-1

I'm trying to learn Java Cipher Crypto and just have a few questions about my code below:

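import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

public class Main2 {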

    public static void main(String[] args) {

        Cipher cipher;
        KeyGenerator keyGenerator;

        SecureRandom secureRandom;
        int keyBitSize = 128;
        SecretKey secretKey;

        byte[] plainText, plainText2;
        byte[] cipherText, cipherText2;

        try 
        {
            cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            keyGenerator = KeyGenerator.getInstance("AES");

            secureRandom = new SecureRandom();          
            keyGenerator.init(keyBitSize, secureRandom);

            secretKey = keyGenerator.generateKey();

            try 
            {
                //pass secretKey to cipher.init()
                cipher.init(Cipher.ENCRYPT_MODE, secretKey);

                try 
                {
                    plainText = "helloWorld".getBytes("UTF-8");
                    plainText2 = "helloWorld".getBytes("UTF-8");

                    cipherText = cipher.doFinal(plainText);
                    cipherText2 = cipher.doFinal(plainText2);

                    System.out.println(cipherText + "\n" + cipherText2);
                }

                catch (IllegalBlockSizeException e) 
                {
                    e.printStackTrace();
                } 

                catch (BadPaddingException e) 
                {
                    e.printStackTrace();
                }

                catch (UnsupportedEncodingException e) 
                {
                    e.printStackTrace();
                }                
            } 

            catch (InvalidKeyException e) 
            {
                e.printStackTrace();
            }
        } 

        catch (NoSuchAlgorithmException e) 
        {       
            e.printStackTrace();
        } 

        catch (NoSuchPaddingException e) 
        {
            e.printStackTrace();
        }

    }

}
  1. Why does it get an Invalid Key Exception (invalid key size) when the keyBitSize is set to 256? Is cipher limited to 128 bits?

  2. Does this encryption method always generate a consistent encrypted string length of 11 (when set to keyBitSize = 128)?

  3. Does this method truncate any plaintext input string of greater length?

  4. Would encrypting user input using this method before storing the encrypted values in a MySQL database be a reliable form of security?

Jae Bin

1 Answer

1

Why does it get an Invalid Key Exception (invalid key size) when the keyBitSize is set to 256? Is cipher limited to 128 bits?

Assuming you are using OracleJDK you need the Unlimited Strength JCE libraries (as commented). Yes, into the jre/lib/security folder.

Does this encryption method always generate a consistent encrypted string length of 11 (when set to keyBitSize = 128)?
Does this method truncate any plaintext input string of greater length?

You are printing out the byte array references, not any encrypted values. The result of the encryption is a byte array, and you should encode the array into printable characters (good practice is base64 or hex).

You may have a look at my blog for some examples.

Would encrypting user input using this method before storing the encrypted values in a MySQL database be a reliable form of security?

Not at all. It has nothing to do with encryption; it is the way you are using it.

When it comes to user authentication credentials, never ever store user passwords, even encrypted. Then in principle the user password is reversible. There are a lot of articles about it, e.g. https://www.google.be/amp/s/nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/amp/

Best practice today to store authentication credentials is using a salted slow hash (pbkdf2, ...).

gusto2
  • With regards to my last question (#4), I should have clarified that I am storing user data like names, address, and credit cards. I was wondering if using cipher would give a layer of security just in case an unauthorized user gets into the db and sees the field values in plaintext. With this, all they will see is random byte array stored as blob/varbinary and not plaintext. – Jae Bin Oct 15 '18 at 04:54
  • I am also already using BCrypt to store web-app users' passwords in my db. – Jae Bin Oct 15 '18 at 04:54
  • @jae-bin yes indeed, it is ok to encrypt sensitive information. You may have a look at the linked blog, so with the encryption itself you should use a proper IV (initialization vector), encoding (so you can use text fields) and authenticated encryption – gusto2 Oct 15 '18 at 05:15
  • 1
    Nit: Oracle JDK or JRE _below 8u151_ needs the policy jars. 8u15x only needs an edit in jre/lib/security/java.security and 8u161 up (including 9,10,11) already has policy=unlimited. Also the canonical or at least hoary classic for printing an array is https://stackoverflow.com/questions/409784/whats-the-simplest-way-to-print-a-java-array – dave_thompson_085 Oct 15 '18 at 05:25
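
The advice in the answer and comments above (a fresh IV per value, authenticated encryption, and Base64 encoding so the result fits a text column) put together in one sketch. This is an added example, not code from the original post or the linked blog; AES-GCM is chosen here as one authenticated mode, and the class name `FieldCrypto` and the sample strings are constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class FieldCrypto { // hypothetical class name
    private static final int IV_LEN = 12;    // bytes; the usual GCM nonce size
    private static final int TAG_BITS = 128; // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    // Returns Base64(IV || ciphertext || tag), printable and safe for a text column.
    static String encrypt(SecretKey key, String plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // fresh random IV for every value; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException if the stored value was modified or the key is wrong.
    static String decrypt(SecretKey key, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // 256 needs the unlimited policy on older Oracle JDKs
        SecretKey key = kg.generateKey();
        // Output length grows with the input; nothing is truncated.
        for (String s : new String[] {"helloWorld", "a much longer constructed sample value"}) {
            String stored = encrypt(key, s);
            System.out.println(stored.length() + " chars -> " + decrypt(key, stored));
        }
        byte[] raw = Base64.getDecoder().decode(encrypt(key, "helloWorld"));
        raw[raw.length - 1] ^= 1; // simulate a modified database value
        try {
            decrypt(key, Base64.getEncoder().encodeToString(raw));
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }
    }
}
```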