Blog : https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html

As stated in the blog, it recommends not using a hardcoded provider name. Is the following code affected by this deprecation?



```java
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

import android.util.Base64;

public class LocalCrypto
{

    public static String encryptIt(String value, String cryptoPass) {

        // Nothing to encrypt: return the input unchanged
        if (value == null || value.trim().length() == 0)
        {
            return value;
        }

        try {
            // Derive a DES key directly from the password bytes (DESKeySpec uses the first 8 bytes)
            DESKeySpec keySpec = new DESKeySpec(cryptoPass.getBytes("UTF8"));
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
            SecretKey key = keyFactory.generateSecret(keySpec);

            byte[] clearText = value.getBytes("UTF8");
            // Cipher is not thread safe, so a new instance is created per call.
            // No provider is named here; "DES" alone leaves mode and padding to the provider default.
            Cipher cipher = Cipher.getInstance("DES");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return Base64.encodeToString(cipher.doFinal(clearText), Base64.DEFAULT);

        } catch (InvalidKeyException e) {
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (InvalidKeySpecException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (BadPaddingException e) {
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            e.printStackTrace();
        }
        // On any failure the plaintext is returned as-is
        return value;
    }

    public static String decryptIt(String value, String cryptoPass) {

        // Nothing to decrypt: return the input unchanged
        if (value == null || value.trim().length() == 0)
        {
            return value;
        }

        try {
            // Same key derivation as in encryptIt
            DESKeySpec keySpec = new DESKeySpec(cryptoPass.getBytes("UTF8"));
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
            SecretKey key = keyFactory.generateSecret(keySpec);

            byte[] encryptedPwdBytes = Base64.decode(value, Base64.DEFAULT);
            // Cipher is not thread safe, so a new instance is created per call
            Cipher cipher = Cipher.getInstance("DES");
            cipher.init(Cipher.DECRYPT_MODE, key);
            byte[] decryptedValueBytes = cipher.doFinal(encryptedPwdBytes);

            String decryptedValue = new String(decryptedValueBytes, "UTF8");
            return decryptedValue;

        } catch (InvalidKeyException e) {
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (InvalidKeySpecException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (BadPaddingException e) {
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            e.printStackTrace();
        }
        // On any failure the ciphertext is returned as-is
        return value;
    }
}
```
  • Nothing in your code is related to anything in the article. Your code has more than enough badness left over however, but that would be a topic for another question. – President James K. Polk Mar 14 '17 at 11:50
  • Thanks James, yes, it may be bad code, as it is beyond my level of understanding and I copied it from https://gist.github.com/aogilvie/6267013 . It has the wrong hierarchy of catching exceptions, right? – Sudarshan Vidhate Mar 14 '17 at 15:55
  • General advice: **Always use a fully qualified Cipher string.** `Cipher.getInstance("DES");` may result in different ciphers depending on the default security provider. It most likely results in `"DES/ECB/PKCS5Padding"`, but it doesn't have to be. If it changes, you'll lose compatibility between different JVMs. For reference: [Java default Crypto/AES behavior](http://stackoverflow.com/q/6258047/1816580) – Artjom B. Mar 14 '17 at 19:10
  • **Don't use DES nowadays.** It only provides 56 bits of security. AES would be much better, because it's more secure with the lowest key size of 128 bits. There is also a practical limit on the maximum ciphertext size with DES. See [Security comparison of 3DES and AES](http://security.stackexchange.com/q/26179/45523). – Artjom B. Mar 14 '17 at 19:10
  • **Never use [ECB mode](http://crypto.stackexchange.com/q/14487/13022)**. It's deterministic and therefore not semantically secure. You should at the very least use a randomized mode like [CBC](http://crypto.stackexchange.com/q/22260/13022) or [CTR](http://crypto.stackexchange.com/a/2378/13022). It is better to authenticate your ciphertexts so that attacks like a [padding oracle attack](http://crypto.stackexchange.com/q/18185/13022) are not possible. This can be done with authenticated modes like GCM or EAX, or with an [encrypt-then-MAC](http://crypto.stackexchange.com/q/202/13022) scheme. – Artjom B. Mar 14 '17 at 19:10
  • The exception hierarchy is the least of your problems. – Artjom B. Mar 14 '17 at 19:11
  • @Artjom B, thank you for this valuable information. – Sudarshan Vidhate Mar 15 '17 at 08:05

0 Answers