Reputation: 79
I am trying to understand how I can decrypt a String in one application that I have encrypted in a separate application. I can do this when I am in a single application execution, and I use the PrivateKey from the same KeyPair that generated the PublicKey. However, I want to encrypt the value in one application, and decrypt the value in another application. Basically I have a web service sending value I do not want to be tampered with to an application, and I was planning to use asymmetric encryption to handle it. Feel free to let me know if I am going about solving that the wrong way.
I have tried various encryption techniques, starting with Symmetric. The issue I ran into with that is that the value is encrypted to the same text each time - not very useful if my goal is to keep someone from tampering with a value - once they know the encrypted version of some text, they will be able to use that in any request. I have been trying to follow the standards here - I can get all my examples working in a single transaction doing the encrypt/decrypt - it is just when I try to encrypt in one request, and decrypt in a second request that I fail.
Here is my current working example:
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
* Security class for encrypting and decrypting Strings (that also works in WC ver 7 and above)
* @author
public class SecurityTools {
private static final Logger logger = Logger.getLogger(SecurityTools.class);
private Cipher cipher;
private IvParameterSpec initVector;
private SecretKey secretKey;
PrivateKey privateKeyParam;
PublicKey publicKeyParam;
private static SecureRandom secureRandom = new SecureRandom();
private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
private static final String ALGORITHM_SHORT = "RSA";
private static final String RNG_ALGORITHM = "SHA1PRNG";
private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
private static final String UTF8 = "UTF-8";
// exceptions
private static final String _ERR_ILLEGAL_BLOCK_SIZE = "illegal block size exception.";
private static final String _ERR_BAD_PADDING = "bad padding exception.";
private static final String _ERR_INVALIDKEY = "invalidkey exception.";
private static final String _ERR_PADDING = "padding exception.";
private static final String _ERR_NO_SUCH_ALGORITHM = "no such algorithm exception.";
private static final String _ERR_PASSPHRASE_IS_NULL = "passphrase is null.";
private static final String _ERR_INVALID_ALGORITHM = "invalid algorithm exception.";
private static final String _ERR_UNSUPPORTED_ENCODING = "encoding not supported.";
private static final String _ERR_INVALID_KEY_SPEC = "invalid key spec exception.";
* Constructor
* @throws EncryptionException
public SecurityTools() throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering Constructor");
try {
cipher = Cipher.getInstance(ALGORITHM_SHORT);
} catch (NoSuchAlgorithmException iae) {
logger.error(_ERR_NO_SUCH_ALGORITHM, iae);
throw new EncryptionException(_ERR_NO_SUCH_ALGORITHM, iae);
} catch (NoSuchPaddingException nspe) {
logger.error(_ERR_PADDING, nspe);
throw new EncryptionException(_ERR_PADDING, nspe);
if (logger.isDebugEnabled()) {
logger.debug("exiting Constructor");
* Encrypts a given plain text String, and returns the encrypted String
* @param plainText
* @return
* @throws EncryptionException
public String encrypt(String plainText, PublicKey publicKey) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering encrypt");
String encryptedKey = null;
try {
byte[] byteToEncrypt = plainText.getBytes(UTF8);
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] encryptedBytes = cipher.doFinal(byteToEncrypt);
encryptedKey = DatatypeConverter.printBase64Binary(encryptedBytes);
} catch (IllegalArgumentException iae) {
logger.error(_ERR_PASSPHRASE_IS_NULL, iae);
throw new EncryptionException(_ERR_PASSPHRASE_IS_NULL, iae);
} catch (InvalidKeyException ike) {
logger.error(_ERR_INVALIDKEY, ike);
throw new EncryptionException(_ERR_INVALIDKEY, ike);
} catch (BadPaddingException bpe) {
logger.error(_ERR_BAD_PADDING, bpe);
throw new EncryptionException(_ERR_BAD_PADDING, bpe);
} catch (IllegalBlockSizeException bpe) {
logger.error(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
throw new EncryptionException(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
} catch (UnsupportedEncodingException uee) {
logger.error(_ERR_UNSUPPORTED_ENCODING, uee);
throw new EncryptionException(_ERR_UNSUPPORTED_ENCODING, uee);
} /*-catch (InvalidAlgorithmParameterException iape) {
