I'm building an app that will serve as a repository of encrypted data. The data is encrypted elsewhere (in a console Java application I'll run on my desktop); the app just needs to decrypt it and show it. I used the SimpleCrypto class, which can be found here, among other places: stackoverflow.com/questions/11418336

It worked fine on desktop, then I tried decrypting the data on Android. I got a bad padding error. I checked the input, made sure it's identical. Then I googled a bit and found the thread I posted above. It seems the methods of the class are flawed. They do not work correctly on Android.

This was quite the disappointment for me. I've spent a lot of time searching for something usable, only to find out the hard way that it's buggy. Could someone please point me to a similar implementation of encryption, one that works the same on desktop and Android? Thank you.

Shaggydog
  • I suggest that you check out the [Java Cryptography Architecture](http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html). – Code-Apprentice Jul 19 '13 at 20:29
  • Your "bad padding error" indicates a problem with the tail end of your decryption. What padding does your encryption process use? Make sure your decryption method is expecting the same sort of padding. Best to set both to PKCS#7 padding explicitly; don't rely on defaults. – rossum Jul 20 '13 at 10:54
  • I've voted to close as "off topic". As the question is currently written, this is a request for a link to an existing implementation or tool. If you re-wrote it so that it focussed on the broken code, that would be different. – Duncan Jones Jul 21 '13 at 05:54
  • Sorry, I'm joining Duncan here. On the one hand you say that you don't want to focus on the encryption part, but your first sentence suggests that this is exactly what your application does. If you want to create such an application, then learn about crypto. Choose another subject otherwise. – Maarten Bodewes Jul 21 '13 at 14:38

1 Answer

"Simple, strong encryption" is an oxymoron. I suggest that you check out the Java Cryptography Architecture. I don't know if it is packaged with Android's version of Java, but you can easily add the appropriate JAR file to your Android project.

Code-Apprentice
  • Alright, I should have said "simple but reasonably strong". I'm trying to avoid studying the Java Cryptography Architecture, because the point of the exercise for me is to learn Android, not cryptography in Java. And I'll likely never actually need that knowledge. I'd just like to find a class that I can include in both projects, call its methods and have it work reliably on both platforms. – Shaggydog Jul 19 '13 at 20:44
  • @Shaggydog If I understand correctly, you want **secure** code that is written by someone else without understanding what the code actually does. That doesn't sound like a very good recipe for security. – Code-Apprentice Jul 20 '13 at 16:45
  • But using those classes correctly isn't easy. There are so many possibilities and only a few of them are secure. Using a good helper class is far simpler than learning all the pitfalls yourself. Sending a novice to a low level crypto API has a 99% chance of producing code that appears to work but isn't actually secure. – CodesInChaos Jul 20 '13 at 16:46
  • @CodesInChaos And how do you determine if a "good helper class" is "good" and written by someone who isn't themselves a novice? – Code-Apprentice Jul 20 '13 at 16:52
  • Mostly by reputation. For example I've heard good things about [keyczar](http://www.keyczar.org/) – CodesInChaos Jul 20 '13 at 16:55
  • Exactly my point. I want to find a helper class written by someone who knew what they were doing, that was reviewed, tried and vetted by many people who likewise knew what they were doing. I started reading this article: http://download.java.net/jdk8/docs/technotes/guides/security/crypto/HowToImplAProvider.html This is what it said: "Who Should Read This Document: Programmers that only need to use the Java Security API to access existing cryptography algorithms and other services do not need to read this document." – Shaggydog Jul 20 '13 at 18:11
  • Simple strong encryption is not an oxymoron. It's just easy to get wrong. But the code is quite simple when it's finished. – Duncan Jones Jul 21 '13 at 05:52