2

Is encode (Base64) - encrypt - transmit safe over HTTP?

Or is encrypt - encode - transmit the right way to do it?

Is there a possibility of data corruption because of this? (Reference: "Why do we use Base64?")

Using: javax Cipher `AES/CBC/PKCS5Padding`

for encrypting a multipart HTTP request with multiple file attachments

Encoding : base64

Cybermonk
  • the trick is always Encode and then Encrypt. Always Decrypt and then Decode. – akshaya pandey Nov 08 '17 at 12:34
  • 2
    Encryption and decryption should be done on the original (more compact) `byte[]`. Then for safe transmission as plain 7-bit ASCII _text_ one does a Base64 encoding/decoding. _(If text is to be encrypted, do `getBytes("UTF-8")` and `new String(bytes, "UTF-8")`)._ – Joop Eggen Nov 08 '17 at 12:35
  • 2
    You use base64 when you need to transmit *textual data* instead of binary data - for example when using a text based protocol - so `encrypt(base64(x))` is not something you would usually use. If you are performing a multipart/form-data upload you do not need encoding; you can use the raw bytes of your ciphertext in the request body. – Alex K. Nov 08 '17 at 12:36
  • +Alex K that's right I can just transfer after encrypting, but my suspicion is whether the encrypt will add any data that is considered "unsafe" as mentioned in the reference question - 'Why do we use Base64' – Cybermonk Nov 08 '17 at 12:42
  • +akshaya pandey could you kindly elaborate on why always that way. From what I read Joop Eggen's suggestion seems safer – Cybermonk Nov 08 '17 at 12:45
  • 1
    Yes, your encrypted data is binary, not text, so it is unsafe in that it should never be thought of or treated as text, because it isn't. – Alex K. Nov 08 '17 at 13:17
  • Not treating it as String. The rest service that I'm calling is decrypting and decoding. I want to be sure before I ask them to change to decode and decrypt if encrypting and transmitting without encoding is safe. – Cybermonk Nov 08 '17 at 13:34
  • 1
    @akshayapandey Encode to base64 and then encrypt? That makes no sense. – Luke Joshua Park Nov 08 '17 at 14:07

1 Answer

5

The correct way to address this is to encrypt the raw information and then encode to base64. Decryption is obviously the same in reverse.

Raw binary data doesn't work well with HTTP unless it is the body of the request. If you are passing data in the body then don't encode to base64, just send the raw binary ciphertext as it will reduce the size of the request.

Luke Joshua Park
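The encrypt-then-encode order from the answer, as an added example that is not part of the original post: it encrypts the raw bytes with `AES/CBC/PKCS5Padding`, Base64-encodes only for a text channel, reverses both steps, and shows that passing ciphertext through a `String` is what corrupts it. The class name, the generated key, the IV-prefix layout and the sample plaintext are assumptions made for the demo.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class EncryptThenEncode {
    static final String ALG = "AES/CBC/PKCS5Padding";

    // Encrypt the raw bytes; output is IV || ciphertext (arbitrary binary).
    static byte[] encrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);          // fresh random IV per message
        Cipher c = Cipher.getInstance(ALG);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Split off the 16-byte IV prefix and decrypt the remainder.
    static byte[] decrypt(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance(ALG);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(msg, 0, 16));
        return c.doFinal(msg, 16, msg.length - 16);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();           // constructed demo key
        byte[] file = "constructed sample attachment \u00e9\u00e8".getBytes(StandardCharsets.UTF_8);

        byte[] raw = encrypt(key, file);            // send as-is in a binary body part
        String text = Base64.getEncoder().encodeToString(raw); // only for text-only channels
        // Receiver: decode first, then decrypt.
        byte[] back = decrypt(key, Base64.getDecoder().decode(text));
        System.out.println("round trip ok: " + Arrays.equals(file, back));

        // Treating ciphertext as text is what corrupts it: invalid UTF-8
        // sequences are replaced during decoding and cannot be recovered.
        byte[] mangled = new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        System.out.println("survives String conversion: " + Arrays.equals(raw, mangled));
        System.out.println("sizes raw/base64: " + raw.length + "/" + text.length());
    }
}
```

The last line prints the size cost of Base64, which is the reason the answer recommends sending raw ciphertext when it travels in the request body.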