
I am looking for a Java based encryption library with support for strong encryption.

I am aware of the Java Cryptography Extension but to use it I would like to access the source code first, modify those, compile them and use my own version of them (I do not really care about open source licenses)

Alternatively, I am wondering if there are any good, strong Java based encryption libraries that do not rely on or use anything from the JDK crypto libraries. Here, I am also interested in getting access to the source files to compile them myself.

As you can see, I am trying to avoid any man in the middle attacks, including modified versions of the JVM, or modified third party libraries. It is just an obsession.

Thanks!

mjs
    Don't make your own, please! – Tom Mar 14 '13 at 15:40
  • I'm not sure if [Jasypt](http://www.jasypt.org/) uses Java's libs, but take a look. – Sotirios Delimanolis Mar 14 '13 at 15:44
  • @TomCammann why not? I am not going to make my own, just repackage an existing one, that's all :) – mjs Mar 14 '13 at 16:08
  • Tom is right. Crypto code is very fragile. Even a small change can render it vulnerable to a side channel attack. Do you know how to write code that can avoid a timing attack? Some versions of AES are vulnerable while others are not. Do you know the difference? – rossum Mar 14 '13 at 16:46
  • @rossum, not really, but I am merely thinking of changing the package names, not the actual implementation. – mjs Mar 14 '13 at 17:03
  • @SotiriosDelimanolis Thanks, I will definitely have a look at that – mjs Mar 14 '13 at 17:04
  • An attacker who can modify the JVM, can just as easily put a breakpoint on your custom AES function and copy out the key. – CodesInChaos Mar 16 '13 at 16:31

2 Answers


I'm not sure making your own library is a good idea, but if you really want to, you should look at bouncycastle.

obourgain
  • There are a couple of outstanding issues, probably nothing big, but still: http://www.bouncycastle.org/jira/secure/BrowseProject.jspa But I will look into getting hold of the source code and see what I can do with that. Do you know anything about BouncyCastle vs Cryptix in terms of how strong encryption for AES or RSA they provide? – mjs Mar 14 '13 at 15:49
  • http://www.bouncycastle.org/jira/browse/BJB?report=com.atlassian.jira.plugin.system.project:openissues-panel http://www.bouncycastle.org/jira/browse/BJA?report=com.atlassian.jira.plugin.system.project:openissues-panel – mjs Mar 14 '13 at 17:05
  • Sorry, I don't know Cryptix, I can't compare. – obourgain Mar 14 '13 at 17:21

Have you tried Cryptix? It's a free, source-available, JCA-compatible library, so you can install it as the only security provider.

Cromax
  • Compatible with JCA? Meaning that it requires JCA? I am trying not to have to rely on anyone... at the bottom of the cryptix site: "..the Cryptix Foundation ltd does not exist anymore, it is unable to get a renewed certificate. There will thus not be a new release of Cryptix JCE" It requires a certificate from SUN/Oracle? It seems a bit outdated by now.. – mjs Mar 14 '13 at 15:44
  • AFAIK Cryptix has not been developed since '05, but I am not quite sure what certificate you're talking about. In '04 I was in need of strong cryptography and it wasn't available with standard Java, so I adopted Cryptix' source code for my purposes. What do you mean by "it requires JCA"? Cryptix uses its own routines, so you do not rely on secure algorithms written by Oracle/Sun. (AFAIK you can use it independently). You can, however, install it in the JRE as the ONLY security provider, so JCA merely gives a standard way of accessing stuff, but everything is done by Cryptix on its own. – Cromax Mar 14 '13 at 15:52
  • At the bottom of: http://www.cryptix.org/ you see the quote I made. Ok, so are you saying that by using the certificate I am able to switch the SUN crypto implementation to use this one instead, but for that it needs the certificate, but if I don't want to, then I can use it as a stand alone? Any link to the source code? Which one is it? There are a couple of download options. Thanks – mjs Mar 14 '13 at 16:16
  • Mmm, you puzzled me... It's hard to say (for me) what will happen if the certificate is outdated. And as to libraries --- it depends on what you need. I started with cryptix-openpgp-provider.jar (it must be in the Cryptix OpenPGP archive) and then I followed the dependencies. I ended up (additionally) with: certpath-api-compat.jar, cryptix-jce-api.jar, cryptix-jce-provider.jar, cryptix-message-api.jar, cryptix-pki-api.jar. Another thing is, you need to change local_policy.jar and US_export_policy.jar to USJP versions and edit java.security to define JCA providers (jre/security). – Cromax Mar 14 '13 at 16:39
  • You also need to put these jars in jre/ext directory. (Unless you want to use independently, as you said). – Cromax Mar 14 '13 at 16:42
  • I might be stupid here, but why do I need the export policy stuff? It should be a matter of having access to plain java classes with the AES implementation. I thought it was the JCE that required the export policy rules. I do not want to change the JDK security provider, I just want another one, on the side that I intend to use on its own. – mjs Mar 14 '13 at 17:01
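The two answers and the comments under them circle around one distinction: a third-party crypto library can be plugged into the JDK as a JCA/JCE provider (which is where the export-policy jars, the java.security edits and the provider-signing certificate come in), or it can be called directly through its own API with the JDK's crypto framework left out entirely. The following is an added example, not code from either answer or from the Bouncy Castle project, showing both paths for AES-256-GCM. It assumes a Java 7 or later runtime and the Bouncy Castle provider jar (bcprov) on the classpath; the class name `ProviderVsLightweight` and the helper method names are invented for this example, while the `org.bouncycastle.*` and `javax.crypto.*` types are the real library and JDK APIs.

```java
// Added example (not from the question or answers): AES-256-GCM through the
// Bouncy Castle lightweight API (no JCA involved) next to the same operation
// through JCA with Bouncy Castle registered as the "BC" provider.
// Assumes bcprov on the classpath. The old-style constructors used for the
// lightweight path are deprecated in recent Bouncy Castle releases but still compile.
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

public class ProviderVsLightweight {
    private static final int TAG_BITS = 128;
    private static final int NONCE_BYTES = 12;

    /** Path 1: Bouncy Castle lightweight API. No provider registration, no
     *  java.security edits, no export-policy jars and no provider signature
     *  check: the JDK's JCA/JCE framework is simply not on the call path. */
    static byte[] lightweightGcm(boolean forEncryption, byte[] key, byte[] nonce,
                                 byte[] aad, byte[] in) throws InvalidCipherTextException {
        GCMBlockCipher gcm = new GCMBlockCipher(new AESEngine());
        gcm.init(forEncryption, new AEADParameters(new KeyParameter(key), TAG_BITS, nonce, aad));
        byte[] out = new byte[gcm.getOutputSize(in.length)];
        int len = gcm.processBytes(in, 0, in.length, out, 0);
        len += gcm.doFinal(out, len);   // on decryption this verifies the tag and throws if it fails
        return Arrays.copyOf(out, len);
    }

    /** Path 2: the same algorithm requested through JCA, naming the "BC"
     *  provider explicitly so the JDK's own SunJCE implementation is not used.
     *  On Oracle JDK 8 before 8u161 this path needs the unlimited-strength
     *  policy jars for a 256-bit key; path 1 does not. */
    static byte[] jcaGcm(int mode, byte[] key, byte[] nonce, byte[] aad, byte[] in) throws Exception {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());   // runtime alternative to editing java.security
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        cipher.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(aad);
        return cipher.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();   // randomness still comes from the JDK either way
        byte[] key = new byte[32];                // AES-256
        byte[] nonce = new byte[NONCE_BYTES];     // must never be reused under the same key
        rng.nextBytes(key);
        rng.nextBytes(nonce);
        byte[] aad = "header-v1".getBytes(StandardCharsets.UTF_8);            // constructed sample
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        // Both paths implement the same standard, so ciphertext from one
        // decrypts under the other: the provider route changes plumbing, not output.
        byte[] ct = lightweightGcm(true, key, nonce, aad, msg);
        byte[] pt = jcaGcm(Cipher.DECRYPT_MODE, key, nonce, aad, ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));

        // Flip one ciphertext byte: the GCM tag check must reject it.
        byte[] tampered = ct.clone();
        tampered[0] ^= 0x01;
        try {
            lightweightGcm(false, key, nonce, aad, tampered);
            System.out.println("BUG: tampered ciphertext accepted");
        } catch (InvalidCipherTextException e) {
            System.out.println("tampered ciphertext rejected: " + e.getMessage());
        }
    }
}
```

The lightweight path is the one that matches what the question asks for: the library's own AES implementation, compiled from source if you like, reachable without touching the JRE's provider list or policy jars. The JCA path is what the Cryptix comments describe, and it is also where the signing certificate matters, since Oracle's JCE framework checks the provider jar's signature before handing out a `Cipher` from it. Neither path helps against the threat stated in the question: as the last comment on the question notes, an attacker who controls the JVM can read the key out of either one.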