91

Why I ask this question:

I know there have been a lot of questions about AES encryption, even for Android. And there are lots of code snippets if you search the Web. But on every single page, in every Stack Overflow question, I find another implementation with major differences.

So I created this question to find a "best practice". I hope we can collect a list of the most important requirements and set up an implementation that is really secure!

I read about initialization vectors and salts. Not all implementations I found had these features. So do you need it? Does it increase the security a lot? How do you implement it? Should the algorithm raise exceptions if the encrypted data cannot be decrypted? Or is that insecure and it should just return an unreadable string? Can the algorithm use Bcrypt instead of SHA?

What about these two implementations I found? Are they okay? Perfect or some important things missing? What of these is secure?

The algorithm should take a string and a "password" for encryption and then encrypt the string with that password. The output should be a string (hex or base64?) again. Decryption should be possible as well, of course.

What is the perfect AES implementation for Android?

Implementation #1:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class AdvancedCrypto implements ICrypto {

        public static final String PROVIDER = "BC";
        public static final int SALT_LENGTH = 20;
        public static final int IV_LENGTH = 16;
        public static final int PBE_ITERATION_COUNT = 100;

        private static final String RANDOM_ALGORITHM = "SHA1PRNG";
        private static final String HASH_ALGORITHM = "SHA-512";
        private static final String PBE_ALGORITHM = "PBEWithSHA256And256BitAES-CBC-BC";
        private static final String CIPHER_ALGORITHM = "AES/CBC/PKCS5Padding";
        private static final String SECRET_KEY_ALGORITHM = "AES";

        public String encrypt(SecretKey secret, String cleartext) throws CryptoException {
                try {

                        byte[] iv = generateIv();
                        String ivHex = HexEncoder.toHex(iv);
                        IvParameterSpec ivspec = new IvParameterSpec(iv);

                        Cipher encryptionCipher = Cipher.getInstance(CIPHER_ALGORITHM, PROVIDER);
                        encryptionCipher.init(Cipher.ENCRYPT_MODE, secret, ivspec);
                        byte[] encryptedText = encryptionCipher.doFinal(cleartext.getBytes("UTF-8"));
                        String encryptedHex = HexEncoder.toHex(encryptedText);

                        return ivHex + encryptedHex;

                } catch (Exception e) {
                        throw new CryptoException("Unable to encrypt", e);
                }
        }

        public String decrypt(SecretKey secret, String encrypted) throws CryptoException {
                try {
                        Cipher decryptionCipher = Cipher.getInstance(CIPHER_ALGORITHM, PROVIDER);
                        String ivHex = encrypted.substring(0, IV_LENGTH * 2);
                        String encryptedHex = encrypted.substring(IV_LENGTH * 2);
                        IvParameterSpec ivspec = new IvParameterSpec(HexEncoder.toByte(ivHex));
                        decryptionCipher.init(Cipher.DECRYPT_MODE, secret, ivspec);
                        byte[] decryptedText = decryptionCipher.doFinal(HexEncoder.toByte(encryptedHex));
                        String decrypted = new String(decryptedText, "UTF-8");
                        return decrypted;
                } catch (Exception e) {
                        throw new CryptoException("Unable to decrypt", e);
                }
        }

        public SecretKey getSecretKey(String password, String salt) throws CryptoException {
                try {
                        PBEKeySpec pbeKeySpec = new PBEKeySpec(password.toCharArray(), HexEncoder.toByte(salt), PBE_ITERATION_COUNT, 256);
                        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM, PROVIDER);
                        SecretKey tmp = factory.generateSecret(pbeKeySpec);
                        SecretKey secret = new SecretKeySpec(tmp.getEncoded(), SECRET_KEY_ALGORITHM);
                        return secret;
                } catch (Exception e) {
                        throw new CryptoException("Unable to get secret key", e);
                }
        }

        public String getHash(String password, String salt) throws CryptoException {
                try {
                        String input = password + salt;
                        MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM, PROVIDER);
                        byte[] out = md.digest(input.getBytes("UTF-8"));
                        return HexEncoder.toHex(out);
                } catch (Exception e) {
                        throw new CryptoException("Unable to get hash", e);
                }
        }

        public String generateSalt() throws CryptoException {
                try {
                        SecureRandom random = SecureRandom.getInstance(RANDOM_ALGORITHM);
                        byte[] salt = new byte[SALT_LENGTH];
                        random.nextBytes(salt);
                        String saltHex = HexEncoder.toHex(salt);
                        return saltHex;
                } catch (Exception e) {
                        throw new CryptoException("Unable to generate salt", e);
                }
        }

        private byte[] generateIv() throws NoSuchAlgorithmException, NoSuchProviderException {
                SecureRandom random = SecureRandom.getInstance(RANDOM_ALGORITHM);
                byte[] iv = new byte[IV_LENGTH];
                random.nextBytes(iv);
                return iv;
        }

