Is it safe to use following library of AES Encryption in PHP/Java? -
when in search aes encryption/decryption implementation, found links of questions out there in so, these:
- aes encryption java -> php -> java
- aes encryption in java
- aes encryption & security flaw
- is safe use pbkdf2 sha256 generate 128-bit aes keys?
and found following webpage, offers easy use implementation of aes encryption/decryption algorithm in both php , java library.
question: safe use library of aes implementation, directly in our real time development projects?
this may require go through implementation of source code. lengthier php implementation may seemed, following have put essential part of java source code of library.
import java.io.unsupportedencodingexception; import java.security.messagedigest; import java.security.nosuchalgorithmexception; import java.util.arrays; import javax.crypto.cipher; import javax.crypto.spec.secretkeyspec; import org.apache.commons.codec.binary.base64; /** aes encryption */ public class aes { private static secretkeyspec secretkey ; private static byte[] key ; private static string decryptedstring; private static string encryptedstring; public static void setkey(string mykey){ messagedigest sha = null; try { key = mykey.getbytes("utf-8"); system.out.println(key.length); sha = messagedigest.getinstance("sha-1"); key = sha.digest(key); key = arrays.copyof(key, 16); // use first 128 bit system.out.println(key.length); system.out.println(new string(key,"utf-8")); secretkey = new secretkeyspec(key, "aes"); } catch (nosuchalgorithmexception e) { // todo auto-generated catch block e.printstacktrace(); } catch (unsupportedencodingexception e) { // todo auto-generated catch block e.printstacktrace(); } } public static string getdecryptedstring() { return decryptedstring; } public static void setdecryptedstring(string decryptedstring) { aes.decryptedstring = decryptedstring; } public static string getencryptedstring() { return encryptedstring; } public static void setencryptedstring(string encryptedstring) { aes.encryptedstring = encryptedstring; } public static string encrypt(string strtoencrypt) { try { cipher cipher = cipher.getinstance("aes/ecb/pkcs5padding"); cipher.init(cipher.encrypt_mode, secretkey); setencryptedstring(base64.encodebase64string(cipher.dofinal(strtoencrypt.getbytes("utf-8")))); } catch (exception e) { system.out.println("error while encrypting: "+e.tostring()); } return null; } public static string decrypt(string strtodecrypt) { try { cipher cipher = cipher.getinstance("aes/ecb/pkcs5padding"); cipher.init(cipher.decrypt_mode, secretkey); setdecryptedstring(new string(cipher.dofinal(base64.decodebase64(strtodecrypt)))); } catch (exception e) { system.out.println("error while decrypting: "+e.tostring()); } return null; } } note: please, don't mark broader question , neglect it, i'm asking because need sure before use next project.
thanks in advance valuable time!
no, should absolutely not use code.
aes class should not contain digest, that's not part of aes. ecb insecure; cbc insecure without integrity/authentication. exceptions shuffled under table , result in null being returned. there no difference made between runtime exceptions , exceptions generated invalid input , output. fields not correct. default encoding being used. actually, if had score sheet fail on half points @ minimum.
to able use cryptography need at least minimum understanding of subject. otherwise need leave professionals or need use pre-made solutions known experts. grabbing code internet provide false sense of security , source of impossible fix bugs.
Comments
Post a Comment