4

I was reading this article about serialization.

It was the first time I saw encrypting a serialized object. I'm trying to encrypt some serializable object and then save them into a file. But the article's example uses ECB mode which is known to reveal informations about the encrypted plaintext. I was wondering, how is it possible to encrypt a serialized object by using CBC instead of ECB mode?

In order to use CBC, an initial vector is needed. This vector must be saved with the serialized object, but if the vector gets encrypted then we can't find the vector in order to decrypt the object.

Also, is it possible to say that the initial vector will be saved as plaintext in the file where the serialiazable object is saved. But then wouldn't the file be destroyed?

An example using CBC mode would be very useful.

Antonys
  • 41
  • 1
  • 3
  • 3
    If you're concerned about security vulnerabilities, don't use DES -- it's been broken. Use either 3DES or AES. – Chris Thompson Feb 12 '11 at 02:04
  • 1
    I'm not sure about the Java aspect of this, but in CBC you are supposed to store the IV unencrypted, since otherwise no one can decrypt the resulting message. It doesn't leak anything, since as long as the IV is never repeated an attacker can't use it to do anything because it's fed into the block cipher, which is a PRF. – templatetypedef Feb 12 '11 at 02:05

1 Answers1

0

There's a decent SO question and answer about using 3DES here. The IV is a digest of the password/key. The solution cited there can be augmented with the appropriate serialization mechanics to a ByteArrayOutputStream or directly to/from a FileOutputStream.

(Not an expert by any means, but pointing out what's on SO already...)

Community
  • 1
  • 1
andersoj
  • 22,406
  • 7
  • 62
  • 73