}

Source: http://pocket-for-android.1047292.n5.nabble.com/Encryption-method-and-reading-the-Dropbox-backup-td4344194.html

Implementation #2:

import java.security.SecureRandom;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Usage:
 * <pre>
 * String crypto = SimpleCrypto.encrypt(masterpassword, cleartext)
 * ...
 * String cleartext = SimpleCrypto.decrypt(masterpassword, crypto)
 * </pre>
 * @author ferenc.hechler
 */
public class SimpleCrypto {

    public static String encrypt(String seed, String cleartext) throws Exception {
        byte[] rawKey = getRawKey(seed.getBytes());
        byte[] result = encrypt(rawKey, cleartext.getBytes());
        return toHex(result);
    }

    public static String decrypt(String seed, String encrypted) throws Exception {
        byte[] rawKey = getRawKey(seed.getBytes());
        byte[] enc = toByte(encrypted);
        byte[] result = decrypt(rawKey, enc);
        return new String(result);
    }

    private static byte[] getRawKey(byte[] seed) throws Exception {
        KeyGenerator kgen = KeyGenerator.getInstance("AES");
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        sr.setSeed(seed);
        kgen.init(128, sr); // 192 and 256 bits may not be available
        SecretKey skey = kgen.generateKey();
        byte[] raw = skey.getEncoded();
        return raw;
    }


    private static byte[] encrypt(byte[] raw, byte[] clear) throws Exception {
        SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
        byte[] encrypted = cipher.doFinal(clear);
        return encrypted;
    }

    private static byte[] decrypt(byte[] raw, byte[] encrypted) throws Exception {
        SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.DECRYPT_MODE, skeySpec);
        byte[] decrypted = cipher.doFinal(encrypted);
        return decrypted;
    }

    public static String toHex(String txt) {
        return toHex(txt.getBytes());
    }
    public static String fromHex(String hex) {
        return new String(toByte(hex));
    }

    public static byte[] toByte(String hexString) {
        int len = hexString.length()/2;
        byte[] result = new byte[len];
        for (int i = 0; i < len; i++)
            result[i] = Integer.valueOf(hexString.substring(2*i, 2*i+2), 16).byteValue();
        return result;
    }

    public static String toHex(byte[] buf) {
        if (buf == null)
            return "";
        StringBuffer result = new StringBuffer(2*buf.length);
        for (int i = 0; i < buf.length; i++) {
            appendHex(result, buf[i]);
        }
        return result.toString();
    }
    private final static String HEX = "0123456789ABCDEF";
    private static void appendHex(StringBuffer sb, byte b) {
        sb.append(HEX.charAt((b>>4)&0x0f)).append(HEX.charAt(b&0x0f));
    }

}

Source: http://www.tutorials-android.com/learn/How_to_encrypt_and_decrypt_strings.rhtml

Peter O.
  • 32,158
  • 14
  • 82
  • 96
caw
  • 30,999
  • 61
  • 181
  • 291
  • I am trying to implement the solution 1 but it needed some classes. do you have the full source code? – albanx Jun 25 '12 at 21:11
  • 1
    No, I haven't, sorry. But I got it working by simply deleting `implements ICrypto` and changing `throws CryptoException` to `throws Exception` and so on. So you won't need those classes anymore. – caw Jun 25 '12 at 21:37
  • But also the HexEncoder class is missing? Where can I found it? – albanx Jun 26 '12 at 09:03
  • HexEncoder is part of the BouncyCastle library, I think. You can just download it. Or you can google for "byte[] to hex" and the other way round in Java. – caw Jun 26 '12 at 21:05
  • Thank you Marco. But I notice that there are 3 methods `getSecretKey`, `getHash`, `generateSalt` in the first implementation that are unused. Maybe I am wrong but how could this class be used to encrypt a string in practice? – albanx Jun 27 '12 at 20:20
  • They are unused because the class seems to be incomplete. You have to use `getSecretKey()` for example to get the `SecretKey` that you need for `encrypt()` and so on. It's not static and not dynamic either. – caw Jun 27 '12 at 22:19
  • this implemention can be used only for storing local data and not for exchangin them because of random salt – albanx Jun 28 '12 at 08:03
  • for HexEncode you can use [this](http://stackoverflow.com/a/9855338/1080355) and for hex to bye[] you can use [this](http://stackoverflow.com/a/140861/1080355) – VSB Jun 30 '13 at 08:28
  • check this link http://codingaffairs.blogspot.com/2016/06/aes-encryption-decryption-in-android.html – Developine Jun 25 '16 at 10:17

