5

I have an app with Java and PHP files. The Java files send content to the PHP files, and these send the response back to the Java files, everything over HTTP. The response is in JSON format.

I would like to encrypt the information and decode it on the other side, Java -> PHP and PHP -> Java (this is the most important), but I don't know how to do it.

Edit: I am trying Blowfish. Here is my code in PHP (encrypt the data and send it to Java) and Java (get the data and decode it).

PHP

$key = "this is the key";
$crypttext = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $result_json, MCRYPT_MODE_ECB);
echo($crypttext);

JAVA

public String decryptBlowfish(String to_decrypt, String strkey) {
    System.out.println(to_decrypt);
    try {
        SecretKeySpec key = new SecretKeySpec(strkey.getBytes(), "Blowfish");
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.DECRYPT_MODE, key);
        byte[] decrypted = cipher.doFinal(to_decrypt.getBytes());
        return new String(decrypted);
    } catch (Exception e) {
        System.out.println(e.getMessage());
        return null;
    }
}

System.out.println(decryptBlowfish(result, "this is the key"));

The result when I execute is:

Input length must be multiple of 8 when encrypting with padded cipher 

or sometimes

Given final block not properly padded
1
  • 5
    Utterly pointless. Use SSL instead. Commented Jun 20, 2012 at 17:59

3 Answers

4

Agreed with the comment, that's what SSL is for. See here for a client Java application that uses an SSL certificate and encryption to connect to an HTTPS/SSL site: http://www.mkyong.com/java/java-https-client-httpsurlconnection-example/ Next, you might want to have an HTTPS/SSL PHP server; this should help: http://cweiske.de/tagebuch/ssl-client-certificates.htm Or use this open-source library: http://nanoweb.si.kz/

If the above fails then I don't know, but a last resort would be writing your own; you may never know how secure it really is.


0

You might want to use the same algorithm for decoding/decrypting namely "blowfish/ecb/nopadding" instead of "blowfish".

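import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// "nopadding" matches PHP's mcrypt, which pads the plaintext with zero bytes
private static final String DECRYPTION_ALGORITHM = "blowfish/ecb/nopadding";
private static final String KEY_ALGORITHM = "blowfish";

// Decrypts raw ciphertext bytes; valueData must be a multiple of 8 bytes long
private static byte[] decrypt(byte[] keyData, byte[] valueData) throws Exception {
    SecretKeySpec keySpec = new SecretKeySpec(keyData, KEY_ALGORITHM);
    Cipher cipher = Cipher.getInstance(DECRYPTION_ALGORITHM);
    cipher.init(Cipher.DECRYPT_MODE, keySpec);
    return cipher.doFinal(valueData);
}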
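An added example, not code from the question or from either answer, that reproduces the exchange in Java alone so it runs offline. `phpLikeEncrypt` is a hypothetical stand-in for the PHP side (zero padding as mcrypt applies it), and the Base64 step is an assumption added so the ciphertext survives being handled as text. It shows the `blowfish/ecb/nopadding` decryption working and the two ways the question's version goes wrong.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class BlowfishInterop {
    // Hypothetical stand-in for the PHP side: mcrypt zero-pads to the 8-byte block size.
    // Base64 is an assumption added here so the bytes survive the HTTP body.
    static String phpLikeEncrypt(String json, byte[] key) throws Exception {
        byte[] plain = json.getBytes(StandardCharsets.UTF_8);
        byte[] padded = Arrays.copyOf(plain, (plain.length + 7) / 8 * 8);
        Cipher c = Cipher.getInstance("Blowfish/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "Blowfish"));
        return Base64.getEncoder().encodeToString(c.doFinal(padded));
    }

    // Java side: decode to bytes first, decrypt without padding, then trim the zeros.
    static String decrypt(String body, byte[] key) throws Exception {
        byte[] ct = Base64.getDecoder().decode(body);
        Cipher c = Cipher.getInstance("Blowfish/ECB/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "Blowfish"));
        byte[] plain = c.doFinal(ct);
        int end = plain.length;
        while (end > 0 && plain[end - 1] == 0) end--;   // drop the zero padding
        return new String(plain, 0, end, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "this is the key".getBytes(StandardCharsets.UTF_8);
        String body = phpLikeEncrypt("{\"user\":\"alice\",\"ok\":true}", key); // constructed sample
        System.out.println(decrypt(body, key));

        // Failure 1: plain "Blowfish" resolves to ECB with PKCS5Padding in the default
        // provider, so the zero-padded last block is rejected as badly padded.
        byte[] ct = Base64.getDecoder().decode(body);
        try {
            Cipher c = Cipher.getInstance("Blowfish");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "Blowfish"));
            c.doFinal(ct);
        } catch (Exception e) {
            System.out.println("default transformation: " + e.getMessage());
        }

        // Failure 2: treating raw ciphertext as a String changes the bytes and their count.
        byte[] mangled = new String(ct, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        System.out.println(ct.length + " ciphertext bytes became " + mangled.length);
    }
}
```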


-1

If you don't want SSL, which I recommend too, you can try this:

$str = 'hello world'; //your input data
$pass = 'haj83kdj843j'; //something random, the longer the better
$l = strlen($pass);

for ($i=0; $i<strlen($str); $i++)
{
  $str[$i] = chr(ord($str[$i]) + ord($pass[$i % $l]));
}

It is fast and easy to write a coder/encoder in any language you want. The resulting string is a binary string so you might want to convert it using base64_encode or something. Should give quite good security.

9 Comments

Downvote for: a) poor cipher, b) using PHP code to encode/decode (instead of using a native function, like mcrypt), which will be horribly slow, c) reinventing the wheel
a) For most cases good enough b) You need to decrypt it in another language. Not sure if the algos supported by mcrypt are supported by Java. My code is portable and it is fast c) Reinventing the wheel is what causes progress because the new wheel can be faster or cheaper or whatever. But I agree SSL is better.
@Tom As you mentioned: reinventing the wheel makes sense if, and only if, the new wheel is better than the old one in at least one aspect. Unfortunately your solution is worse than mcrypt at every level I can imagine. It's slower (compare your code with mcrypt and 1-5 MiB-long data) and, what's most important, it's less safe.
Tom, you may find interesting this Q/A: security.stackexchange.com/questions/2202/…
@user1274103 Mcrypt itself is not a cipher - it's only an interface to encode/decode data using some well-known cipher (here you've got a complete list of supported ciphers: php.net/manual/en/mcrypt.ciphers.php ). Just choose one, e.g. Blowfish or DES, encode the data using mcrypt_encode() and then decode it in Java. But you really should use SSL. It'll make everything much safer.