Balzanka / guava-libraries

Automatically exported from code.google.com/p/guava-libraries
Apache License 2.0

Encryption utilities #1361

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Occasionally I encounter the need for a utility to encrypt and decrypt strings. 
 Most (or all?) of those times it's been used to encode some information in a 
URL or cookies, where I don't want the information to be visible to users or 
the parameters to be guessable.  These are not passwords and it's not the end 
of the world if someone breaks the encryption.

I'm no security expert, nor have I mastered the security/crypto APIs in the 
JDK.  The resulting code usually leaves me wondering if I made some fundamental 
error that would be obvious to a security guru.  Plus it tends to be hard to 
read.  E.g. Cipher.doFinal makes me deal with checked exceptions that seem 
impossible in certain contexts.  It's also not thread-safe, which is a pain.

It would be nice to have an API for generating secret keys and encryptors based 
on known, good security algorithms.  The API could save me from dealing with 
low-level, ugly APIs like Cipher.  Theoretical example:

  StringEncryptor encryptor = CipherTransformations.aesCbcNoPadding_128()
      .newEncryptor(secretKey) // maybe this is ByteEncryptor?
      .withEncoding(BaseEncoding.base64Url().omitPadding(), Charsets.UTF_8);

  String originalMessage = ...
  String encryptedMessage = encryptor.encrypt(originalMessage);
  Optional<String> decryptedMessage = encryptor.decrypt(encryptedMessage); // present
  Optional<String> decryptedGarbage = encryptor.decrypt("garbage"); // absent

Most of the value of this feature would be in the bytes-to-bytes encryption.  
So if there was only a "ByteEncryptor" I could pretty easily build my own 
StringEncryptor on top of it.

For reference, the crypto documentation lists various algorithms that exist on 
every Java platform:
http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
http://docs.oracle.com/javase/7/docs/api/javax/crypto/KeyGenerator.html
http://docs.oracle.com/javase/7/docs/api/java/security/KeyPairGenerator.html

Original issue reported on code.google.com by michael.hixson@gmail.com on 5 Apr 2013 at 1:27
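
The API sketched in the post above, as an added example that is not part of the original issue and is not Guava or ESAPI code. It swaps the post's `aesCbcNoPadding_128` for AES-GCM, because returning "absent" for garbage or tampered input requires an integrity check, which unauthenticated CBC does not provide. The class name `UrlTokenEncryptor` is hypothetical; the code assumes Java 8+ and uses `java.util.Base64` in place of Guava's `BaseEncoding`.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper (added example): authenticated string encryption for URL/cookie values.
public final class UrlTokenEncryptor {
  private static final int NONCE_BYTES = 12, TAG_BITS = 128;
  private static final SecureRandom RANDOM = new SecureRandom();
  private final SecretKey key; // only immutable state, so one instance can be shared across threads
  public UrlTokenEncryptor(SecretKey key) { this.key = key; }

  public String encrypt(String plaintext) {
    try {
      byte[] nonce = new byte[NONCE_BYTES];
      RANDOM.nextBytes(nonce); // fresh random nonce per message; never reuse one under the same key
      Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); // Cipher is not thread-safe: new one per call
      cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
      byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
      byte[] out = ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
      return Base64.getUrlEncoder().withoutPadding().encodeToString(out); // token = nonce || ciphertext || tag
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("AES-GCM unavailable or key invalid", e); // not input-dependent
    }
  }

  public Optional<String> decrypt(String token) {
    try {
      byte[] in = Base64.getUrlDecoder().decode(token);
      if (in.length < NONCE_BYTES + TAG_BITS / 8) return Optional.empty(); // too short to hold nonce + tag
      Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
      cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES));
      byte[] pt = cipher.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES); // verifies the tag
      return Optional.of(new String(pt, StandardCharsets.UTF_8));
    } catch (IllegalArgumentException | GeneralSecurityException e) {
      return Optional.empty(); // malformed base64, tampered token, or wrong key
    }
  }

  public static void main(String[] args) throws Exception {
    KeyGenerator kg = KeyGenerator.getInstance("AES");
    kg.init(128);
    UrlTokenEncryptor enc = new UrlTokenEncryptor(kg.generateKey());
    String token = enc.encrypt("user=42"); // constructed sample value
    System.out.println(enc.decrypt(token) + " " + enc.decrypt("garbage"));
  }
}
```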

GoogleCodeExporter commented 9 years ago

Original comment by kevinb@google.com on 8 Apr 2013 at 7:01

GoogleCodeExporter commented 9 years ago
Michael, OWASP ESAPI https://code.google.com/p/owasp-esapi-java/ seems to be 
what you need. It has a self-contained ESAPI.encryptor() class, sample usage 
here 
https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/examples/java/PersistedEncryptedData.java

Original comment by pawel.kr...@hush.com on 4 Sep 2013 at 9:53

GoogleCodeExporter commented 9 years ago
This issue has been migrated to GitHub.

It can be found at https://github.com/google/guava/issues/<issue id>

Original comment by cgdecker@google.com on 1 Nov 2014 at 4:12

GoogleCodeExporter commented 9 years ago

Original comment by cgdecker@google.com on 1 Nov 2014 at 4:18

GoogleCodeExporter commented 9 years ago

Original comment by cgdecker@google.com on 3 Nov 2014 at 9:08