I'm trying to develop my own encryption algorithm for J2ME mobile application with MIDP2.0.
But I don't have any experience in encryption algorithm, Guys please give ideas for me.
I would like to encrypt document and I need to maintain that document in resource directory, Thats why I need encryption from hacking others.
Don't. Crypto is highly specialised, and the smallest mistake can result in a weak cypher. There are plenty of good crypto algorithms out there, such as AES, Salsa20 and others. Use one of them. That also saves you the trouble of writing your own code since there are libraries available.
Read Bruce Schneier on amateur cryptography: Memo to the Amateur Cipher Designer and when you have read it, drop any thoughts of designing your own cypher and use one of the standard cyphers. AES-CTR + HMAC or AES-GCM are my personal preferences, YMMV.
a) I completely agree with rossum. Don't write your own encryption. It's really bad idea (one wrong step and it won't be secure at all).
b) I believe there is Bouncy castle encryption library (http://www.bouncycastle.org/latest_releases.html) which supports J2ME.
c) I recommend to read following article which gives information and examples for encryption/decryption of data on j2me (http://www.ibm.com/developerworks/java/tutorials/wi-encrypt/index.html)
Related
I am writing a site that needs to use multiple encryptions through out the entire process. I started to use CryptoJS v3.1.2 vSHA3 (512) and am able to encrypt the data no problem. Where I'm having trouble is decrypting the data once it's been encrypted. I have been searching the web for the last week or 2 and have only been able to find ways to encrypt the data but no way to decrypt it. If there is no way to decrypt the data, I will have to look for a different encryption. Any help here would be gratefully appreciated.
SHA3 is a hash function, and hash functions are not reversible -- that is, not decryptable. You may instead need a symmetric algorithm such as AES.
That being said, getting the nuances of cryptography right to avoid vulnerabilities is notoriously hard even for veterans, much less someone new to these concepts. Try very, very, VERY hard to rely on standard and ready-made solutions. Use things like HTTPS, for example, or your database's built-in security features.
I have a Java application (an ESB - Enterprise Service Bus) which deals with customer sensitive data and have a requirement of supporting Data encryption at rest in order to prevent data abuse.
The application stores customer data for processing on the file system and application interacts with it through java.io.File API. So basically, I need to encrypt the file before it is persisted on the file system by the application and then decrypt it before application reads it so that it can be parsed and processed.
Are there any good frameworks or libraries that can help me implement Data encryption at rest? I am planning to use PGP encryption/decryption for implementing Data encryption at rest.
I am looking for best and recommended approach for implementing Data encryption at rest within my Java application and any help shall be appreciated.
Why on Earth would you think pgp is the right tool for this? Seems to me that you only need a symmetric key solution, so pgp feels like the wrong answer.
Cryptography in Java is a minefield. Easy to do things wrong, hard to do things right.
Having said that, you have a better chance to not screwing up if you use BouncyCastle rather than something else. They have example code that shows you how to do various operations.
For encrypting data at rest, I recommend you use AES in either CBC mode or CTR mode. If using CBC mode, make sure you choose your IV in a cryptographic secure way (unpredictable). Also, never re-use an IV for any mode of operation.
You should also consider whether you need message integrity. General guidance about symmetric encryption here.
Even though people often get crypto wrong, the bigger problem is key management. That's a whole new can of worms (and don't be fooled into thinking pgp provides a solution to this: all it does is shifts the problem to somewhere else).
I am working on a remote backup project in C...
I want to send data and compress as well as encrypt the data.
However I am confused whether to compress first or encrypt first!
What will be better?:
Compress the data and then encrypt it
Encrypt the data and then compress it
Also I am going to use zlib for compression.
And I am wondering which encryption lib to use...
Some people say libgcrypt is good.
Suggestion for good encryption libraries(very easy to use) will be appreciated... :)
or is there anything that does both of the jobs?
Thanks!
You should compress before encrypting.
Any good encryption algorithm will produce random-like data that will not compress well.
My favorite easy to write, understand and use algorithm is blowfish. There are a few implementations at that link in a few liens of code.
It's roughly the same level of security as something like AES/DES, ie pretty much unbreakable. As with all crypto the real vulnerability is going to be you and your users!
Of the two hashing algorithms, SHA and MD5, which one would be the easiest to implement in .NET MVC 3. By easy, I mean the least amount of overhead and time to implement.
I know the argument will be that with security it shouldn't matter, but I am still interested in which one it would be. And if there is another highly used one that is easier, which is it?
I am new to working with hashing algorithms for site authentication, so I want to make sure I do my research before I go at it.
Also, if .NET or MVC has built in support for anything, what would it be?
Thank you.
See System.Security.Cryptography.MD5, and System.Security.Cryptography.SHA256.
A list of implemented hashing algorithms in the .NET framework can be found here.
You should also check out this blog post for a few tips about rolling your own authentication scheme.
Bcrypt is often a good choice for hashing passwords, and there's a .NET port of it here. However, I'm not sure if there has been any outside code review on this project, so it may be worth asking around.
Excellent posting about why bcrypt is the preferred method for storing passwords: http://codahale.com/how-to-safely-store-a-password/.
In regards to least overhead, that should really never be a concern. I would never want my passwords stored using the weakest hashing algorithm because a website or service needed "less overhead".
As stated in the comments, SHA and MD5 is not encryption. If you need one-way hashes, though, one of the SHA variants is the safest.
If you by "Least overhead" mean which one is easiest to implement in code, they are the same. In .NET SHA and MD5 share the same base class HashAlgorithm, which you can program against.
If you by "Least overhead" mean computing time or space consumption, MD5 is the winner. But bear in mind that MD5 is a lot weaker than any of the SHA variants, and for any practical applications today, neither time nor space is likely to matter.
I prefer not to store passwords on my sites at all - either with hashes and salts or otherwise. If you use an OpenID provider or a variant such as the new BrowserID from Mozilla Labs, I believe you may even be better off.
I am looking for a programmatic way to generate consumer key/secrets for HMAC-SHA1 to be used by clients invoking our API over OAuth. Any pointers to existing implementations would be highly helpful.
Secrets are best when generated from random data. That way there is no external data which could help an attacker deduce or guess part or the entire key. Of course, it depends on how much protection your secret key needs. Java includes some random number generators in java.util.Random (since JDK1.0). If you don't have backward compatibility issues, Java 6 has java.security.SecureRandom which meets FIPS 140-2 requirements. The Java libraries are not truly random, but it is probably good enough for most applications. If you need better random data, you should go for a hardware-based random generator.