Padding Exception

raj jaiswal
Ranch Hand

Joined: Nov 25, 2008
Posts: 56
Hi all,
I want to decrypt the data in my class but I am getting some padding exception. Can anybody solve this problem?
Error



My decrypt code is


Thanks
Rajjaiswal
SCJP1.6
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42926
    
You're apparently storing the encrypted data in a string - that doesn't work, since encrypted data is binary. You need to store it in a byte[].

Also, you're using "new String(byte[])" - that means you're ignoring encodings and are relying on the JVM's platform default encoding. That may be OK, but is not generally a safe thing to do. Make sure you understand this issue.
raj jaiswal
Ranch Hand

Joined: Nov 25, 2008
Posts: 56
Hi,
Thanks for the reply.
But I didn't understand where I need to modify the code.
Please tell me how to solve this and where to modify.

Thanks
Rajjaiswal
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42926
    
Security is an important topic. It's quite easy to build insecure systems if you don't understand what's going on. So the last thing a responsible professional should do is tell you how to fix your code if you don't understand why it's broken to begin with.

Start by reading up on encryption to learn why keys and encrypted data can not be treated as text, but must be treated as binary data. This means you can not store them as strings, but must store them as byte[].

Then read up on how Java handles character encodings, particularly the concept of the platform default encoding and how that affects the use of "new String(byte[])".
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

In CBC mode a BadPaddingException is almost always caused because you have corrupted your ciphertext or you are using the wrong key or you are using the wrong IV. Make sure that at each stage the ciphertext, key and IV being used in decryption match exactly those being used or generated in the encryption. As has already been said, don't use a String as a container for binary data without first Base64, Hex or ASCII85 encoding it because it will get corrupted. This applies to keys, ciphertext and IVs.


Retired horse trader.
 Note: double-underline links may be advertisements automatically added by this site and are probably not endorsed by me.
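The String-versus-byte[] point made in the replies above, as an added example that is not code from any poster in this thread. It assumes AES/CBC/PKCS5Padding (the thread's own cipher setup is not shown); the class name, the `run` helper and the sample plaintext are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class CiphertextTransport {
    // Assumption: the cipher used in the thread is not visible, AES/CBC stands in for it.
    static final String ALG = "AES/CBC/PKCS5Padding";

    static byte[] run(int mode, SecretKey key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        // Constructed sample plaintext; 46 bytes give 48 bytes of ciphertext.
        byte[] ct = run(Cipher.ENCRYPT_MODE, key, iv,
                "constructed sample value for a database column".getBytes(StandardCharsets.UTF_8));

        // Broken: ciphertext pushed through a String. Byte sequences that are not
        // valid UTF-8 are replaced with U+FFFD on decoding, so different bytes come back.
        byte[] mangled = new String(ct, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        System.out.println("String round trip intact: " + Arrays.equals(ct, mangled));
        try {
            run(Cipher.DECRYPT_MODE, key, iv, mangled);
        } catch (GeneralSecurityException e) {
            // BadPaddingException or IllegalBlockSizeException, depending on the damage
            System.out.println("decrypt failed: " + e.getClass().getSimpleName());
        }

        // Working: Base64 is plain ASCII text, so it survives being held in a String.
        String stored = Base64.getEncoder().encodeToString(ct);
        byte[] restored = Base64.getDecoder().decode(stored);
        byte[] pt = run(Cipher.DECRYPT_MODE, key, iv, restored);
        System.out.println("Base64 round trip: " + new String(pt, StandardCharsets.UTF_8));
    }
}
```

The same applies to the key and the IV: they are kept as byte[] or encoded with Base64 or hex before being held as text.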
raj jaiswal
Ranch Hand

Joined: Nov 25, 2008
Posts: 56
Hi all,
Please help me to resolve the following exception while decrypting.
The error is


and my decryption code is



This is the method where I am calling the decryption method.



Thanks In Advance


Raj jaiswal
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42926
    
I still see "new String(byte[])" being used, indicating that you've not yet fully grasped the issue of encodings, and the difference between character data and binary data. That's where you should start. Implementing encryption via trial-and-error is a fast way to implement insecure systems.
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

As well as the encoding problem highlighted by Ulf, the code

is just nonsense. You are creating a random string and using that to generate a key to use to decrypt 's'. Even if 's' references valid ciphertext then the chances of that ciphertext having been created using the same random key is very very very very very small. For DES this means that you will get a BadPaddingException about 255 out of 256 times and the 1 out of 256 times you don't you will end up with nonsense.

I don't know where you got that code from but it all looks cumbersome and flawed and it shows a complete lack of knowledge of even the most basic aspects of cryptography. You won't like this but you need to do a lot of reading before you go any further. A good starting point, but only a starting point, is "Beginning Cryptography with Java" by David Hook published by Wrox. Put away your computer and start reading.
raj jaiswal
Ranch Hand

Joined: Nov 25, 2008
Posts: 56
Hi James Sabre,
Actually that code is running fine; it's not giving any error. It only gives an error when I try to connect with the database. I simply checked that code in a Java class and it encrypts/decrypts perfectly.
I think the whole code is not wrong; maybe somewhere else I am making some mistake. Please don't say the whole program is wrong. Please try to solve it and tell me where I am going wrong.
The code below is running fine.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42926
    
raj jaiswal wrote: It only gives an error when I try to connect with the database.

The code doesn't perform any DB operations, so there's a disconnect here (not that you're posting the actual exception and stack trace, so that anyone would know for sure).

But you're still missing all the points being made about encoding and trial-by-error programming. While you may be able to get around the issues you're trying to address, I think there's a high probability that the resulting code will not work well, and may quite possibly be insecure. You seem to want to ignore all that - which I'd characterize as unprofessional.

Going by the package name "com.questam", is this by any chance for this company? If so, given that it bills itself as CMMI Level 2, I think you're deviating quite far from CMMI standards.
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

raj jaiswal wrote: Hi James Sabre,
Actually that code is running fine; it's not giving any error. It only gives an error when I try to connect with the database. I simply checked that code in a Java class and it encrypts/decrypts perfectly.


Sorry but it can't be working without any error. As I said before, the code for your getDec() method uses a random key so how can that possibly decrypt ciphertext that was encrypted with a different key. Since I can't see how you use the code to connect to your database I can't really comment on that code!


raj jaiswal wrote: I think the whole code is not wrong; maybe somewhere else I am making some mistake. Please don't say the whole program is wrong. Please try to solve it and tell me where I am going wrong.
The code below is running fine.


So why do you need the flawed getDec() method? In this latest code you are using the same key for both encryption and decryption so it may be working.




It is my opinion that all the code you have posted is flawed in many ways.

I am concerned about the key generation process which seems to use some form of PBE. Since you don't post the relevant key I have to assess the quality based on the rest of your code.

I am concerned that you assume that InputStream.read(byte[] ) guarantees to read all the bytes requested when it doesn't. You will mostly get away with this but one day it will jump up and bite you.

I am concerned that your decrypt() method converts your ciphertext to streams when it does not need to. This more than doubles the number of lines of code needed for this task. It shows a fundamental lack of knowledge of the JCE.

I am concerned that your getDec() method uses a random key for decryption. I suspect that you are using this method to decrypt the fields of your database and this is why you are getting the bad padding exception but since you don't show the code that matters I could be on the wrong track.

I am concerned over the general quality of the code and just because "that code is running fine its not giving any error" does not mean it is not flawed.

Best of luck.

Bye
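Three of the concerns listed in the post above (partial reads, unnecessary streams, decrypting with a fresh random key), as an added example that is not the poster's or the original author's code. AES/CBC/PKCS5Padding, the class name and the `trickle` and `crypt` helpers are assumptions made for illustration, since the thread's code is not shown.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class DecryptChecks {
    static final String ALG = "AES/CBC/PKCS5Padding"; // assumption, not the thread's cipher

    // Constructed stream that hands out at most 5 bytes per read(), as a socket or BLOB stream may.
    static InputStream trickle(byte[] data) {
        return new ByteArrayInputStream(data) {
            @Override public synchronized int read(byte[] b, int off, int len) {
                return super.read(b, off, Math.min(len, 5));
            }
        };
    }

    static byte[] crypt(int mode, SecretKey key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(in); // the whole array in one call, no stream wrappers needed
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, key, iv,
                "constructed field value".getBytes(StandardCharsets.UTF_8));
        byte[] buf = new byte[ct.length];
        int n = trickle(ct).read(buf);                   // a single read() may stop early
        System.out.println("read() returned " + n + " of " + ct.length + " bytes");
        new DataInputStream(trickle(ct)).readFully(buf); // loops until the buffer is full
        System.out.println(new String(crypt(Cipher.DECRYPT_MODE, key, iv, buf), StandardCharsets.UTF_8));

        try {
            // Fresh random key: the situation described for getDec().
            crypt(Cipher.DECRYPT_MODE, kg.generateKey(), iv, buf);
            System.out.println("padding happened to validate; the output is garbage");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong key: " + e.getClass().getSimpleName());
        }
    }
}
```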
 