Key handling for Java Encrypter

StackOverflow https://stackoverflow.com/questions/12472412

Question

In my Java based web-app I would like to encrypt some data before it is written to DB and decrypt it once loaded back to memory. To do that I used bouncycastle API and created a class that looks like this:

public class BlowfishEnrypter implements IEncrypter {

    /*--- Members ---*/

    private BufferedBlockCipher cipher;
    private KeyParameter key;

    /*--- Constructors ---*/

    /**
     * Initialize the cryptographic engine. The key array should be at least 8
     * bytes long.
     * 
     * @param key
     */
    public BlowfishEnrypter(byte[] key) {
    cipher = new BufferedBlockCipher(new CBCBlockCipher(new BlowfishEngine()));
    this.key = new KeyParameter(key);
    }

    /**
     * Initialize the cryptographic engine. The key array should be at least 8
     * bytes long.
     * 
     * @param key
     */
    public BlowfishEnrypter(String key) {
    this(key.getBytes());
    }

    /*--- Public ---*/

    /**
     * {@inheritDoc}
     */
    public String encrypt(String input) throws EncryptionException {
    if (StringUtils.hasText(input)) {
        byte[] bytes = Hex.decode(input);
        try {
        return new String(encrypt(bytes));
        } catch (CryptoException e) {
        throw new EncryptionException("Error occured while trying to encrypt", e);
        }
    } else {
        throw new EncryptionException("Illegal argument for encryption: " + input);
    }
    }

    /**
     * {@inheritDoc}
     */
    public String decrypt(String input) throws EncryptionException {
    if (StringUtils.hasText(input)) {
        byte[] bytes = Hex.decode(input);
        try {
        return new String(decrypt(bytes));
        } catch (CryptoException e) {
        throw new EncryptionException("Error occured while trying to decrypt", e);
        }
    } else {
        throw new EncryptionException("Illegal argument for decryption: " + input);
    }
    }

    /*--- Private ---*/

    /**
     * Encrypt arbitrary byte array, returning the encrypted data in a different
     * byte array.
     * 
     * @param data
     * @return Encrypted byte array
     * @throws CryptoException
     */
    private synchronized byte[] encrypt(byte[] data) throws CryptoException {
    if (data == null || data.length == 0) {
        return new byte[0];
    }

    cipher.init(true, key);
    return callCipher(data);
    }

    /**
     * Decrypts arbitrary data
     * 
     * @param data
     *            To decrypts
     * @return Decrypted byte array
     * @throws CryptoException
     */
    private synchronized byte[] decrypt(byte[] data) throws CryptoException {
    if (data == null || data.length == 0) {
        return new byte[0];
    }

    cipher.init(false, key);
    return callCipher(data);
    }

    /**
     * Private routine that does the gritty work.
     * 
     * @param data
     *            Data to operate on
     * @return Processed byte array
     * @throws CryptoException
     */
    private byte[] callCipher(byte[] data) throws CryptoException {
    int size = cipher.getOutputSize(data.length);
    byte[] result = new byte[size];
    int olen = cipher.processBytes(data, 0, data.length, result, 0);
    olen += cipher.doFinal(result, olen);

    if (olen < size) {
        byte[] tmp = new byte[olen];
        System.arraycopy(result, 0, tmp, 0, olen);
        result = tmp;
    }

    return result;
    }
}

So far so good (I think so, if you have any comments on this class please go ahead). To initialize this class I should provide a key. My question would be - How should I manage this key?

To be more specific:

  • Should I create it using a specific technique?
  • Where should I store it? In a properties file? in the DB? somewhere in my code?
  • should this key (we are talking about a string here, right?) be encrypted and then decrypted once it is loaded or used? If so how should I do that?
Was it helpful?

Solution

Depends on a number of things:

  1. Is your code stored in a secured location that cannot be viewed/accessed by others? If so I'd just put it in the code.
  2. Do you envisage changing the key from time to time (more secure this way)? If so and point 1 is still true then stick it in a property file.
  3. Otherwise put it in a database and keep the username/password of the database secret!

Not sure why you would want to encrypt the actual key though because where will you put the key to secure the original key?

The better thing to do though is look at Java SE security to see what, such as the Java Keystore, can do for you. Furthermore you can also read resources on bouncy castle's website which might be helpful.

OTHER TIPS

We have used similar encryption for many of our web apps. Usually the keys are kept as a string in a property file in source code. The key is not encrypted and its a string with special characters and other string combinations just to make it strong(numbers, caps etc). Once live the key is usually changed by business users around once in 6months..

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top