logger.error(_ERR_INVALID_ALGORITHM, iape);
throw new EncryptionException(_ERR_INVALID_ALGORITHM, iape);
if (logger.isDebugEnabled()) {
logger.debug("exiting encrypt");
return encryptedKey;
* Decrypts a given encrypted String, and returns the plain text String
* @param cipherTextStr
* @return
* @throws EncryptionException
public String decrypt(String cipherTextStr, PrivateKey privateKey) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering decrypt");
String cleartext = null;
try {
cipher.init(Cipher.DECRYPT_MODE, privateKey);
byte[] plainByte = cipher.doFinal(DatatypeConverter.parseBase64Binary(cipherTextStr));
cleartext = new String(plainByte);
} /*-catch (InvalidAlgorithmParameterException iape) {
logger.error(_ERR_INVALID_ALGORITHM, iape);
throw new EncryptionException(_ERR_INVALID_ALGORITHM, iape);
} */catch (IllegalArgumentException iae) {
logger.error(_ERR_PASSPHRASE_IS_NULL, iae);
throw new EncryptionException(_ERR_PASSPHRASE_IS_NULL, iae);
} catch (InvalidKeyException ike) {
logger.error(_ERR_INVALIDKEY, ike);
throw new EncryptionException(_ERR_INVALIDKEY, ike);
} catch (BadPaddingException bpe) {
logger.error(_ERR_BAD_PADDING, bpe);
throw new EncryptionException(_ERR_BAD_PADDING, bpe);
} catch (IllegalBlockSizeException bpe) {
logger.error(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
throw new EncryptionException(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
if (logger.isDebugEnabled()) {
logger.debug("exiting decrypt");
return cleartext;
* Creates the IV using Secure Random Number Generator and an empty 16byte array
* @return
private void generateIV() {
if (logger.isDebugEnabled()) {
logger.debug("entering generateIV");
byte[] newSeed = secureRandom.generateSeed(16);
byte[] byteIV = new byte[16];
initVector = new IvParameterSpec(byteIV);
if (logger.isDebugEnabled()) {
logger.debug("exiting generateIV");
* Generates the Key used for decryption and encryption
* @throws EncryptionException
private void generateKeys() throws EncryptionException {
try {
String saltStr = "salty";// rbConfig.getString("salt");
String passPhraseStr = "passy";// rbConfig.getString("passphrase");
if (StringUtils.isEmpty(saltStr) || StringUtils.isEmpty(passPhraseStr)) {
throw new EncryptionException(_ERR_PASSPHRASE_IS_NULL);
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(512); // key size specified here.
KeyPair pair = keyGen.generateKeyPair();
privateKeyParam = pair.getPrivate();
publicKeyParam = pair.getPublic();
/*-byte[] salt = saltStr.getBytes();
int iterations = 10000;
int keyLength = 128;
SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
SecretKey tmp = factory.generateSecret(new PBEKeySpec(passPhraseStr.toCharArray(), salt, iterations, keyLength));
secretKey = new SecretKeySpec(tmp.getEncoded(), ALGORITHM_SHORT);*/
} catch (NoSuchAlgorithmException iae) {
logger.error(_ERR_NO_SUCH_ALGORITHM, iae);
throw new EncryptionException(_ERR_NO_SUCH_ALGORITHM, iae);
} /*-catch (InvalidKeySpecException e) {
logger.error(_ERR_INVALID_KEY_SPEC, e);
throw new EncryptionException(_ERR_INVALID_KEY_SPEC, e);
* Test method
* @param args
public static void main(String[] args) {
String[] message = { "mktest", "9248547896548752345", "okok234234234okok467467",
"12" };
String result = null;
try {
SecurityTools secTool = new SecurityTools();
PrivateKey priv = secTool.getPrivateKeyParam();
PublicKey publ = secTool.getPublicKeyParam();
String temp = "N5B1zgbvts3Vwrt6qyL/TBzt62HTFz0ISySx5HFu02oVq1YEhFLbrgdCndROX4/5hMpxCHGM8UJBSyZUfjD/DA==";
// System.out.println("ASYMMETRIC TEST" + secTool.decrypt(temp, priv));
for (String mess : message) {
result = secTool.encrypt(mess, publ);
result = secTool.decrypt(result, priv);
} catch (Exception e) {
* @return the privateKeyParam
public PrivateKey getPrivateKeyParam() {
return privateKeyParam;
* @return the publicKeyParam
public PublicKey getPublicKeyParam() {
return publicKeyParam;
class EncryptionException extends Exception {
private static final long serialVersionUID = 1L;
public EncryptionException() {}
public EncryptionException(String message, Throwable cause) {
super(message, cause);
public EncryptionException(String message) {
public EncryptionException(Throwable cause) {
When I run that as-is it works because the main is doing the encryption and decryption all in one go. However, when I take the output from a run, and store it in the temp String in main(), and then uncomment the line System.out.println("ASYMMETRIC TEST" + is when it fails with$EncryptionException: bad padding exception.
