out.println("ct2 length: " + ciphertext2.length + " (" + (ciphertext2.length / (1024 * 1024)) + " mb)");
mcElieceFujisakiDigestCipher1.init(false, bcPriv);
mcElieceFujisakiDigestCipher2.init(false, bcPriv);
byte[] decryptedtext1 = mcElieceFujisakiDigestCipher1.messageDecrypt(ciphertext1);
byte[] decryptedtext2 = mcElieceFujisakiDigestCipher2.messageDecrypt(ciphertext2);
System.out.printf("Decrypted message 1: %s\n", new String(decryptedtext1, StandardCharsets.UTF_8));
System.out.printf("Decrypted message 2: %s\n", new String(decryptedtext2, StandardCharsets.UTF_8));
}
}
I know, that standard RSA supports just a small data blocks to encrypt,
That's why we use a hybrid cryptosystem. Data are encrypted using a symmetric cipher (data key), and the symmetric data key is encrypted using an asymmetric cipher.
I do not need changes detection, I need to make changes impossible (ok, as hard as possible).
If you are unable to enforce any read-only input/filesystem, then detecting changes is the best you can do. Either it's failed decryption or signature.
Actually to ensure data integrity I'd really use signing, not pure encryption. I see you don't want that, but at the end it will there. Some ciphers / cipher modes are malleable - data can be changed even when encrypted and without any authentication (mac, signature) the decryption is valid and you won't be able to detect the integrity failure.
If you would just rely on application to detect that data are corrupted after failed decryption, you are creating a perfect decryption oracle (breaking security)
I suppose, that the easiest way to do that, is to encrypt data with some secret key and to include the public key in the app, so app could decrypt and show the data, but without the secret key users would not be able to change the content.
Anything hardcoded in your app you can consider as revealed/public. You correctly identified the risk. If you have a dedicated user, nothing prevents the user to change the key in the app and pass invalid data. So - for anything that runs at the client, you can make the integrity stronger, but not perfect. At the end - you have to make some assumptions about adversary's abilities.
I encrypt data with my private key, pass to app, app in runtime decrypts data with it's public key and
In theory (mathematically) you can do that, but most of the current libraries will not let you use the key pairs wrong way (private key is intended for decryption or signing, public for encryption or validation). If you want to code such a solution yourself, you are in risk of creating weaknesses you may not be aware of (proper padding, timing,..)
I believe there are even some weaknesses in the scheme (encrypting using the private key), but I cannot recall details, there are people with deeper knowledge in the topic (e. g. James Polk from comments)
Edit:
Examples to create a signature or MAC : https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
btw - using aes-gcm the Java Cipher implementation automatically appends the mac tag to the end of the ciphertext
An interesting question. As far as I can see from your question, the data itself is not secret. Your problem is that the user should not be able to change the data (or that you should be able to detect that he or she has changed it). In this case, a hash function (including possibly a cryptographic hash function) might well be a better approach. See https://en.wikipedia.org/wiki/Hash_function and https://en.wikipedia.org/wiki/Cryptographic_hash_function. If you use a hash function, then you can always detect whether the user has tried to change the data.
The cryptographic hash functions are one-way, so that you do not need to store any key in your program.
I am trying to implement Diffie-Hellman key exchange in Java, but I'm having a hard time understanding the specification:
Complete the Diffie-Hellman key exchange process as a local mechanism
according to JWA (RFC 7518) in Direct Key Agreement mode using curve
P-256, dT and QC to produce a pair of CEKs (one for each direction)
which are identified by Transaction ID. The parameter values supported
in this version of the specification are:
“alg”: ECDH-ES
“apv”: SDK Reference Number
“epk”: QC, in JSON Web Key (JWK) format
{“kty”:”EC” “crv”:“P-256”}
All other parameters: not present
CEK: “kty”:oct - 256 bits
Create a JSON object of the following data as the JWS payload to be
signed:
{“MyPublicKey”: “QT”, “SDKPublicKey”:” QC”}
Generate a digital signature of the full JSON object according to JWS
(RFC 7515) using JWS Compact Serialization. The parameter values
supported in this version of the specification are:
“alg”: PS256 or ES256
“x5c”: X.5C v3: Cert(MyPb) plus optionally chaining certificates
From my understanding, ECDH will produce a secret key. After sharing my ephemeral public key (QT), the SDK produces the same secret key, so we can later exchange JWE messages encrypted with the same secret key.
