BlowFish encryption approach
Steps to encrypt string
1 Break query string into separate elements
2 first 24 bytes will be base 64 encoded initialization vector, IV
3 last 24 bytes will be base 64 encoded HMAC key.
4 Middle portion will be base 64, Blowfish encoded payload.
5 Decode the three base 64 encoded elements
6 Decrypt the payload using Blowfish CBS using the decoded IV and Blowfish key.
7 Generate the HMAC of the decrypted payload using the given HMAC key.
8 Compare the base 64 decrypted HMAC value from the last 24 bytes of the qs string with the generated HMAC value.
9 If the values match, continue processing
10 If the values do not match, consider this an error in the delivered payload,
11 log it appropriately, and display the appropriate error messaging to the user.
Example Code for decryption (do the reverse for the encryption process)
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import sun.misc.BASE64Decoder;
String sharedSecretBF=log.getvalue(MigrationDefs.BF_SHARED_KEY);
String sharedSecretHMAC = log.getvalue(MigrationDefs.HMAC_SHARED_KEY);
urlDecodedQS=URLDecoder.decode(encryptedQS, "UTF-8");
log.log(Mpslog.debug, 0, CLASSNAME, METHODNAME, "MIDQ01", "Query String After Decoding:"+urlDecodedQS);
//1. init 3 byte arrays
int payLoadLen = urlDecodedQS.length()-24-24; //48 (first 24 for IV, last 24 for HMAC, middle is for payLoad)
ivArr = new byte[24];
hmacArr = new byte[24];
bfArr = new byte[payLoadLen];
//copy the corresponding bytes from the urlDecodedQS into the initted byte arrays.
System.arraycopy(urlDecodedQS.getBytes(), 0, ivArr, 0, 24);
System.arraycopy(urlDecodedQS.getBytes(), 24, bfArr, 0, payLoadLen);
System.arraycopy(urlDecodedQS.getBytes(), 24+payLoadLen, hmacArr, 0, 24);
/**
* Base 64 decoding
*/
//decode each base64 encoded byted array.
byte[] d_ivArr = new BASE64Decoder().decodeBuffer(new String(ivArr));
byte[] d_hmacArr = new BASE64Decoder().decodeBuffer(new String(hmacArr));
byte[] d_bfArr = new BASE64Decoder().decodeBuffer(new String(bfArr));
/**************************************************
* Decrypt BlowFish encrypted String
**************************************************/
//only get the first 8 bytes of the 16 byte IV, while constructing the spec.
byte[] modIVArr = new byte[8];
System.arraycopy(d_ivArr, 0, modIVArr, 0, modIVArr.length);
//initialize the IvParameterSpec class with the ivArr
IvParameterSpec ivSpec = new IvParameterSpec(modIVArr);
//get the RAW byte array from the shared secret
byte[] raw = MigrationHelper.hexStringToByteArray(sharedSecretBF); //use default encoding
//create the secretkeyspec from the secret key
SecretKeySpec keyspec = new SecretKeySpec(raw, 0, raw.length, "Blowfish");
//use cipher now to get the decrypted key
Cipher cipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
//init the cipher with the keyspec in decrypt mode
cipher.init(Cipher.DECRYPT_MODE, keyspec, ivSpec);
//decrypt the urlDecodedQS using the cipher object
byte[] decrypted = cipher.doFinal(d_bfArr);
//convert byte[] to string using default encoding
dec = new String(decrypted); //clear text pay load.
log.log(Mpslog.info, 0, CLASSNAME, METHODNAME, "MIDQ06", "Decrypted String :"+dec);
/************************************************
* Check Data Intergrity by comparing HMAC
***********************************************/
//now generate HMAC for the payload using the shared key we have.
Mac mac = Mac.getInstance("HmacMD5");
//get the RAW byte array from the shared secret
byte[] hmacRaw = MigrationHelper.hexStringToByteArray(sharedSecretHMAC); //use default encoding
//create the secretkeyspec from the secret key
SecretKeySpec hmackeyspec = new SecretKeySpec(hmacRaw, 0, hmacRaw.length, "HmacMD5");
//init the message authenticate code object
mac.init(hmackeyspec);
//generate the hash message auth code
byte[] genHmacArr = mac.doFinal(decrypted);
//final step is to compare the generated HMAC Arr and the one sent by client
if(!Arrays.equals(d_hmacArr, genHmacArr)){
log.log(Mpslog.debug, 0, CLASSNAME, METHODNAME, "MIDQ07", "Source and Destinations HMAC values are not equal.");
return tmp;
}
Sample Code for Triple DES Encryption
//String base64SharedKey = "gGFhdwXhYdzvHA4I";
String base64SharedKey = "your shared key";
byte[] sharedKeyBytes = this.decoder.decodeBuffer(base64SharedKey);
Key mykey = null;
try {
DESedeKeySpec keyspec = new DESedeKeySpec(sharedKeyBytes);
SecretKeyFactory keyfactory = SecretKeyFactory.getInstance(KeyAlgorithm);
mykey = keyfactory.generateSecret(keyspec);
}
//String base64Iv = "HhjnEIU=";
String base64Iv = "Initialization Vector";
if (base64Iv == null || base64Iv.length() == 0) {
lgr.error(CLASSNAME, METHODNAME, "TDEN15", "IV is null or empty");
return null;
}
byte[] ivBytes = this.decoder.decodeBuffer(base64Iv);
IvParameterSpec ivSpec = new IvParameterSpec(ivBytes);
this.cipher.init(Cipher.ENCRYPT_MODE, mykey, ivSpec);
byte[] inputBytes = input.getBytes(UTF8);
byte[] encryptedBytes = this.cipher.doFinal(inputBytes);
base64EncryptedString = this.encoder.encode(encryptedBytes);
No comments:
Post a Comment