Re: [plug] Crypt::CBC interop with javax.crypto

Thu, 07 Sep 2006 00:27:09 -0700

Here's the actual Java code inside the 3rd party app. Believe it or not a 30-second Google search turns up a plethora of Java decompilers. It's frighteningly bad. And I thought Perl was bad because you had to give out source. Turns out Java isn't any better!

    public String encrypt(String data, String k)
        throws Exception
    {
        Security.addProvider(new SunJCE());
        byte key[] = new byte[k.getBytes().length];
        for(int i = 0; i < k.length(); i++)
            key[i] = (byte)k.charAt(i);

        DESKeySpec spec = new DESKeySpec(key);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("DES");
        SecretKey secret = factory.generateSecret(spec);
        Cipher desCipher = Cipher.getInstance("DES");
        desCipher.init(1, secret);
        byte cleartext[] = data.getBytes();
        byte ciphertext[] = desCipher.doFinal (cleartext);
        String stringData = Base64.encodeBytes(ciphertext);
        return stringData;
    }

This function encrypts a plaintext with a key, then returns the base64-encoded ciphertext. I want to decode this crap using a Perl program.

As you can see, the IV or salt isn't specified anywhere. I don't want to go digging around (and decompiling) the javax.crypto.* libraries!

Thanks to all who responded.  :)

I know this isn't strictly Linux related but it seems ph-perl is dead. When I checked the archives the last message was sometime in 2005.

On 9/7/06, Gideon Guillen <[EMAIL PROTECTED]> wrote:
On 9/7/06, Orlando Andico <[EMAIL PROTECTED]> wrote:
> This 3rd-party application does not set the hash and IV ( = initialization
> vectors ) directly, instead it uses SecretKeyFactory.generateSecret() to
> derive the encryption key from the passphrase.
>
> I don't know exactly how this derivation is done, I'm guessing PKCS#5 v2.0
> PBKDF2?

I'm not really familiar with Perl, but on Java, the 3rd party app
probably used PKCS #5 according to this:

http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/spec/PBEKeySpec.html

Probably used the first constructor. However, since you're using CBC,
the IV is required. If no IV is specified, I believe
javax.crypto.Cipher will throw an exception. Maybe the secret key
generated from was used as the IV (which is a bad idea).



--
Gideon N. Guillen
[EMAIL PROTECTED]
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
plug@lists.linux.org.ph (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
plug@lists.linux.org.ph (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph

Reply via email to