The JSON {“MyPublicKey”: “QT”, “SDKPublicKey”:” QC”} will be signed and sent, but I do not understand how I will use apv and epk since these header params are used in JWE and not in the first JWS to be shared.
On the same specification, they talk about these JWE messages, but they do not have these apv and epk parameters.
Encrypt the JSON object according to JWE (RFC 7516) using the same
“enc” algorithm used by the SDK, the CEK obtained identified by “kid”
and JWE Compact Serialization. The parameter values supported in this
version of the specification are:
“alg”: dir
“enc”: either A128CBC-HS256 or A128GCM
“kid”: Transaction ID
All other parameters: not present
I also read the example in RFC 7518 where I can see the header params apv and epk being used but I'm not sure which header params, JWE's or JWS's ?
Any thought on how this could be implemented using nimbus-jose-jwt or any other java library would be really helpful. Thanks
Both apv (Agreement PartyVInfo) and epk (Ephemeral Public Key) are optional, so they can be used in multiple ways. You can use apv to reflect SDK version for example. They are added to the JWE header.
You can read more about JWE in Nimbus here
An example using Nimbus JOSE would be:
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import com.nimbusds.jose.*;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.KeyOperation;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.Base64URL;
public class Security {
public void generateJWE() throws JOSEException, URISyntaxException {
JWEHeader jweHeader = buildJWEHeader(new Base64URL("202333517"), buildECKey());
JWEObject jweObject = new JWEObject(jweHeader, new Payload("Hello World!"));
}
private JWEHeader buildJWEHeader(Base64URL apv, ECKey epk) {
JWEHeader.Builder jweBuilder = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, EncryptionMethod.A128GCM);
jweBuilder.agreementPartyVInfo(apv);
jweBuilder.ephemeralPublicKey(epk);
return jweBuilder.build();
}
private ECKey buildECKey() throws URISyntaxException {
Set<KeyOperation> keyOperations = new HashSet<>();
keyOperations.add(KeyOperation.ENCRYPT);
String transactionID = "73024831";
URI x5u = new URI("https//website.certificate");
KeyStore keystore = null; //initialize it
List<Base64> x5c = new ArrayList<>();
return new ECKey(Curve.P_256, new Base64URL("x"), new Base64URL("y"), KeyUse.ENCRYPTION, keyOperations, Algorithm.NONE, transactionID, x5u, new Base64URL("x5t"), new Base64URL("x5t256"), x5c, keystore);
}
}
Instead of EncryptionMethod.A128GCM you can use EncryptionMethod.A128CBC-HS256 as in your specification. apv and epk are added to JWEHeader inside builder.
Other parameters can be chosen in constructors of JWEHeader.Builder and ECKey. I used ECDH-ES algorithm, A128GCM encryption method, P-256 curve (elliptic curve is default in ECKey generation),
transaction ID is a string. I chose other parameters without any clear pattern. Initialization of KeyStore would be too broad for the example. Encryption is only one thing you can do with JWE, among signature and others.
Nimbus (as well as Jose4j) is not the best choice for implementing the specification (I guess it's 3D secure 2.x.x).
These libraries do not return content encrypion key but use it to encrypt or decrypt messages as per JWE spec.
