Java – Encryption (mode and padding)

cryptographyencryptionjavapublic-key-encryption

I was tasked with writing a small Java console application that involves encryption. I am not familiar with encryption, so I had to do some reading up first. So far the high level requirements given is that AES-256 should be used to generate a one-time key to encrypt a file.

After that, the recipient's public key (RSA-2048) should be used to encrypt that AES-256 one-time key. The encrypted file and the encrypted one-time AES-256 key will then be zipped up and send to recipient.

From what I understand about encryption and decryption from reading up, apart from the algorithm (RSA, AES, etc), there is also things called mode and padding. For example, the following code specified RSA as algorithm, ECB mode and PKCS1Padding.

Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

The same algorithm, mode and padding must be used in the encryption and decryption. Therefore, is it reasonable for me to go ask the users on what mode and padding they want?

I notice that Cipher cipher = Cipher.getInstance("RSA") seems to use the default mode of ECB and padding of PKCS1Padding, and so this line of code is the same as the above. So is it ok to assume that ECB mode and PKCS1Padding mode will be used for RSA-2048 as default?

Best Answer

No, for sending messages you should use the newer OAEP scheme, as RSA with PKCS#1 v1.5 may be vulnerable to the Bleichenbacher attack. It is however entirely probable and even likely that somebody requesting RSA hybrid encryption has never heard of the attack. In general PKCS#1 v1.5 padding is still used as the default.

You should never expect users to make security decisions for you, unless the only users are students of cryptography (and know about the attack above). Security in general should not rely too much on educating users.

Personally I would certainly asking the requester about the padding. You should also check if they would expect authentication (MAC, HMAC, authenticated cipher or a signature) for the symmetric encryption. If he/she cannot answer the question they may not know that much about encryption.

I would not currently consider the requirements you have been given to be complete (although "for learning purposes" can be one hell of an excuse).

Notes

"RSA/ECB/PKCS1Padding" actually doesn't implement ECB mode encryption. It should have been called "RSA/None/PKCS1Padding" as it can only be used to encrypt a single block of plaintext (or, indeed a secret key). This is just a naming mistake of Sun/Oracle.

There is also a hybrid encryption mode called RSA-KEM that should be at least as secure as RSA OAEP, but it has not been implemented within Java SE.

AES-256 itself should not be used to "generate a one time key". You should use an instance of KeyGenerator generate an AES-256 one time key (this is likely a bit of naming confusion because the KeyGenerator itself does not use AES, it creates keys for AES).

Related Solutions

Java – What are the differences between a HashMap and a Hashtable in Java

There are several differences between HashMap and Hashtable in Java:

Hashtable is synchronized, whereas HashMap is not. This makes HashMap better for non-threaded applications, as unsynchronized Objects typically perform better than synchronized ones.
Hashtable does not allow null keys or values. HashMap allows one null key and any number of null values.
One of HashMap's subclasses is LinkedHashMap, so in the event that you'd want predictable iteration order (which is insertion order by default), you could easily swap out the HashMap for a LinkedHashMap. This wouldn't be as easy if you were using Hashtable.

Since synchronization is not an issue for you, I'd recommend HashMap. If synchronization becomes an issue, you may also look at ConcurrentHashMap.

Java – a serialVersionUID and why should I use it

The docs for java.io.Serializable are probably about as good an explanation as you'll get:

The serialization runtime associates with each serializable class a version number, called a serialVersionUID, which is used during deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to serialization. If the receiver has loaded a class for the object that has a different serialVersionUID than that of the corresponding sender's class, then deserialization will result in an InvalidClassException. A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that must be static, final, and of type long:

ANY-ACCESS-MODIFIER static final long serialVersionUID = 42L;

If a serializable class does not explicitly declare a serialVersionUID, then the serialization runtime will calculate a default serialVersionUID value for that class based on various aspects of the class, as described in the Java(TM) Object Serialization Specification. However, it is strongly recommended that all serializable classes explicitly declare serialVersionUID values, since the default serialVersionUID computation is highly sensitive to class details that may vary depending on compiler implementations, and can thus result in unexpected InvalidClassExceptions during deserialization. Therefore, to guarantee a consistent serialVersionUID value across different java compiler implementations, a serializable class must declare an explicit serialVersionUID value. It is also strongly advised that explicit serialVersionUID declarations use the private modifier where possible, since such declarations apply only to the immediately declaring class — serialVersionUID fields are not useful as inherited members.

Best Answer

Notes

Related Solutions

Java – What are the differences between a HashMap and a Hashtable in Java

Java – a serialVersionUID and why should I use it

Related Topic