Java newbie here with a question on my RC4 encryption script i am trying to create in jsp. I took a Action Script 3 class that does RC4 encryption and was trying to port it over for jsp. Finally getting an output but it is not the correct output. Hoping someone can take a look at my code to see if they can help me figure out where my issue may be.
Right now my output is 5D226586D839826D9F081B . Let me know if adding the RC4 action script class on here would help also.
I know the code is not implemented correctly but as I stated I am a full blown newbie at JSP/Java. I am just figuring out how to create a servlet which I will be moving this to once I have it working out.
James Sabre wrote:There is no need for any of that code since RC4 is available in the JCE under the name ARCFOUR.
I think a lot of people aren't already familiar with the JCE -- perhaps you could post a small example?
The OP needs to spend some time learning about security, modern cryptography and the JCE and by posting a small example would not help with that at all. There is nothing in the original post to indicate that the OP is mandated to use RC4 (though I could be wrong) and since he is trying to transcribe some "Action Script" I suspect that he just happened to find the RC4 "Action Script" in a Web search and decided to use that.
The only reasons I can think of that one would use RC4 in preference to AES is if one were trying to match some existing ciphertext or if one was mandated to use it as part of a college/university project. If the OP is trying to match some existing ciphertext then the major difficulty will be in making sure he has the correct block mode, IV, key and padding and a simple example would not address this. If this is a college/university project then my posting code could defeat the object of the assignment/project.
By saying that the RC4 is available in the JCE I hoped this would either prompt the OP to use Google or, more likely, for him to post a follow up question.
Wow, my head hurts from looking at crypto code inside a JSP. Please, get it out of there.
Now, on to the basic problem. You are using Java String. That won't work. RC4 and most other modern cihpers operate on octets. An octet is a 8 bit unit, essentially the same as a C-language unsigned byte. Sadly for us Java folk, Java does not have an Unsigned Byte object. So if you naively use Byte instead, you get some code that works and some that does not. If the leading bit is on, Java will interpret that as making the value negative. Unsigned bytes have values from 0 to 255, not -127 to 128.
If you are careful, you can make it wok.
Or you can use the Google Guava library, that has an unsigned byte object.
Also, why are you using RC4? The real RC4 is proprietary, and the ARCFOUR has questionable origins. Do you really need a stream cipher? You seem to be using it in places that a block cipher would be better.
Joined: Sep 15, 2010
Sorry to take so long to get back here to post on the reply's but I was away from my computer till now. I actually ended up figuring out my issue. I went through the code section by section comparing my action script class with the output of the jsp and everything was the same till I got to the part were I am doing the RC4. Turns out I had to set i & j to 0 before I started doing the RC4 encryption. Once I did that the output was just fine then.
The reason for this encryption is so I can create a url link with encrypted url variables that goes to flash app that we created. The client originally was handling the link on their site and all I had to worry about was decrypting in the flash app. But we recently got the work from them to redo and host a section of their site which was cool except for the whole having to do it in java thing since we knew nothing of java.
Here is the working code.
Again thanks to everyone for the helpful input. Now I just need to figure out how to get this into a servlet. Wish me luck.