5 Answers5

38

Neither implementation you give in your question is entirely correct, and neither implementation you give should be used as is. In what follows, I will discuss aspects of password-based encryption in Android.

Keys and Hashes

I will start discussing the password-based system with salts. The salt is a randomly generated number. It is not "deduced". Implementation 1 includes a generateSalt() method that generates a cryptographically strong random number. Because the salt is important to security, it should be kept secret once it is generated, though it only needs to be generated once. If this is a Web site, it's relatively easy to keep the salt secret, but for installed applications (for desktop and mobile devices), this will be much more difficult.

The method getHash() returns a hash of the given password and salt, concatenated into a single string. The algorithm used is SHA-512, which returns a 512-bit hash. This method returns a hash that's useful for checking a string's integrity, so it might as well be used by calling getHash() with just a password or just a salt, since it simply concatenates both parameters. Since this method won't be used in the password-based encryption system, I won't be discussing it further.

The method getSecretKey(), derives a key from a char array of the password and a hex-encoded salt, as returned from generateSalt(). The algorithm used is PBKDF1 (I think) from PKCS5 with SHA-256 as the hash function, and returns a 256-bit key. getSecretKey() generates a key by repeatedly generating hashes of the password, salt, and a counter (up to the iteration count given in PBE_ITERATION_COUNT, here 100) in order to increase the time needed to mount a brute-force attack. The salt's length should be at least as long as the key being generated, in this case, at least 256 bits. The iteration count should be set as long as possible without causing unreasonable delay. For more information on salts and iteration counts in key derivation, see section 4 in RFC2898.

The implementation in Java's PBE, however, is flawed if the password contains Unicode characters, that is, those that require more than 8 bits to be represented. As stated in PBEKeySpec, "the PBE mechanism defined in PKCS #5 looks at only the low order 8 bits of each character". To work around this problem, you can try generating a hex string (which will contain only 8-bit characters) of all 16-bit characters in the password before passing it to PBEKeySpec. For example, "ABC" becomes "004100420043". Note also that PBEKeySpec "requests the password as a char array, so it can be overwritten [with clearPassword()] when done". (With respect to "protecting strings in memory", see this question.) I don't see any problems, though, with representing a salt as a hex-encoded string.

Encryption

Once a key is generated, we can use it to encrypt and decrypt text.

In implementation 1, the cipher algorithm used is AES/CBC/PKCS5Padding, that is, AES in the Cipher Block Chaining (CBC) cipher mode, with padding defined in PKCS#5. (Other AES cipher modes include counter mode (CTR), electronic codebook mode (ECB), and Galois counter mode (GCM). Another question on Stack Overflow contains answers that discuss in detail the various AES cipher modes and the recommended ones to use. Be aware, too, that there are several attacks on CBC mode encryption, some of which are mentioned in RFC 7457.)

Note that you should use an encryption mode that also checks the encrypted data for integrity (e.g., authenticated encryption with associated data, AEAD, described in RFC 5116). However, AES/CBC/PKCS5Padding doesn't provide integrity checking, so it alone is not recommended. For AEAD purposes, using a secret that's at least twice as long as a normal encryption key is recommended, to avoid related key attacks: the first half serves as the encryption key, and the second half serves as the key for the integrity check. (That is, in this case, generate a single secret from a password and salt, and split that secret in two.)

Java Implementation

The various functions in implementation 1 use a specific provider, namely "BC", for its algorithms. In general, though, it is not recommended to request specific providers, since not all providers are available on all Java implementations, whether for lack of support, to avoid code duplication, or for other reasons. This advice has especially become important since the release of Android P preview in early 2018, because some functionality from the "BC" provider has been deprecated there — see the article "Cryptography Changes in Android P" in the Android Developers Blog. See also the Introduction to Oracle Providers.

