Need some help / advice with my project over here. Basically I'm building a Java Security application for USB flash drives. There are a couple of features in this application that we are building, but my part is focused on the encryption function. What the users can do, using our application, is log in to the application and then perform encryption / decryption on their personal files.
Users have to perform an offline login (authentication) into the application, using their username and password. The username and password the user enters are compared with a file inside the flash drive (call it the credential file) that also stores the correct login information. Only when the user enters the right username and password can the user access the application. The information stored inside the file is hashed, and not stored as clear text.
Here comes the more confusing issue. Because I'm not sure if my concept of encryption is correct, I need to ask for advice. I want the application to implement cascading encryption. The 2 algorithms I have chosen are AES, and the other I'm not too sure about yet (let's call it Algorithm B). My idea of the encryption was:
1. The user selects the file that he / she wants to encrypt.
2. The file will first be encrypted with Algorithm B. The key used by Algorithm B is stored inside a file, contained in the flash drive.
3. The resulting cipher will be further encrypted with AES encryption, with a different key, stored separately in a different file, contained inside the flash drive.
I don't understand how one should store the keys inside the flash drive. My understanding is that the keys COULD NEVER be stored inside the flash drive as cleartext, but how do I, as the programmer, store the keys securely inside the flash drive? I'm not sure if my idea is correct, but this was my plan (assuming the user has now logged off the application):
1. The user logs in to the application using the USERNAME AND PASSWORD.
2. The PASSWORD here will first act as the key to decrypt the "outer" layer of the AES encryption on the file that is encrypted.
3. At the same time, the PASSWORD will also act as the key to decrypt the key (stored inside the flash drive) for Algorithm B. In other words, Algorithm B's key will be encrypted with AES encryption too.
4. Finally, Algorithm B's key is decrypted, and now the user can decrypt their personal files using that (by selecting the files and clicking the button).
I understand that AES by itself is currently very secure, and doing cascading encryption is overkill. However, I wanted to do something that could further improve the confidentiality of the files. Here are some questions that I have:
1. Does cascading encryption really improve security? Some of the materials on the net say it does, some say it doesn't. So what are your opinions?
2. What does a key for encryption "look" like? Is a key a String? Can I store the keys inside the flash drive as text files, but not in cleartext?
3. Is the security concept of my application correct?
I am not new to Java programming, but I haven't really done encryption before, so I'm pretty new to it. I would appreciate it if you guys could teach me and give me constructive advice on my project, and please do not post any rude comments on it.
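
One way to handle the key-storage step raised in question 2, as an added example that is not part of the original post: a random AES file key is wrapped with AES-GCM under a key derived from the login password with PBKDF2 (rather than using the password directly as the key), and the result is stored as one Base64 text line. The class name, iteration count, `salt:iv:ciphertext` layout and sample password are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class WrappedKeyDemo {
    static final int ITERATIONS = 200_000; // assumed work factor; tune for the target hardware
    // Derive a 256-bit key-encryption key (KEK) from the login password and a random salt.
    static SecretKey deriveKek(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Wrap the file key under the KEK; returns the text line to store: salt:iv:ciphertext.
    static String wrap(SecretKey fileKey, char[] password) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKek(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(fileKey.getEncoded());
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(iv) + ":" + b64.encodeToString(ct);
    }

    // Unwrap the stored line; a wrong password fails the GCM tag check (AEADBadTagException).
    static SecretKey unwrap(String stored, char[] password) throws Exception {
        String[] p = stored.split(":");
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKek(password, b64.decode(p[0])), new GCMParameterSpec(128, b64.decode(p[1])));
        return new SecretKeySpec(c.doFinal(b64.decode(p[2])), "AES");
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey fileKey = kg.generateKey(); // random key that actually encrypts the user's files
        char[] pw = "constructed-sample-password".toCharArray(); // constructed sample value
        String stored = wrap(fileKey, pw);
        System.out.println("key file contents: " + stored);
        System.out.println("round trip ok: " + Arrays.equals(fileKey.getEncoded(), unwrap(stored, pw).getEncoded()));
        try { unwrap(stored, "wrong".toCharArray()); }
        catch (AEADBadTagException e) { System.out.println("wrong password rejected"); }
    }
}
```

Because only the wrapped key depends on the password, a password change re-wraps one short line instead of re-encrypting every file.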