• 0

Is this good crypto code?


Question

Hey all

Is this good code for generating a secure random string?

http://stackoverflow.com/a/7111973

 

Would this code work for encrypting strings if I changed "keyString" to the string generated from the above code?

http://www.javaxp.com/2012/04/java-simple-aes-cryptography-example.html

 

I understand that I need a secure random number generator and I know I want to use AES, I just want to make sure those sources are secure.

 

Thanks :D

10 answers to this question

  • 0

So since you said you understand that you need a secure number generator, then you should probably read about Java's secure random to see how it works:

http://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html

http://www.java-tv.com/2013/01/21/java-secure-random-number-generation/

 

The Android version was discovered to be buggy earlier this year:

http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html

 

The code for encrypting strings would probably work with your homebrewed key as long as you have the correct key size of AES, but you really shouldn't be reinventing the wheel: http://docs.oracle.com/javase/7/docs/api/javax/crypto/KeyGenerator.html

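The KeyGenerator approach recommended in the answer above, shown as an added example; this is not code from the thread or from the pages it links to. The class name, the choice of AES/GCM/NoPadding, the IV-then-ciphertext layout and Java 8 or later are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class AesKeyGeneratorExample {            // hypothetical class name
    private static final int IV_BYTES = 12;      // usual GCM nonce length
    private static final int TAG_BITS = 128;     // GCM authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    // KeyGenerator fills the key with bytes from SecureRandom; the key is
    // raw binary and never passes through a printable string.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, RNG);                       // valid AES sizes: 128, 192, 256 bits
        return kg.generateKey();
    }

    // Output layout (assumption of this example): IV || ciphertext+tag
    static byte[] encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // fresh IV for every message under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static String decrypt(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, msg, 0, IV_BYTES));
        // doFinal throws AEADBadTagException if the message was modified
        byte[] pt = c.doFinal(msg, IV_BYTES, msg.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        byte[] msg = encrypt(key, "constructed sample plaintext");
        System.out.println("ciphertext: " + Base64.getEncoder().encodeToString(msg));
        System.out.println("decrypted:  " + decrypt(key, msg));
    }
}
```

To store the key, keep `key.getEncoded()` as bytes (or Base64 text) and rebuild it with `new SecretKeySpec(bytes, "AES")`.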

  • 0

Is Java's KeyGenerator good?


  • 0

Depends on the source of randomness. So the same issue as the one you are making. But, in general I'd trust a vetted implementation over rolling my own solution for such things. Also, if you think there may be issues in the KeyGenerator, why not suspect issues with the AES implementation also? I probably wouldn't use either of them if I thought there were potential security issues in implementation.


  • 0

Very true. I appreciate your help.


  • 0

No problem. It's also worth noting that the AES implementation is far more likely to be messed up than the KeyGenerator simply because it is more complicated. I realized that I didn't say that in my original post when I should have.


  • 0

What is that referring to?

 

An implementation of the AES algorithm is going to be much more complicated than the key generator implementation (i.e. the implementation of AES used by the SecretKeySpec class).


  • 0

If I used the following code and changed keyString to be generated by KeyGenerator, would that work well?

http://www.javaxp.com/2012/04/java-simple-aes-cryptography-example.html


This topic is now closed to further replies.