
I'm trying to implement the javax.crypto encryption between my apps (through intents). I follow this (accepted answer): https://stackoverflow.com/questions/4319496/how-to-encrypt-and-decrypt-data-in-java . The problem is, as I understood, I need to have the same SecretKeySpec key in both of my apps in order to encrypt/decrypt the data. I have no idea how to export it (as a String or anything) and then hardcode it in both of my apps.

XorOrNor
  • Why do you want to hardcode it? Java can be decompiled (to some extent) into human-readable format. Any hardcoded secret key for crypto wouldn't be secure. (To my understanding) – apnorton Dec 02 '13 at 14:32
  • I always run ProGuard on my apps so I hope this adds some difficulty for decompilation. This is my first touch with encryption in practice so I don't know how to manage these keys... – XorOrNor Dec 02 '13 at 14:37
  • 1
    You could use Diffie-Hellman to securely exchange a secret key every time your apps have to communicate to each other (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). Java supports this standard out of the box. – isnot2bad Dec 02 '13 at 14:48

1 Answer

You can export a SecretKey using the getEncoded() method. This returns a byte array, which you could encode to a string, for example using base 64 encoding. The SecretKeySpec object can be recreated from this encoded byte array.

Just to give you a better idea, not tested:

Initial generation and export

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.apache.commons.codec.binary.Base64;

// "AES" is the key generation algorithm, you might want to use a different one.
KeyGenerator kg = KeyGenerator.getInstance("AES");

// 256-bit key, you may want more or fewer bits.
kg.init(256);

SecretKey key = kg.generateKey();
// getEncoded() returns the raw key material as a byte array.
byte[] keyBytes = key.getEncoded();

// Encode to a String, e.g. base 64 encoded
String encodedKey = new String(Base64.encodeBase64(keyBytes), "UTF-8");

Import/re-creation

import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;

// Base 64 decode
byte[] keyBytes = Base64.decodeBase64(encodedKey.getBytes("UTF-8"));

// Need to put the same key generation algorithm in here:
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
Max Spencer
  • Okay, and is it possible to recreate a key having only the passphrase? – XorOrNor Dec 02 '13 at 15:12
  • Well, you can potentially derive a cryptographic key from a passphrase. Can you describe in detail what you're trying to do? – Max Spencer Dec 02 '13 at 15:40
  • I just want to "have" this shared key accessible in both of my apps in order to encrypt/decrypt messages. – XorOrNor Dec 02 '13 at 15:45
  • How does the passphrase come into it? – Max Spencer Dec 02 '13 at 15:58
  • See the accepted answer in this question: http://stackoverflow.com/questions/4319496/how-to-encrypt-and-decrypt-data-in-java "Symmetric Encryption" section. – XorOrNor Dec 02 '13 at 16:00
  • Ah okay, you can just use their method for getting the `SecretKeySpec` from the passphrase only. In that case what do you need to export the `SecretKeySpec` for? If you need to, my method should work fine as `SecretKeySpec` implements the `SecretKey` interface and has the `getEncoded()` method. – Max Spencer Dec 02 '13 at 17:39
  • Thanks, now it's clear. Now I know that I've asked this question wrong. It's simpler than I thought. – XorOrNor Dec 02 '13 at 20:11
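The export/import round trip from the answer and the passphrase-derived key from the comment thread, carried through to an actual encrypt/decrypt check. This is an added example, not the answer's or the asker's code: it uses the JDK's own `java.util.Base64` (Java 8+) instead of commons-codec, AES/GCM as the cipher mode, and PBKDF2WithHmacSHA256 as the passphrase derivation; the class name `SharedKeyRoundTrip`, the salt and the passphrase are constructed demo values.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class SharedKeyRoundTrip {
    static final int IV_LEN = 12, TAG_BITS = 128;
    // Export: raw bytes from getEncoded() as Base64 text that can be stored or sent.
    static String exportKey(SecretKey key) {
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }
    // Import: the algorithm name given to SecretKeySpec must match the original ("AES").
    static SecretKey importKey(String encoded) {
        return new SecretKeySpec(Base64.getDecoder().decode(encoded), "AES");
    }
    // Passphrase path from the comment thread: both sides get the same key from PBKDF2
    // provided passphrase, salt and iteration count are identical.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 100_000, 256);
        byte[] bits = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(bits, "AES");
    }
    // AES-GCM with a fresh random IV per message; the IV is prepended to the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }
    // Throws AEADBadTagException if the message was altered or the two keys differ.
    static byte[] decrypt(SecretKey key, byte[] msg) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, Arrays.copyOf(msg, IV_LEN)));
        return c.doFinal(msg, IV_LEN, msg.length - IV_LEN);
    }
    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        String encoded = exportKey(kg.generateKey());            // generated once, exported as text
        byte[] plain = "hello from app A".getBytes(StandardCharsets.UTF_8);
        byte[] wire = encrypt(importKey(encoded), plain);        // sender re-creates the key and encrypts
        System.out.println(Arrays.equals(plain, decrypt(importKey(encoded), wire)));
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8); // demo value; use a random salt
        SecretKey k = deriveKey("correct horse".toCharArray(), salt);
        System.out.println(Arrays.equals(plain, decrypt(k, encrypt(k, plain))));
    }
}
```

Both printed checks come out true only because the receiving side rebuilt a `SecretKeySpec` with the same bytes and the same algorithm name; flipping one byte of `wire` makes `decrypt` fail with `AEADBadTagException` rather than returning garbage.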