Caused by: javax.crypto.BadPaddingException: Decryption error
at com.sun.crypto.provider.RSACipher.doFinal(
at com.sun.crypto.provider.RSACipher.engineDoFinal(
at javax.crypto.Cipher.doFinal(
... 1 more
I assume my issue is that I am re-generating a new KeyPair each time, which will only work the one time as a pair. So once I try to match a PrivateKey that came from one KeyPair to the text that was encrypted with an entirely different KeyPair, it fails. But I have yet to find how you are supposed to otherwise achieve this in that case.
Upvotes: 0
Views: 802
Reputation: 79
import java.util.Locale;
import java.util.MissingResourceException;
import java.util.ResourceBundle;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
* Security class for encrypting and decrypting Strings (that also works in WC ver 7 and above).
* @author mkohanek
public class SecurityTools {
private static final Logger logger = Logger.getLogger(SecurityTools.class);
private Cipher cipher;
private IvParameterSpec initVector;
private SecretKey secretKey;
private transient ResourceBundle rbConfig;
private static SecureRandom secureRandom = new SecureRandom();
private static final String AES_ALGORITHM = "AES/CBC/PKCS5Padding";
private static final String ALGORITHM_SHORT = "AES";
private static final String PBE_ALGORITHM = "PBEWithMD5AndDES";
private static final String UTF8 = "UTF-8";
private static final int ITERATIONS = 10000;
private static final int KEY_LENGTH = 128;
// exceptions
private static final String _ERR_ILLEGAL_BLOCK_SIZE = "illegal block size exception.";
private static final String _ERR_BAD_PADDING = "bad padding exception.";
private static final String _ERR_INVALIDKEY = "invalidkey exception.";
private static final String _ERR_PADDING = "padding exception.";
private static final String _ERR_NO_SUCH_ALGORITHM = "no such algorithm exception.";
private static final String _ERR_PASSPHRASE_IS_NULL = "passphrase is null.";
private static final String _ERR_SALT_IS_NULL = "salt is null.";
private static final String _ERR_INVALID_ALGORITHM = "invalid algorithm exception.";
private static final String _ERR_UNSUPPORTED_ENCODING = "encoding not supported.";
private static final String _ERR_INVALID_KEY_SPEC = "invalid key spec exception.";
* Constructor
* @param salt
* - for encryption, obtain salt from generateSalt(). for decryption, you should use the same salt used during encryption
* @throws EncryptionException
public SecurityTools(String salt) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering Constructor");
try {
cipher = Cipher.getInstance(AES_ALGORITHM);
} catch (NoSuchAlgorithmException iae) {
logger.error(_ERR_NO_SUCH_ALGORITHM, iae);
throw new EncryptionException(_ERR_NO_SUCH_ALGORITHM, iae);
} catch (NoSuchPaddingException nspe) {
logger.error(_ERR_PADDING, nspe);
throw new EncryptionException(_ERR_PADDING, nspe);
if (logger.isDebugEnabled()) {
logger.debug("exiting Constructor");
* Constructor
* @param salt
* - for encryption, obtain salt from generateSalt(). for decryption, you should use the same salt used during encryption
* @param passPhrase
* - Allows client to pass in a passphrase it wants to use rather than use the one this library defines. This must also be used when decrypting. The length limit for this key is 16
* characters
* @throws EncryptionException
public SecurityTools(String salt, String passPhrase) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering Constructor");
try {
cipher = Cipher.getInstance(AES_ALGORITHM);
generateKey(salt, passPhrase);
} catch (NoSuchAlgorithmException iae) {
logger.error(_ERR_NO_SUCH_ALGORITHM, iae);
throw new EncryptionException(_ERR_NO_SUCH_ALGORITHM, iae);
} catch (NoSuchPaddingException nspe) {
logger.error(_ERR_PADDING, nspe);
throw new EncryptionException(_ERR_PADDING, nspe);
if (logger.isDebugEnabled()) {