Thus, PROVIDER should not exist and the string -BC should be removed from PBE_ALGORITHM. Implementation 2 is correct in this respect.

It is inappropriate for a method to catch all exceptions, but rather to handle only the exceptions it can. The implementations given in your question can throw a variety of checked exceptions. A method can choose to wrap only those checked exceptions with CryptoException, or specify those checked exceptions in the throws clause. For convenience, wrapping the original exception with CryptoException may be appropriate here, since there are potentially many checked exceptions the classes can throw.

SecureRandom in Android

As detailed in the article "Some SecureRandom Thoughts", in the Android Developers Blog, the implementation of java.security.SecureRandom in Android releases before 2013 has a flaw that reduces the strength of random numbers it delivers. This flaw can be mitigated as described in that article.

Peter O.
  • 32,158
  • 14
  • 82
  • 96
  • That double secret generation is a bit wasteful in my opinion, you could as easily split the generated secret in two, or - if not enough bits are available - add a counter (1 for the first key, 2 for the second key) to the secret and perform a single hash. No need to perform all the iterations twice. – Maarten Bodewes Dec 30 '11 at 22:45
  • Thanks for the information on HMAC and the salt. I won't use HMAC this time but later it might be very useful. And in general, this is a good thing, no doubt. – caw Dec 31 '11 at 13:21
  • Thank you very much for all the edits and this (now) wonderful introduction to AES encryption in Java! – caw Jan 02 '12 at 00:30
  • Isn't the PROVIDER parameter needed as "BC" stands for "Bouncy Castle" and this is not part of the standard JDK? Will getInstance() search for the correct provider? – caw Jan 02 '12 at 01:21
  • 1
    It should. `getInstance` has an overload that takes only the name of the algorithm. Example: [Cipher.getInstance()](http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html#getInstance%28java.lang.String%29) Several providers, including Bouncy Castle, may be registered in the Java implementation and this kind of overload searches the list of providers for one of them that implements the given algorithm. You should try it and see. – Peter O. Jan 02 '12 at 01:31
  • 1
    Yup, it will search the providers in the order given by Security.getProviders() - although it will now also check if the key is accepted by that provider during the init() call allowing for hardware assisted encryption. More details here: http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html. – Maarten Bodewes Jan 02 '12 at 19:04
  • @owlstead: Thanks for your comments on the double secret generation. Sorry for not commenting earlier, but my current answer includes your ideas (in the last paragraph of "Encryption"). See the edit history. – Peter O. Nov 16 '12 at 09:42
  • Isn't it better to specify BC in android? – frostymarvelous Nov 09 '14 at 13:11
18

#2 should never be used as it uses only "AES" (which means ECB mode encryption on text, a big no-no) for the cipher. I'll just talk about #1.

The first implementation seems to adhere to best practices for encryption. The constants are generally OK, although both the salt size and the number of iterations for performing PBE are on the short side. Futhermore, it seems to be for AES-256 since the PBE key generation uses 256 as a hard coded value (a shame after all those constants). It uses CBC and PKCS5Padding which is at least what you would expect.

Completely missing is any authentication/integrity protection, so an attacker can change the cipher text. This means that padding oracle attacks are possible in a client/server model. It also means that an attacker can try and change the encrypted data. This will likely result in some error somewhere becaues the padding or content is not accepted by the application, but that's not a situation that you want to be in.

Exception handling and input validation could be enhanced, catching Exception is always wrong in my book. Furhtermore, the class implements ICrypt, which I don't know. I do know that having only methods without side effects in a class is a bit weird. Normally, you would make those static. There is no buffering of Cipher instances etc., so every required object gets created ad-nauseum. However, you can safely remove ICrypto from the definition it seems, in that case you could also refactor the code to static methods (or rewrite it to be more object oriented, your choice).

