2

I have a customer token which I am sending from one web application, say app1, to another web application, say app2. I want to encrypt the customer token at app1 and decrypt it at app2 using a key which is shared between app1 and app2. I am not getting how to start with this. It would be very helpful if somebody could point me to some sample code or some tutorial using a shared key, as there is too much encryption/decryption stuff (like symmetric key, public-private key) on the net, which has really confused me. Another limitation is that I have a really short time to go into the details. Thanks in advance.

EDIT:- I am looking for a simple program, something like the one given at http://sanjaal.com/java/186/java-encryption/tutorial-java-des-encryption-and-decryption/ but using AES. I am not able to find this kind of example for AES using a shared key.

M Sach
  • There is a good example here: http://stackoverflow.com/questions/992019/java-256-bit-aes-password-based-encryption – Emmanuel Bourg May 31 '12 at 07:57
  • I'd look into symmetric, authenticated encryption. – CodesInChaos May 31 '12 at 08:00
  • @EmmanuelBourg I'm not sure how the OP will use this, but it's very likely that your suggestion is vulnerable to active attacks, such as a padding oracle. It's also about password based encryption, the OP has no reason to use passwords instead of simple keys. – CodesInChaos May 31 '12 at 08:01
  • Can you throw an existing TLS library at the problem? – CodesInChaos May 31 '12 at 09:48
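
Following the comment above that recommends symmetric, authenticated encryption, here is an added example (not from the question or the linked DES tutorial) of the shared-key flow the question asks for, in Java with AES-GCM: app1 encrypts the token under the shared key, app2 decrypts it, and the GCM tag rejects any modification in transit. The key bytes, the token string and the wire format (IV prepended, base64url) are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Shared-key token protection between app1 and app2 using AES-GCM
 * (authenticated encryption). Added example, not code from the question.
 * Assumes both apps are configured with the same 32-byte key; in a real
 * deployment load it from a keystore or secrets manager, never from source.
 */
public class SharedKeyTokenCrypto {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    /** app1 side: returns base64url(iv || ciphertext || tag). */
    public static String encryptToken(byte[] key, String token) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                    // fresh random IV for every message; never reuse with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(token.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** app2 side: decrypts and checks the tag; throws AEADBadTagException if anything was altered. */
    public static String decryptToken(byte[] key, String blob) throws GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(blob);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short to hold an IV and a tag");
        }
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);   // IV is the first 12 bytes
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), spec);
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key: generated here so the example runs stand-alone.
        byte[] sharedKey = new byte[32];
        new SecureRandom().nextBytes(sharedKey);
        String token = "cust-12345;exp=1700000000";   // constructed sample token

        String wire = encryptToken(sharedKey, token);                       // app1
        System.out.println("round trip: " + decryptToken(sharedKey, wire)); // app2

        // Flip one byte of the authenticated blob: GCM rejects it instead of returning garbage.
        byte[] tampered = Base64.getUrlDecoder().decode(wire);
        tampered[tampered.length - 1] ^= 0x01;
        try {
            decryptToken(sharedKey, Base64.getUrlEncoder().withoutPadding().encodeToString(tampered));
            System.out.println("BUG: tampered token accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered token rejected");
        }
    }
}
```

Unlike AES/CBC with padding, GCM fails closed on a modified blob, which is what closes the padding-oracle concern raised in the comments. Two caveats the example does not solve: GCM does not stop replay, so the token itself should carry an expiry or nonce that app2 checks, and the shared key must be distributed out of band and kept out of source control.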

2 Answers

0

I would suggest this:

Have each of your apps assigned a public/private key pair, and store the private key securely, protected with a password, in a secret key. Make sure that this is very secure. Needless to say, the public certificate (which contains the public key as well) will be public.
Each app will have the public key certificates of all the other apps. Now whenever an app wants to communicate with another app:

  1. First sign (basically encrypting) the token with the sending app's private key.
  2. Then encrypt the resulting value with the public key of the app you want to send the data to.

This way the app that receives this value can be assured that no man in the middle will be able to make out what you have sent, and can also verify that the token has come from a trusted entity.
But if you use a shared key (symmetric key), then if the symmetric key is compromised, all the apps will be compromised.

Ashwin
-1

Usually you use an asymmetric algorithm (e.g. RSA) to encrypt a symmetric key (e.g. AES) to securely share it with another party, and then your subsequent communication is encrypted with the symmetric key. That is the VERY basic gist of it, but there are a lot more factors to consider.

And I can see you getting into VERY big trouble right now for several reasons.

  1. You don't understand the concepts of cryptography.
  2. You are not willing to thoroughly study it.
  3. You simply want to grab some code from the web and use it.
  4. Really short time.

I understand that you might not have a choice; perhaps your employer/client wants to get this done quickly. But I thoroughly advise you NOT to go ahead unless you know what you are doing. If you are handling sensitive details such as credit card information or other critical customer information, do yourself a favor and study cryptography in depth.

It doesn't matter how strong the cryptographic algorithm is if you use it in an incorrect fashion. So you need to understand HOW to properly use each algorithm and its advantages/disadvantages.

Ranhiru Jude Cooray
  • I see no reason to use asymmetric crypto here. – CodesInChaos May 31 '12 at 07:59
  • @CodeInChaos: If both the web applications are in his control, it makes sense to use a symmetric key stored in a shared location. He can then change the key every day/week. But I would rather generate a cryptographically secure random session key for each communication session and share it with the other application securely using asymmetric cryptography. OR he can write an app to generate a symmetric key and store it in the shared location every day/week. I may be very wrong. Please be kind enough to point out any potential weaknesses :) – Ranhiru Jude Cooray May 31 '12 at 08:26
  • You can generate a random symmetric key and share it encrypted under another, longer term, symmetric key. Essentially this is what Kerberos does at its core. – President James K. Polk May 31 '12 at 10:43
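
Both answers describe the same shape: a fresh symmetric key per message, wrapped with the receiver's RSA public key (second answer and the last comment), with the token signed by the sender's private key before encryption (first answer). Here is an added example of that sign-then-encrypt hybrid in Java; it is not code from either answer. The wire format, the 2048-bit RSA key pairs generated in main, the SHA256withRSA and RSA-OAEP algorithm names and the third "mallory" key pair used to show a forged message being rejected are all assumptions of the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hybrid sign-then-encrypt token exchange between two apps that each own an
 * RSA key pair. Added example; the wire layout is an assumption of this code:
 *   message   = [4-byte len][RSA-OAEP wrapped AES key][12-byte IV][AES-GCM ciphertext||tag]
 *   plaintext = [4-byte len][SHA256withRSA signature][token bytes]
 */
public class HybridTokenExchange {
    static final int IV_BYTES = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    /** Sender (app1): sign with own private key, encrypt under a fresh AES key, wrap that key for the receiver. */
    static byte[] send(PrivateKey senderSigKey, PublicKey receiverEncKey, String token) throws GeneralSecurityException {
        byte[] tok = token.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");   // step 1 of the first answer: sign the token
        s.initSign(senderSigKey);
        s.update(tok);
        byte[] sig = s.sign();
        byte[] payload = ByteBuffer.allocate(4 + sig.length + tok.length).putInt(sig.length).put(sig).put(tok).array();

        KeyGenerator kg = KeyGenerator.getInstance("AES");      // per-message random session key (last comment)
        kg.init(256);
        SecretKey sessionKey = kg.generateKey();
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = aes.doFinal(payload);

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"); // second answer: RSA wraps the AES key
        rsa.init(Cipher.WRAP_MODE, receiverEncKey);
        byte[] wrapped = rsa.wrap(sessionKey);
        return ByteBuffer.allocate(4 + wrapped.length + iv.length + ct.length)
                .putInt(wrapped.length).put(wrapped).put(iv).put(ct).array();
    }

    /** Receiver (app2): unwrap the session key, decrypt (tag checked here), then verify the sender's signature. */
    static String receive(PrivateKey receiverDecKey, PublicKey senderVerifyKey, byte[] msg) throws GeneralSecurityException {
        ByteBuffer b = ByteBuffer.wrap(msg);
        byte[] wrapped = new byte[b.getInt()]; b.get(wrapped);
        byte[] iv = new byte[IV_BYTES];        b.get(iv);
        byte[] ct = new byte[b.remaining()];   b.get(ct);

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, receiverDecKey);
        Key sessionKey = rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(TAG_BITS, iv));
        ByteBuffer p = ByteBuffer.wrap(aes.doFinal(ct));       // throws AEADBadTagException if modified in transit
        byte[] sig = new byte[p.getInt()];   p.get(sig);
        byte[] tok = new byte[p.remaining()]; p.get(tok);

        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(senderVerifyKey);
        v.update(tok);
        if (!v.verify(sig)) throw new SignatureException("token not signed by the expected sender");
        return new String(tok, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pairs so the example runs stand-alone; real apps load theirs from a keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair app1 = kpg.generateKeyPair(), app2 = kpg.generateKeyPair(), mallory = kpg.generateKeyPair();

        byte[] wire = send(app1.getPrivate(), app2.getPublic(), "cust-12345");
        System.out.println("app2 received: " + receive(app2.getPrivate(), app1.getPublic(), wire));

        // A message encrypted to app2 but signed by someone else decrypts fine and is still rejected.
        byte[] forged = send(mallory.getPrivate(), app2.getPublic(), "cust-12345");
        try {
            receive(app2.getPrivate(), app1.getPublic(), forged);
            System.out.println("BUG: forged token accepted");
        } catch (SignatureException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The GCM tag is checked before the signature, so a modified message and a forged one are rejected by different layers. In a deployment the key pairs would be loaded from a keystore and each app would pin the peer's public key or certificate, as the first answer says, rather than generating them in main; the per-message key also means that, unlike a single long-lived shared key, compromising one message's key exposes only that message.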