aspose file tools*
The moose likes Security and the fly likes RC4 Encryption Issue Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "RC4 Encryption Issue" Watch "RC4 Encryption Issue" New topic
Author

RC4 Encryption Issue

Jeremy Severson
Greenhorn

Joined: Sep 15, 2010
Posts: 13
Hey All,

Java newbie here with a question on my RC4 encryption script i am trying to create in jsp. I took a Action Script 3 class that does RC4 encryption and was trying to port it over for jsp. Finally getting an output but it is not the correct output. Hoping someone can take a look at my code to see if they can help me figure out where my issue may be.



Right now my output is 5D226586D839826D9F081B . Let me know if adding the RC4 action script class on here would help also.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61437
    
  67

Oi! What is this code doing in a JSP?

/facepalm

In any case -- nothing to do with JSP per se, so this has been moved to the Security forum.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Jeremy Severson
Greenhorn

Joined: Sep 15, 2010
Posts: 13
Thanks for moving this to the appropriate forum.

I know the code is not implemented correctly but as I stated I am a full blown newbie at JSP/Java. I am just figuring out how to create a servlet which I will be moving this to once I have it working out.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Better idea yet: work on the RC4 part completely separately from the web side of things. Get that working, then integrate.
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

There is no need for any of that code since RC4 is available in the JCE under the name ARCFOUR.


Retired horse trader.
 Note: double-underline links may be advertisements automatically added by this site and are probably not endorsed by me.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61437
    
  67

James Sabre wrote:There is no need for any of that code since RC4 is available in the JCE under the name ARCFOUR.

I think a lot of people aren't already familiar with the JCE -- perhaps you could post a small example?
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Agreed--I see a lot of people attempting to encrypt things. Most people can't, and it's wasted effort since there are several well-known ways to get *good* encryption in Java.

(Not that the above code does or doesn't work--I haven't looked at it--just echoing Bear's point.)
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Bear Bibeault wrote:
James Sabre wrote:There is no need for any of that code since RC4 is available in the JCE under the name ARCFOUR.

I think a lot of people aren't already familiar with the JCE -- perhaps you could post a small example?


The OP needs to spend some time learning about security, modern cryptography and the JCE and by posting a small example would not help with that at all. There is nothing in the original post to indicate that the OP is mandated to use RC4 (though I could be wrong) and since he is trying to transcribe some "Action Script" I suspect that he just happened to find the RC4 "Action Script" in a Web search and decided to use that.

The only reasons I can think of that one would use RC4 in preference to AES is if one were trying to match some existing ciphertext or if one was mandated to use it as part of a college/university project. If the OP is trying to match some existing ciphertext then the major difficulty will be in making sure he has the correct block mode, IV, key and padding and a simple example would not address this. If this is a college/university project then my posting code could defeat the object of the assignment/project.

By saying that the RC4 is available in the JCE I hoped this would either prompt the OP to use Google or, more likely, for him to post a follow up question.




Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Wow, my head hurts from looking at crypto code inside a JSP. Please, get it out of there.

Now, on to the basic problem. You are using Java String. That won't work. RC4 and most other modern cihpers operate on octets. An octet is a 8 bit unit, essentially the same as a C-language unsigned byte. Sadly for us Java folk, Java does not have an Unsigned Byte object. So if you naively use Byte instead, you get some code that works and some that does not. If the leading bit is on, Java will interpret that as making the value negative. Unsigned bytes have values from 0 to 255, not -127 to 128.

If you are careful, you can make it wok.

Or you can use the Google Guava library, that has an unsigned byte object.

Also, why are you using RC4? The real RC4 is proprietary, and the ARCFOUR has questionable origins. Do you really need a stream cipher? You seem to be using it in places that a block cipher would be better.
Jeremy Severson
Greenhorn

Joined: Sep 15, 2010
Posts: 13
Sorry to take so long to get back here to post on the reply's but I was away from my computer till now. I actually ended up figuring out my issue. I went through the code section by section comparing my action script class with the output of the jsp and everything was the same till I got to the part were I am doing the RC4. Turns out I had to set i & j to 0 before I started doing the RC4 encryption. Once I did that the output was just fine then.

The reason for this encryption is so I can create a url link with encrypted url variables that goes to flash app that we created. The client originally was handling the link on their site and all I had to worry about was decrypting in the flash app. But we recently got the work from them to redo and host a section of their site which was cool except for the whole having to do it in java thing since we knew nothing of java.

Here is the working code.



Again thanks to everyone for the helpful input. Now I just need to figure out how to get this into a servlet. Wish me luck.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: RC4 Encryption Issue