logger.debug("exiting Constructor");
* Encrypts a given plain text String, and returns the encrypted String
* @param plainText
* @return
* @throws EncryptionException
public String encrypt(String plainText) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering encrypt");
String encryptedKey = null;
try {
byte[] byteToEncrypt = plainText.getBytes(UTF8);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, initVector, new SecureRandom());
byte[] encryptedBytes = cipher.doFinal(byteToEncrypt);
encryptedKey = DatatypeConverter.printBase64Binary(encryptedBytes);
} catch (IllegalArgumentException iae) {
logger.error(_ERR_PASSPHRASE_IS_NULL, iae);
throw new EncryptionException(_ERR_PASSPHRASE_IS_NULL, iae);
} catch (InvalidKeyException ike) {
logger.error(_ERR_INVALIDKEY, ike);
throw new EncryptionException(_ERR_INVALIDKEY, ike);
} catch (BadPaddingException bpe) {
logger.error(_ERR_BAD_PADDING, bpe);
throw new EncryptionException(_ERR_BAD_PADDING, bpe);
} catch (IllegalBlockSizeException bpe) {
logger.error(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
throw new EncryptionException(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
} catch (UnsupportedEncodingException uee) {
logger.error(_ERR_UNSUPPORTED_ENCODING, uee);
throw new EncryptionException(_ERR_UNSUPPORTED_ENCODING, uee);
} catch (InvalidAlgorithmParameterException iape) {
logger.error(_ERR_INVALID_ALGORITHM, iape);
throw new EncryptionException(_ERR_INVALID_ALGORITHM, iape);
if (logger.isDebugEnabled()) {
logger.debug("exiting encrypt");
return encryptedKey;
* Decrypts a given encrypted String, and returns the plain text String
* @param cipherTextStr
* @return
* @throws EncryptionException
public String decrypt(String cipherTextStr) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering decrypt");
String cleartext = null;
try {
cipher.init(Cipher.DECRYPT_MODE, secretKey, initVector);
byte[] plainByte = cipher.doFinal(DatatypeConverter.parseBase64Binary(cipherTextStr));
cleartext = new String(plainByte);
} catch (InvalidAlgorithmParameterException iape) {
logger.error(_ERR_INVALID_ALGORITHM, iape);
throw new EncryptionException(_ERR_INVALID_ALGORITHM, iape);
} catch (IllegalArgumentException iae) {
logger.error(_ERR_PASSPHRASE_IS_NULL, iae);
throw new EncryptionException(_ERR_PASSPHRASE_IS_NULL, iae);
} catch (InvalidKeyException ike) {
logger.error(_ERR_INVALIDKEY, ike);
throw new EncryptionException(_ERR_INVALIDKEY, ike);
} catch (BadPaddingException bpe) {
logger.error(_ERR_BAD_PADDING, bpe);
throw new EncryptionException(_ERR_BAD_PADDING, bpe);
} catch (IllegalBlockSizeException bpe) {
logger.error(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
throw new EncryptionException(_ERR_ILLEGAL_BLOCK_SIZE, bpe);
if (logger.isDebugEnabled()) {
logger.debug("exiting decrypt");
return cleartext;
* Creates the IV using Secure Random Number Generator and an empty 16byte array
* @return
private void generateIV(String salt) {
if (logger.isDebugEnabled()) {
logger.debug("entering generateIV");
byte[] newSeed = DatatypeConverter.parseBase64Binary(salt);
initVector = new IvParameterSpec(newSeed);
if (logger.isDebugEnabled()) {
logger.debug("exiting generateIV");
* Generates the Key used for decryption and encryption using passphrase from properties file on library
** @param saltStr
* @return
* @throws EncryptionException
private void generateKey(String saltStr) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering generateKey");
try {
String passPhraseStr = rbConfig.getString("passphrase");
if (StringUtils.isEmpty(passPhraseStr)) {
throw new EncryptionException(_ERR_PASSPHRASE_IS_NULL);
if (StringUtils.isEmpty(saltStr)) {
throw new EncryptionException(_ERR_SALT_IS_NULL);
byte[] salt = DatatypeConverter.parseBase64Binary(saltStr);
SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM);
