Nischint Ramesh

James Sabre wrote:Your code for writing and reading the key is seriously flawed. You must close the key file when writing it and you cannot rely on the read() to read the whole of your key file when reading it. Read the Javadoc for InputStream.read(byte[] ) to see why. The safest way to read the file is to use DataInputStream.readFully(). For example -if (f.exists()) { DataInputStream dis = new DataInputStream(new FileInputStream(f)); dis.readFully(bytes); dis.close(); } else { KeyGenerator kgen = KeyGenerator.getInstance("AES"); kgen.init(128); key = kgen.generateKey(); bytes = key.getEncoded(); OutputStream os = new FileOutputStream(f); os.write(bytes); os.close(); }

Though failure of your read() to read the whole key could cause the BadPaddingException I have never seen this problem on a lightly loaded system.

The difficulty I had with your code is that you don't return the ciphertext or cleartext from your encrypt() and decrypt() methods yet you say your BadPaddingException occurs only when you do! After changing your code so it returns the cleartext/ciphertext I don't see your problem and don't get the BadPaddingException. There are three common causes of BadPaddingException. First if the key used is incorrect, second if the ciphertext is corrupted and third if you try to decrypt something that is not encrypted. From you test harness I suspect you are trying to decrypt something that has not been encrypted OR that your key is not being read or written propperly.

Note - it is considered insecure to encrypt and store passwords. It is normally better to use a randomly seeded hashing so that nobody can easily obtain the original password from the hashed password. Even if you do have to encrypt the passwords, it is not considered secure to use ECB mode (the mode you get by default) since it is open to fraud by splicing of ciphertext and more worryingly it will allow someone with access to the database to determine which people have the same password. You should use something like CBC mode with a random IV.

Thanks a lot for your code for reading and writing keys. I shall surely use the method you suggested.

I found the problem of BadPaddingException. The application was truncating the ciphertext to 20 characters as it was a default length used in the app. Thing is , There is lots of code in between the encrypting, storing and decrypting logic above. I have just posted the logic that I thought the problem would exist.

About your note of using a one way hash algorithm for storing passwords, cannot be done in the case of my requirement, as there would be no prompting user for password and checking against the hash on the other end. I'm basically "sending the password of some machine to someone who doesn't know what his password is".

I shall look into CBC mode for block. I do not know what a IV is. Could you just guide me regarding CBC and random IV.?

Thanks a lot again.

Hi All,
My Requirement : I have to encrypt a password entered in JPasswordField. After encryption store it in a file. Also I have to decrypt the password for some application purposes which shouldn't matter. I have to decrypt and get the password back is all.

I found the following code to be working :
package encryptiondecryption; import sun.misc.BASE64Encoder; import sun.misc.BASE64Decoder; import javax.crypto.*; import javax.crypto.spec.SecretKeySpec; import java.io.*; import java.security.NoSuchAlgorithmException; public class ZameerEncrypt { public static SecretKeySpec getKeySpec() throws IOException, NoSuchAlgorithmException { byte[] bytes = new byte[16]; File f = new File("sample_aes_key"); SecretKey key = null; SecretKeySpec spec = null; if (f.exists()) { new FileInputStream(f).read(bytes); } else { KeyGenerator kgen = KeyGenerator.getInstance("AES"); kgen.init(128); key = kgen.generateKey(); bytes = key.getEncoded(); new FileOutputStream(f).write(bytes); } spec = new SecretKeySpec(bytes,"AES"); return spec; } public static void encrypt(String text) throws Exception { SecretKeySpec spec = getKeySpec(); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, spec); BASE64Encoder enc = new BASE64Encoder(); System.out.println(enc.encode(cipher.doFinal(text.getBytes()))); } public static void decrypt(String text) throws Exception { SecretKeySpec spec = getKeySpec(); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.DECRYPT_MODE, spec); BASE64Decoder dec = new BASE64Decoder(); System.out.println(new String(cipher.doFinal(dec.decodeBuffer(text)))); } public static void main(String[] args) throws Exception { String mode = "encrypt"; String text = "zameer"; if (mode.equals("encrypt")) { encrypt(text); } else if (mode.equals("decrypt")) { decrypt(text); } } }

I change the value of mode to decrypt and text to the encrypted string ( just copied and pasted from console ), the code works fine. No BadPaddingException whatsoever.
I have integrated the above class into my application ( without the main method of course ). Now I call encrypt and decrypt static methods.
Now when I do the following:
JPasswordField passwd = new JPasswordField(); /* assume logic in between which will let me enter the password */ String plainText = new String(passwd.getPassword()); String cipherText = ZameerEncrypt.encrypt(plainText); /* changed code from above to return the string rather than print it*/ String decryptedText = ZameerEncrypt.decrypt(cipherText);/*changed code from above to return the string rather than print it*/
I get a BadPaddingException : Given final block not properly padded after the last code line. What could be the reason guys.? The first code with main class works fine (please let me know if it shouldn't).