AES encrypted password in UTF-8

Question

My application receives UTF-16 string as password, which should be saved post encryption in the database with UTF-8 encoding. I'm taking following actions for it

1. Take input password in wstring (UTF-16)
2. Reinterpret this password using reinterpret_cast to unsigned char *.
3. Use step 2 password and encrypt it using AES_cbc_encrypt, which returns unsigned char *
4. Convert step 3 output to wstring (UTF-16)
5. Convert wstring to UTF-8 using Poco's UnicodeConvertor class. Save this UTF-8 string in the database

Is this the correct way of saving AES encrypted password? Please suggest if there is a better way

Answer 1

Depending on your requirements you might want to consider first encoding the string to UTF-8 and then encrypting it. Advantage of this approach is, that the hash stored in the DB is based on a binary format that is independent of endianess. Using UTF-16 you usually need to deal with endianess when you have clients on different systems implemented in different programming languages.

Answer 2

I think you'd be much better off converting the encripted password to hex digits or to base-64 encoding. This way you're guaranteed to have no weird or illegal UTF-16 symbols, nor will you have \n, \r or \t in your UTF-8. The converted text will be somewhat larger - hope it's not a big deal.