0

I have a GWT client talking to a perl server via JSON over HTTP. It works great, but there are some privacy issues and I need to encrypt the transactions. After doing a bit a research it seems as though the easiest/best supported option is to user TripleDES, with gwt-crypto for the client and Crypt:CBC for the server. The problem is I can't figure out how to use the same key for both ends, because how you set them up appears to be completely different. On the java/gwt side I am doing the following:

_cipher.setKey(Hex.decode("dc7c62768f0d9d514373d520438ff8f8")); // 16 bytes

and on the perl side I am doing:

my $cipher = Crypt::CBC->new( -key     => 'dc7c62768f0d9d514373d520438ff8f8',
                -cipher  => 'DES_EDE3');

I have tried various key schemes, but it seems if I make gwt happy then perl isn't, and vica versa. For example, as far as I can tell the following perl should work, but I get an "Invalid key" error when I try it:

my $iv = Crypt::CBC->random_bytes(8);
my $key = pack("H*", 'dc7c62768f0d9d514373d520438ff8f8');
my $cipher = Crypt::CBC->new( -key     => $key,
            -literal_key => 1,
            -keysize => 16,
            -header => 'none',
            -padding => 'standard',
            -iv     => $iv,
            -cipher  => 'DES_EDE3'
);

So, I think I could eventually figure out the coding issues, what I am having trouble it jumping through the hoops to tell each side what key to use. Any help is greatly appreciated.

James B
  • 51
  • 4
  • 2
    Is there an architectural reason that the privacy afforded by simlply sending the JSON over HTTPS (SSL) is insufficient? – David-SkyMesh Jul 30 '13 at 06:31
  • No, there isn't a hard requirement to encrypt the transactions with anything beyond HTTPS. I just wanted an additional layer to give me a warm fuzzy and brag about. – James B Aug 01 '13 at 23:20
  • Oh, I forgot to mention that I finally figured out that I needed to use a 24 byte key, and that got me a little farther, but I eventually gave up due to the hashing issue. – James B Aug 01 '13 at 23:28

1 Answers1

0

It turns out that how the gwt-crypto implements the key handling is incompatible with the way Crypt::DES_EDE3 does it. Something to do with a the hashing mechanism, so there goes that idea. I've exceeded my time budget on this, but if I ever give it another go I am going to try AES or plain old DES. I would rather use DES because I figure it would be a much lighter load and sufficient for my needs, but gwt-crypto doesn't have the greatest documentation, and it is different enough from what it was based on (bouncycastle) that the bouncycastle examples I have found don't translate.

James B
  • 51
  • 4