There are many encryption algorithms and most of them require IV and KEY and Plaintext.
In Android, we have to add 3 of them to our code. On the other side, Android is open source and everyone can extract APK files and access the IV and the KEY , this doesn't make it secure.
Which algorithms are better and unbreakble that can be applied in Java and PHP. I'm working on a Project similar to Instagram/Facebook/Twitter, Security is the first problem for such applications.
Let's start with basic stuff:
never store an IV/KEY in the source code or unencrypted within the app filesystem
your might want to look into the Android KeyStore and it's supported operations
you might need to depend upon the existence of a hardware keystore (so that users cannot modify locally stored keys)
For more information I would recommend to look into the OWASP MSTG -- Android Data Store and Android Cryptographic APIs might be interesting to you
I'm working on a mobile App which is to be build in Android (Native) , iOS (Native) & PhoneGap. For security I'm already using SSL, but as per client requirement another encryption is to be implemented in all webservices( Mobile end and Server) . But I'm unable to implement encryption which works well in Java, Objective-C and JavaScript.
I could manage to get AES-256 working in all the platforms , but it works very slow in Android. Library used for the same was RNCryptor.
Can you please suggest me any Encryption/Decryption library which is compatible along at least Java & Objective-C.
AES-256 a correct choice and should not be a performance problem. Most cpu chips include special instructions to allow faster implementations, Apple ARM chips do as do may Intel chips. If you are going to claim that encryption is slow for an implementation you need to supply test times for all platforms, generate them and post them.
Obtaining the same results from encryption, AES-256 in this case, is simply supplying the exact same inputs with the exact required lengths and exact same options--that is all.
Providing secure encryption is more than just a key, data and an AES-256 library. There needs to be an iv, if the key is week it needs to be extended, passwords are generally extended with PBKDF2 or it's like. These require more information to be added to the encrypted data that is passed. There is also data padding such as PKCS#7. RNCryptor handles all this but for interoperability requires the other-end to use the same scheme. Then there is the issue of securing the encryption key and exchanging it with the other-side.
First of all, I have googled how to secure network traffic and I have found a lot of answers... Only the issue is that I've found too many examples and methods and the majority of the them are very old (> 10 years), so it worries me a little bit.
What I want to know is how I could encrypt network traffic between a server and a client.
I have had a bachelor degree class about it and from what I understand, I need a private-public key pair to encrypt and decrypt. However I may have missed some important notion, because I've got this question currently about that: How can I send the key over the network when that key is the key with which you need to secure the network? Do I even have to deal with it, or are there built-in applications of secure networking in Java?
What I also have seen in class was that the instructors needed to manually verify some key codes to be 100% sure that some person was sending a message (manually as in looking at someone else's screen and comparing the keys to see if they were indeed the same).
I am using sockets currently, and I am not even sure if networking can even be done differently in Java. I would like to know how I could achieve secure networking.
Any links to relevant material are appreciated, preferably I want to know the best solution if there happens to be any. If the link/article is dated, then please justify that it can still be used after 5 or 10 years.
Regards.
Use Transport Layer Security (e.g. the OpenSSL library).
If you want to roll your own security, then use AES to encrypt the data; Java has built-in support or AES, or else you can use the Bouncycastle library. Then use RSA to encrypt the AES key, and send the encrypted key and the AES-encrypted data from the server to the client; the client decrypts the key, then uses the key to decrypt the AES-encrypted data.
Java AES Tutorial, Java RSA Tutorial
I have some text that is in a file. I want to encrypt this file so that an end user can not read or write to this file, but the application can read it. There can be a stored secret in the application because it is being secured in another way.
What type of Encryption support these requirements?
I was thinking of AES. I do not know much about encryption, and was looking for a starting point. An algorithm or a framework suggestion would be great.
One last note, the code is in Java running on a Windows and Linux environment.
Since you've tagged the post as "Java" - I'd recommend looking at the "Java Cryptography Extension" (JCE). Since J2SE 1.4 it's been bundled with the SDK and JRE.
And of course, a requisite example and overview of using AES in the JCE.
If the application can read it, the application has a key in it. And if the application has a key in it, a sufficiently energetic user can find that key and use it for themselves. Or spy on memory and see the decrypted version.