SecretKey tmp = factory.generateSecret(new PBEKeySpec(passPhraseStr.toCharArray(), salt, ITERATIONS, KEY_LENGTH));
secretKey = new SecretKeySpec(tmp.getEncoded(), ALGORITHM_SHORT);
} catch (NoSuchAlgorithmException iae) {
logger.error(_ERR_NO_SUCH_ALGORITHM, iae);
throw new EncryptionException(_ERR_NO_SUCH_ALGORITHM, iae);
} catch (InvalidKeySpecException e) {
logger.error(_ERR_INVALID_KEY_SPEC, e);
throw new EncryptionException(_ERR_INVALID_KEY_SPEC, e);
if (logger.isDebugEnabled()) {
logger.debug("exiting generateKey");
* Generates the Key used for decryption and encryption using passphrase passed in
* @param saltStr
* @param passPhrase
* @throws EncryptionException
private void generateKey(String saltStr, String passPhrase) throws EncryptionException {
if (logger.isDebugEnabled()) {
logger.debug("entering generateKey");
try {
if (StringUtils.isEmpty(passPhrase)) {
throw new EncryptionException(_ERR_PASSPHRASE_IS_NULL);
if (StringUtils.isEmpty(saltStr)) {
throw new EncryptionException(_ERR_SALT_IS_NULL);
byte[] salt = DatatypeConverter.parseBase64Binary(saltStr);
SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM);
SecretKey tmp = factory.generateSecret(new PBEKeySpec(passPhrase.toCharArray(), salt, ITERATIONS, KEY_LENGTH));
secretKey = new SecretKeySpec(tmp.getEncoded(), ALGORITHM_SHORT);
} catch (NoSuchAlgorithmException iae) {
logger.error(_ERR_NO_SUCH_ALGORITHM, iae);
throw new EncryptionException(_ERR_NO_SUCH_ALGORITHM, iae);
} catch (InvalidKeySpecException e) {
logger.error(_ERR_INVALID_KEY_SPEC, e);
throw new EncryptionException(_ERR_INVALID_KEY_SPEC, e);
if (logger.isDebugEnabled()) {
logger.debug("exiting generateKey");
* This generates a random value of user defined size that can be used to encrypt data. The decrypting client will then need to access this value to be able to decrypt
* @return
public static String generateSaltStr(int size) {
String salt = null;
byte[] newSeed = secureRandom.generateSeed(size);
salt = DatatypeConverter.printBase64Binary(newSeed);
return salt;
* This generates a random 16 bit value that can be used to encrypt data. The decrypting client will then need to access this value to be able to decrypt
* @return
public static String generateSaltStr() {
String salt = null;
byte[] newSeed = secureRandom.generateSeed(16);
salt = DatatypeConverter.printBase64Binary(newSeed);
return salt;
* Loads properties files (call before attempting to read any properties files)
private void loadProperties() {
try {
rbConfig = ResourceBundle.getBundle("application", Locale.US);
} catch (MissingResourceException ie) {
"FATAL: SecurityTools.loadProperties Cannot read the properties file. Please ensure the file is on the classpath.");
} catch (Exception e) {
"FATAL: SecurityTools.loadProperties Cannot read the properties file. Please ensure the file is on the classpath.");
* Test method
* @param args
public static void main(String[] args) {
String[] message = { "mkohanek", "9248547896548752345", "okok234234234okok467467",
"12" };
String result = null;
try {
// ASYMMETRIC TEST - use this block to test values are usable over separate sessions by taking output from loop below and using it here for subsequent calls
// String previousSalt = "jriUh+01HlHw4g3mO9PLcw==";
// SecurityTools asSecTool = new SecurityTools(previousSalt);
// String previousEncryptedValue = "nFVxkzdx+psiUVkCW5NztQ==";
// System.out.println("should decrypt to an expected value - " + asSecTool.decrypt(previousEncryptedValue));
// SYMMETRIC TEST - tests that single requests will encrypt and decrypt successfully
String salt = generateSaltStr(16);
System.out.println("salt - " + salt);
SecurityTools secTool = new SecurityTools(salt);
for (String mess : message) {
result = secTool.encrypt(mess);
result = secTool.decrypt(result);
} catch (Exception e) {
Upvotes: 0