google / guava

Google core libraries for Java
Apache License 2.0

Encryption utilities #1361

Open gissuebot opened 10 years ago

gissuebot commented 10 years ago

Original issue created by michael.hixson on 2013-04-05 at 01:27 AM


Occasionally I encounter the need for a utility to encrypt and decrypt strings. Most (or all?) of those times it's been used to encode some information in a URL or cookies, where I don't want the information to be visible to users or the parameters to be guessable. These are not passwords and it's not the end of the world if someone breaks the encryption.

I'm no security expert, nor have I mastered the security/crypto APIs in the JDK. The resulting code usually leaves me wondering if I made some fundamental error that would be obvious to a security guru. Plus it tends to be hard to read. E.g. Cipher.doFinal makes me deal with checked exceptions that seem impossible in certain contexts. It's also not thread-safe, which is a pain.

It would be nice to have an API for generating secret keys and encryptors based on known, good security algorithms. The API could save me from dealing with low-level, ugly APIs like Cipher. Theoretical example:

  StringEncryptor encryptor = CipherTransformations.aesCbcNoPadding_128()
      .newEncryptor(secretKey) // maybe this is ByteEncryptor?
      .withEncoding(BaseEncoding.base64Url().omitPadding(), Charsets.UTF_8);

  String originalMessage = ...
  String encryptedMessage = encryptor.encrypt(originalMessage);
  Optional<String> decryptedMessage = encryptor.decrypt(encryptedMessage); // present
  Optional<String> decryptedGarbage = encryptor.decrypt("garbage"); // absent

Most of the value of this feature would be in the bytes-to-bytes encryption. So if there was only a "ByteEncryptor" I could pretty easily build my own StringEncryptor on top of it.

For reference, the crypto documentation lists various algorithms that exist on every Java platform:

http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
http://docs.oracle.com/javase/7/docs/api/javax/crypto/KeyGenerator.html
http://docs.oracle.com/javase/7/docs/api/java/security/KeyPairGenerator.html

gissuebot commented 10 years ago

Original comment posted by kevinb@google.com on 2013-04-08 at 07:01 PM


(No comment entered for this change.)


Labels: Package-General

gissuebot commented 10 years ago

Original comment posted by pawel.kr...@hush.com on 2013-09-04 at 09:53 AM


Michael, OWASP ESAPI (https://code.google.com/p/owasp-esapi-java/) seems to be what you need. It has a self-contained ESAPI.encryptor() class; sample usage is here: https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/examples/java/PersistedEncryptedData.java

ronshapiro commented 5 years ago

We have some internal code for this that we've been waiting to API review. @kluever should know more.

aliakhtar commented 3 years ago

Bump