I found that Apache CXF Jose library does its job well as a JWE/JWS/JWK implementation. Except generating ephemeral key pairs. But it's can easily be done with Bouncy Castle:
Security.addProvider(new BouncyCastleProvider());
ECGenParameterSpec ecGenSpec = new ECGenParameterSpec(JsonWebKey.EC_CURVE_P256);
KeyPairGenerator g = KeyPairGenerator.getInstance(ALGORITHM_SIGNATURE_EC, "BC");
g.initialize(ecGenSpec, new SecureRandom());
KeyPair keyPair = g.generateKeyPair();
Content encrypion key can be produced with this code:
byte[] cek = JweUtils.getECDHKey(privateKey, publicKey, null, SDKReferenceNumber, "", 256);
And used to encrypt messages getting JWE compact representation:
JweEncryption jweEncryption = JweUtils.getDirectKeyJweEncryption(cek, contentAlgorithm);
JweHeaders head = new JweHeaders();
head.setHeader(JoseConstants.HEADER_KEY_ID, keyId);
String encrypted = jweEncryption.encrypt(contentToEncrypt.getBytes(StandardCharsets.UTF_8), head);
Or decrypt:
JweCompactConsumer compactConsumer = new JweCompactConsumer(encrypted);
JweHeaders head = compactConsumer.getJweHeaders();
JweDecryption jweDecryption = JweUtils.getDirectKeyJweDecryption(cek, head.getContentEncryptionAlgorithm());
JweDecryptionOutput out = jweDecryption.decrypt(encrypted);
String decrypted = out.getContentText();
I able to generate the Secret Key for A128CBC-HS256. However still not succeed in A128GCM. Adding the working sample for A128CBC-HS256 with help nimbus-jose library. This below code is only for key generation.
Please also note that I override the nimbus-jose classes for my usage. Hope it helps.
private void generateSHA256SecretKey(AREQ areq, ECKey sdkPubKey, KeyPair acsKeyPair) throws Exception {
// Step 4 - Perform KeyAgreement and derive SecretKey
SecretKey Z = CustomECDH.deriveSharedSecret(sdkPubKey.toECPublicKey(), (ECPrivateKey)acsKeyPair.getPrivate(), null);
CustomConcatKDF concatKDF = new CustomConcatKDF("SHA-256");
String algIdString = "";
String partyVInfoString = areq.getSdkReferenceNumber();
int keylength = 256; //A128CBC-HS256
byte[] algID = CustomConcatKDF.encodeDataWithLength(algIdString.getBytes(StandardCharsets.UTF_8));
byte[] partyUInfo = CustomConcatKDF.encodeDataWithLength(new byte[0]);
byte[] partyVInfo = CustomConcatKDF.encodeDataWithLength(partyVInfoString.getBytes(StandardCharsets.UTF_8));
byte[] suppPubInfo = CustomConcatKDF.encodeIntData(keylength);
byte[] suppPrivInfo = CustomConcatKDF.encodeNoData();
SecretKey derivedKey = concatKDF.deriveKey(
Z,
keylength,
algID,
partyUInfo,
partyVInfo,
suppPubInfo,
suppPrivInfo);
System.out.println("Generated SHA256 DerivedKey : "+SecureUtils.bytesToHex(derivedKey.getEncoded()));
}
I am making an android application that communicates with a server. I'm using token based authentication on my server, and to pass information to the client from the server, I am using asymmetric encryption.
This is how the process goes
Generated public and private key already exists before hand
Public key is used to encrypt information, and then passed from server to client
App uses private key to decrypt information
However, I do not know how to securely store the private key in the keystore. If I store it during runtime, the key will be out in the code, and if I send the private key during the REST connection, then there's no point of having the encryption because a hacker can find both keys. Can anyone help me on creating the best possible solution? THX in advance!
You can store your private key in shared preferences, but encrypted with generated secret key, which will be stored in Android KeyStore, which will give much more security in storing the private key.
Please see example below in Kotlin.
First, you need to generate secret key:
fun generateSecretKey(): SecretKey {
val keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
val spec = KeyGenParameterSpec
.Builder(secretKeyAlias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
.setBlockModes(KeyProperties.BLOCK_MODE_GCM)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
.build()
keyGenerator.init(spec)
return keyGenerator.generateKey()
}
It will be automatically stored in the KeyStore since we're mentioning it as a provider when getting instance of a KeyGenerator.
