AES encryption from within a Tomcat web container

Jim Willmore
Greenhorn

Joined: Dec 06, 2008
Posts: 5
I am unable to decrypt a file from within a Struts plugin. I can encrypt and decrypt the file fine at the command line (outside the web container), but I'm unable to do so when the web application starts. I'm at a loss as to why this is happening - except that Tomcat is not configured properly.

The JDK used is 1.4.2, Struts used is 1.1 and the version of Tomcat is 5.0.28. At this point, I can not upgrade the JDK, version of Struts or the version of Tomcat.

Below is the code used (lengthy code). Any feedback appreciated.



[ UD: Please UseCodeTags when posting code of any length; it's much easier to read. And welcome to JavaRanch. ]
[ December 06, 2008: Message edited by: Ulf Dittmer ]

--- Jim
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
    
What does "unable to decrypt a file" mean? What happens when the code is executed, and how does that differ from what you expected?


Jim Willmore
Greenhorn

Joined: Dec 06, 2008
Posts: 5
Originally posted by Ulf Dittmer:
What does "unable to decrypt a file" mean? What happens when the code is executed, and how does that differ from what you expected?


When the web application is started (ex. Tomcat is restarted and the Struts plugin instantiated), the file being decrypted appears as garbage. It appears that the decryption is not working as expected.

When the code I posted is run outside the web container (on the command line), the encrypted file is properly decoded.

I hope this makes sense. If not, please let me know.
Jim Willmore
Greenhorn

Joined: Dec 06, 2008
Posts: 5
Originally posted by Jim Willmore:


When the web application is started (ex. Tomcat is restarted and the Struts plugin instantiated), the file being decrypted appears as garbage. It appears that the decryption is not working as expected.

When the code I posted is run outside the web container (on the command line), the encrypted file is properly decoded.

I hope this makes sense. If not, please let me know.


You know ... after reading what I wrote and what was asked ... I think I'll rephrase what I'm doing.

The code posted does the following:

1) When run at the command line, it takes a series of command line arguments and creates an encrypted file. It also prints out the contents of the file in decrypted form (just to make sure it was encrypted properly). As part of the encryption process, a Properties object is instantiated and, using the store method, the file is created.

2) When run from within a web container, the code will read the contents of the encrypted file, decrypt the file, populate a Properties object and the resulting values in the Properties object are used to create a connection pool.

3) The key used for encryption is the MD5 checksum of a file - usually one that should not change with any frequency.

In the various changes I made during this issue, I verified that the MD5 was the same in every invocation of the code (inside and outside the web container). I verified the files needed were found by the code used. I verified the permissions were set properly.

The one constant is that every time the code is used within a web container, the resulting Properties object is corrupt. When the Properties toString() method is invoked after decryption of the file used to populate the Properties object (the load() method of the Properties object), the result is garbage when the code is executed within the web container.

I hope this clarifies what the issue is. If not, please let me know.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
    
Just a shot in the dark, but ... The code doesn't specify an encoding anywhere. Is the servlet container possibly running with a different standard encoding than the platform default encoding you're using when running from the command line? That would make a difference for code such as "new String(baos.toByteArray())".
Jim Willmore
Greenhorn

Joined: Dec 06, 2008
Posts: 5
Originally posted by Ulf Dittmer:
Just a shot in the dark, but ... The code doesn't specify an encoding anywhere. Is the servlet container possibly running with a different standard encoding than the platform default encoding you're using when running from the command line? That would make a difference for code such as "new String(baos.toByteArray())".


I added ...



... as the first line of the initEncryptionFile method of the code initially posted to the thread.

Both the command line and the web application container show the same file encoding.

That was a good thought and I would have been grateful if that was the solution.
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
It looks like your initEncryption() generates a new random key every time. The passphrase that is computed there is never used!


Nice to meet you.
Jim Willmore
Greenhorn

Joined: Dec 06, 2008
Posts: 5
Originally posted by greg stark:
It looks like your initEncryption() generates a new random key every time. The passphrase that is computed there is never used!


Nice to meet you as well.

I do believe you are right and what I thought was strange when looking at encryption examples. Most, if not all, encryption examples show both the encryption *and* decryption done. I have yet to see one that shows how to encrypt .... and then later .... decrypt what was done.

Any example or resource I can be directed to is welcomed.
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
"Practical Cryptography" by Schneier.

In your example, you are using the contents of a file as the key material for the cipher, or trying to at any rate. This file needs to be available to both the encryptor and decryptor. You should probably use one of the password-based encryption (PBE) ciphers for this. See this link for an example: Using Password-based encryption. Also, sometimes the Sun providers are incomplete when it comes to cipher support. You should learn to love the Bouncycastle library, despite its lack of documentation. It only adds a few hundred K at most and supports many more Ciphers.
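
An added example (not code from this thread or from any poster) of the encrypt-now, decrypt-in-a-later-process pattern discussed above: the key is re-derived from a shared passphrase with PBKDF2 instead of being generated randomly, the salt and IV travel with the ciphertext, and the charset is explicit. It assumes Java 8 or later rather than the thread's JDK 1.4.2; the class name, passphrase and property values are constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class PropsCrypto {
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;

    // Same passphrase + same salt always yields the same key, in any JVM.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 100000, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Output layout: salt || iv || ciphertext+tag, so the reader needs only the passphrase.
    static byte[] encrypt(char[] passphrase, String text) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(text.getBytes(StandardCharsets.UTF_8)); // explicit charset, not the platform default
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    // With the wrong key, GCM throws AEADBadTagException instead of returning garbage.
    static String decrypt(char[] passphrase, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] pt = c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "constructed-passphrase".toCharArray();              // constructed sample value
        byte[] blob = encrypt(pass, "db.user=app\ndb.url=jdbc:example\n"); // constructed sample properties
        System.out.println(decrypt(pass, blob)); // key is re-derived, so a later process can do this too
        try {
            decrypt("other".toCharArray(), blob);
        } catch (AEADBadTagException e) {
            System.out.println("wrong key rejected");
        }
    }
}
```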
Jim Willmore
Greenhorn

Joined: Apr 02, 2006
Posts: 1
Originally posted by greg stark:

In your example, you are using the contents of a file as the key material for the cipher, or trying to at any rate.


Nice to meet you too.

I actually found a way to not use a PBE to accomplish what I wanted to


You were correct - I was *trying* to use the MD5 hash of a file as the password ... but never actually used it at all. Now I am.

Thanks to everyone for their help.
 