AES or RSA would be just fine. An important thing to notice though is that once your program decrypts data, a reverse engineer would easily recover the plaintext without any knowledge of the key or algorithm of encryption.
I need to encrypt an IP address, save it to file, and then be able to retrieve it later. I was wondering if anyone could suggest a good way to do this. Just the name of some encryption algorithms would be fine or links to resources.
Ive done my research and have come up with a few solutions. Just wanted to make sure there wasnt something I missed. If it helps at all, the application is written in java. We do use JNI for some native functions, but would prefer to stay away from JNI.
Thanks
EDIT:
Its a client/server model. The server will send the encrypted ip address to the client. The client will decrypt it, and then connect to that address.The data will be just a string. Its IPv4.
As other answers have already indicated, AES is your best bet for this problem. However, as is always the case with encryption, the real problem is not which algorithm to choose; it is how to keep your key a secret. If it is simply a string in your source code, it would take very little work for someone to figure that key out and use it to decrypt your file.
Assuming that you want arbitrary encryption on the client then you have a serious key management problem. It is pretty trivial to reverse engineer client code to obtain an embedded encryption key. And you need to consider what you'd do if that key is compromised and splattered all over the internet. Once it's embedded in your code then it's out of your hands (see CSS and deCSS for more fun reading on that subject).
So, a better solution is to have the server do the encryption and decryption and the client to just send up a bunch of bytes that it's stored locally.
Now, what's a good way of encrypting stuff on the server in an easy to maintain manner? I'm talking about key management; ease of use; strength of encryption; easy Ant/Maven targets/goals to manage the generation of said server side keys and so on. One framework that works really well for me is KeyCzar by Google. Simple API and external management is a piece of cake. Take a look.
I can answer to your straight question about encryption algorithm: AES
Java has classes for that!
But I still have my doubts about the robustness of you solution
I'd personally use AES.
Some more resources:
http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html
Java 256-bit AES Password-Based Encryption
http://www.aescrypt.com/java_aes_crypt.html
I strongly recommend using the BouncyCastle library for Java. It's a lot cleaner than the built-in crypto stuff in Java and significantly easier to understand. Instead of mucking around with passing names of algorithms to methods and seeing if you actually get a cipher back you can just use new. Much easier.
You mentioned you have a few solutions, why not mention them.
Also, this is a very general question, are you looking for a symmetric algorithm or prefer public/private key, or something that uses both?
If you are looking at keeping the key on the server, since IP addresses are small (is this for IPv6, http://en.wikipedia.org/wiki/IPv6) then RSA would be a good choice, as you can then keep the public key on the server but no one can create a new key without the private key.
How will you be using the data? If you are going to decrypt all of them then just keep them in one file, zip it, then encrypt the entire file.
More details would help to narrow this down, as there are a large number of solutions.
But for libraries, in Java, I like BouncyCastle (http://bouncycastle.org/) as they give a large selection and works well if you need to exchange keys with .NET.
UPDATE:
Based on the latest update to the question the biggest concern is how to exchange the encryption key.
Since this is being sent to a client, your best bet may be to use something like RSA to help with this. The client would have a private key, and the server would have the public key of each client, so that if one is compromised the entire system isn't. Then, the server generates a symmetric key (AES is fine, I like IDEA), and encrypts that key. Then, you transmit both pieces to the client, the client then decrypts the symmetric key and then the IP address.
This idea was made popular by PGP.
You may want to use BouncyCastle, as I mentioned, so that if your client is written in .NET or Java you can still do the key exchange, since it has APIs for both platforms.
How you get the key to the server, from the client, or vice versa, depends on many factors, but that will be the weak link in this whole system, and so that part needs to be designed carefully.
As commented elsewhere, it is pointless. The information is available by other means so encrypting it via this channel is a compete waste of time. Netstat is yet another way the address can be detected.
Is there no way to route the TCP traffic through a proxy IP and "obfuscate" the IP that way?
I don't see the issue there unless the said provider of the proxy blocks the required ports according to projects needs. It's too bad Cloudflare wont allow anything except HTTP/S requests through their service unless you get on Enterprise, otherwise there is your solution in a blink.