Later, when you will need to obtain secret key again you can do it like this:
fun getSecretKey(): SecretKey {
val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
val secretKeyEntry = keyStore.getEntry(secretKeyAlias, null) as KeyStore.SecretKeyEntry
return secretKeyEntry.secretKey
}
Or you can always use getSecretKey() method, which will generate new one if the obtained from the KeyStore is null by changing last line to:
return secretKeyEntry.secretKey ?: generateSecretKey()
When SecretKey is obtained you can proceed with encryption:
fun encrypt(data: String): ByteArray? {
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
cipher.init(Cipher.ENCRYPT_MODE, getSecretKey())
iv = cipher.iv
return cipher.doFinal(data.toByteArray())
}
Here, method encrypt will return a ByteArray that you can store in the SharedPreferences.
NOTE: that you should also store initialization vector (IV). Here it is stored to the iv property.
To decrypt stored data, use this method:
fun decrypt(encrypted: ByteArray): String {
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
val spec = GCMParameterSpec(128, iv)
cipher.init(Cipher.DECRYPT_MODE, getSecretKey(), spec)
val decoded = cipher.doFinal(encrypted)
return String(decoded, Charsets.UTF_8)
}
Here, you must pass store initialization vector (IV) to GCMParameterSpec.
Hope it will helps someone.
I've been strugling for a while now by trying to complete next goal :
I have a "Reset password" page that supposed to send new password to the server. I would like to hash it with salt, so I could save it in DB eventually. On Server side I have next methods that creates password hash :
public static String makeHash(String password, String salt) {
try {
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(password.getBytes("UTF-8"));
byte byteData[] = md.digest(makeHash(salt.toLowerCase()));
return Base64.getEncoder().encodeToString(byteData);
} catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
log.error("Unable to make hash for pass. No hashing.", e);
}
return password;
}
private static byte[] makeHash(String val) throws NoSuchAlgorithmException, UnsupportedEncodingException {
return MessageDigest.getInstance("SHA-256").digest(val.getBytes("UTF-8"));
}
I tried several Javascript libraries - crypto, crypto-js, SJCL , but couldn't manage to create same password as Java methods generates. For example, last working try out was :
var crypto = require('crypto');
crypto.pbkdf2('123', 'test#gmail.com', 1000, 60, 'sha256', function(err, key) {
if (err)
throw err;
console.log(key.toString('Base64')); // 'c5e478d...1469e50'
});
And it generated me this hash - Qr2lzotlRWj7BeJeFooMRj64auMPTb3PRhwLmfNcl4DCVAlFFibgOqZiyExZNO5i/icAUYoMjy73jSTd, while Java gives me - /pyQf3JCj5XoczfsYJ4LUb+y0DONGMl/AFzLiBTo8LA=.
I cannot change backend, since it running already for some time, so I was hoping that maybe someone could help me out with this.
You have to use the same algorithm on both sides. In Java you're using simply SHA-256 and in node you're using PBKDF2 with SHA-256.
Node.js' crypto module provides the createHash(algorithm) function. Where you can specify SHA-256 directly. PBKDF2 is an algorithm that only uses different hashing functions under the hood.
If you want hash passwords, then it is much safer to use PBKDF2 with a lot of iterations (> 86,000) and a random salt that you store alongside the password hash.
Java has support for PBKDF2 in its standard library.
If you really want to use SHA-256 directly and I strongly advise against it, you can use the following code:
var crypto = require('crypto');
var key = "123";
var salt = "test#gmail.com";
key = crypto.createHash('sha256')
.update(key, "utf8")
.update(makeHash(salt))
.digest("base64");
console.log(key);
function makeHash(val) {
return crypto.createHash('sha256').update(val, "utf8").digest();
}
Output:
/pyQf3JCj5XoczfsYJ4LUb+y0DONGMl/AFzLiBTo8LA=
Note that Hash.digest() takes an optional output encoding and not additional data.