The problem is that any wrapper always makes assumptions about the use case. To say that a wrapper is right or wrong is therefore bunk. This is why I always try to avoid generating wrapper classes. But at least it does not seem explicitly wrong.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • Thank you very much for this detailed answer! I know it's a shame but I didn't know the code review section yet :D Thanks for this hint, I'll check that out. But this question does also fit here in my opinion as I don't just want a review of these code snippets. Instead, I want to ask you all what aspects are important when implementing AES encryption in Android. And you're right again, this code snippet is for AES-256. So you would say that this is general a safe implementation of AES-256? The use case is that I just want to safely store text information in a database. – caw Dec 30 '11 at 01:40
  • 1
    It looks good, but the idea of not having integrity checks and authentication would bother me. If you have enough space I would seriously consider adding a HMAC over the ciphertext. That said, as you are probably trying to simply add confidentiality, I would consider it a big plus, but not directly a requirement. – Maarten Bodewes Dec 30 '11 at 03:01
  • But if the intention is only that others should not have access to the encrypted information, I don't need a HMAC, right? If they change the ciphertext and force a "wrong" result of decryption, there's no real problem, is there? – caw Dec 30 '11 at 03:23
  • If that is not in your risk scenario, then that is fine. If they can somehow trigger a repeated decrypt by the system after altering the cipher text (a padding oracle attack) then they could decrypt the data without ever knowing the key. They cannot do this if they simply get hold of the data on a system that does not have the key. But that's why it is always best practice to add a HMAC. Personally, I would consider a system with AES-128 and HMAC safer than AES-256 without - but as said, probably not required. – Maarten Bodewes Dec 30 '11 at 03:37
  • Okay, now I've understood everything :) Thank you very much again for your help! But I have two questions left: I need to pass the same password and salt for decryption and encryption, right? Otherwise I won't be able to decrypt the ciphertext again. But how do I deduce the salt? Can't I just take the same string for all encryption and decryption tasks? AND: I can't find any "ICrypto" in the public web. So this is probably something the author of that code wrote himself, right? Will the code work without that expression? – caw Dec 30 '11 at 03:52
  • 1
    Why not use AES in Galois/Counter-mode (AES-GCM) if you want integrity? – Kimvais Dec 30 '11 at 20:00
  • Thanks, Kimvais, AES-GCM is a good idea! But in my case, it is not available, unfortunately. As I don't want to store the salt as well, I will create a hash and use it as the salt. So is it unsecure to hard-code the salt? I don't know how much information you can get if you decompile Java/Android applications. – caw Dec 31 '11 at 13:28
  • And, by the way, what is getHash() used for? – caw Dec 31 '11 at 14:27
  • That's something that you should discuss with the creator of the class I guess (if somebody has a spare crystal ball I'm certainly interested). – Maarten Bodewes Jan 01 '12 at 21:32
  • ... I just thought you could know where hashes are needed in the encryption process, perhaps ;) – caw Jan 02 '12 at 00:13
  • For the record, I believe my revision 2 of this post was text from a comment of yours, rather than original text of mine. – Peter O. Oct 23 '18 at 17:38
1

You have asked a pretty interesting question. As with all algorithms the cipher key is the "secret sauce", since once that's known to the public, everything else is too. So you look into ways to this document by Google

security

Besides Google In-App Billing also gives thoughts on security which is insightful as well

billing_best_practices

kyogs
  • 6,766
  • 1
  • 34
  • 50
the100rabh
  • 4,077
  • 4
  • 32
  • 40
  • Thanks for these links! What exactly do you mean by "when the cipher key is out, everything else is out too"? – caw Jan 01 '12 at 20:06
  • What I mean is that encryption key needs to be secure, if anyone can get hold of that, then your encrypted data is as good as plaintext. Please upvote if you found my answer helpful to a degree :-) – the100rabh Jan 02 '12 at 04:37
0

I found a nice implementation here : http://nelenkov.blogspot.fr/2012/04/using-password-based-encryption-on.html and https://github.com/nelenkov/android-pbe That was also helpful in my quest for a good enough AES Implementation for Android

clément francomme
  • 71
  • 6
0

Use BouncyCastle Lightweight API. It provides 256 AES With PBE and Salt.
Here sample code, which can encrypt/decrypt files.

public void encrypt(InputStream fin, OutputStream fout, String password) {
    try {
        PKCS12ParametersGenerator pGen = new PKCS12ParametersGenerator(new SHA256Digest());
        char[] passwordChars = password.toCharArray();
        final byte[] pkcs12PasswordBytes = PBEParametersGenerator.PKCS12PasswordToBytes(passwordChars);
        pGen.init(pkcs12PasswordBytes, salt.getBytes(), iterationCount);
        CBCBlockCipher aesCBC = new CBCBlockCipher(new AESEngine());
        ParametersWithIV aesCBCParams = (ParametersWithIV) pGen.generateDerivedParameters(256, 128);
        aesCBC.init(true, aesCBCParams);
        PaddedBufferedBlockCipher aesCipher = new PaddedBufferedBlockCipher(aesCBC, new PKCS7Padding());
        aesCipher.init(true, aesCBCParams);

        // Read in the decrypted bytes and write the cleartext to out
        int numRead = 0;
        while ((numRead = fin.read(buf)) >= 0) {
            if (numRead == 1024) {
                byte[] plainTemp = new byte[aesCipher.getUpdateOutputSize(numRead)];
                int offset = aesCipher.processBytes(buf, 0, numRead, plainTemp, 0);
                final byte[] plain = new byte[offset];
                System.arraycopy(plainTemp, 0, plain, 0, plain.length);
                fout.write(plain, 0, plain.length);
            } else {
                byte[] plainTemp = new byte[aesCipher.getOutputSize(numRead)];
                int offset = aesCipher.processBytes(buf, 0, numRead, plainTemp, 0);
                int last = aesCipher.doFinal(plainTemp, offset);
                final byte[] plain = new byte[offset + last];
                System.arraycopy(plainTemp, 0, plain, 0, plain.length);
                fout.write(plain, 0, plain.length);
            }
        }
        fout.close();
        fin.close();
    } catch (Exception e) {
        e.printStackTrace();
    }

}

public void decrypt(InputStream fin, OutputStream fout, String password) {
    try {
        PKCS12ParametersGenerator pGen = new PKCS12ParametersGenerator(new SHA256Digest());
        char[] passwordChars = password.toCharArray();
        final byte[] pkcs12PasswordBytes = PBEParametersGenerator.PKCS12PasswordToBytes(passwordChars);
        pGen.init(pkcs12PasswordBytes, salt.getBytes(), iterationCount);
        CBCBlockCipher aesCBC = new CBCBlockCipher(new AESEngine());
        ParametersWithIV aesCBCParams = (ParametersWithIV) pGen.generateDerivedParameters(256, 128);
        aesCBC.init(false, aesCBCParams);
        PaddedBufferedBlockCipher aesCipher = new PaddedBufferedBlockCipher(aesCBC, new PKCS7Padding());
        aesCipher.init(false, aesCBCParams);

        // Read in the decrypted bytes and write the cleartext to out
        int numRead = 0;
        while ((numRead = fin.read(buf)) >= 0) {
            if (numRead == 1024) {
                byte[] plainTemp = new byte[aesCipher.getUpdateOutputSize(numRead)];
                int offset = aesCipher.processBytes(buf, 0, numRead, plainTemp, 0);
                // int last = aesCipher.doFinal(plainTemp, offset);
                final byte[] plain = new byte[offset];
                System.arraycopy(plainTemp, 0, plain, 0, plain.length);
                fout.write(plain, 0, plain.length);
            } else {
                byte[] plainTemp = new byte[aesCipher.getOutputSize(numRead)];
                int offset = aesCipher.processBytes(buf, 0, numRead, plainTemp, 0);
                int last = aesCipher.doFinal(plainTemp, offset);
                final byte[] plain = new byte[offset + last];
                System.arraycopy(plainTemp, 0, plain, 0, plain.length);
                fout.write(plain, 0, plain.length);
            }
        }
        fout.close();
        fin.close();
    } catch (Exception e) {
        e.printStackTrace();
    }
}
kelheor
  • 174
  • 1
  • 10
  • Thank you! This is probably a good and secure solution but I don't want to use third party software. I'm sure it must be possible to implement AES in a safe way on one's own. – caw Dec 31 '11 at 13:18
  • 2
    Depends if you want to include protection against side channel attacks. Generally, you should assume it is pretty *unsafe* to implement cryptographic algorithms on your own. As AES CBC is available in the Java runtime libs of Oracle, it's probably best to use those and use the Bouncy Castle libraries if an algorithm is unavailable. – Maarten Bodewes Jan 01 '12 at 21:37
  • It's missing the definition of `buf` (I *really* hope it's not a `static` field). It also looks like both `encrypt()` and `decrypt()` will fail to process the final block correctly if the input is a multiple of 1024 bytes. – tc. May 24 '13 at 15:16