3

I'm a j2me programmer. My project is related to sending data to server via HTTP method. I encrypt the data in j2me side using Bouncy Castle (Triple DES). I also maintain the server side coding.

Then in server side received data is decrypted and stored in database.

Here I assuming the key statically in coding itself. In server side and j2me side I use the same key value.

But here is one problem based on requirement: the key is randomly generated not known to user.

In this case if in j2me part encrypt the data with some key then how the server decrypt without knowing the key?

Or there is any other mechanism is there so please help to solve the issues.

Thanks and regards, Sivakumar.J

SIVAKUMAR.J
  • 31
  • 1
  • 3
    I think that some form of [Public Key Encryption/Asymmetrical Encryption](http://en.wikipedia.org/wiki/Public-key_cryptography) is desired: "... unlike symmetric key algorithms, a public key algorithm does not require a secure initial exchange of one or more secret keys between the sender and receiver ...". –  May 20 '11 at 04:53
  • Use public key cryptography to exchange a session key of some sort which is a symmetric key (your 3DES key). – Ranhiru Jude Cooray Jul 04 '11 at 02:09

1 Answers1

1

There are several ways to achieve your goal.

One way to do this is using some form of Key Exchange/Agreement protocol, e.g. a Diffie-Hellman-style key exchange (cf. http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). As you are in a J2ME environment you would probably want to use a recent implementation using Elliptic Curves as they are more gentle on your hardware requirements.

Another way to achieve your goal would be an implementation of a secure Key Transport protocol using public key certificates but I wouldn't recommend inventing your own security protocol, rather use SSL/TLS which was specifically designed for these cases.

Based on your requirements you would either need to use SSL in its server-authenticated ("one-way SSL") or in its mutually authenticated form ("two-way SSL"). Consult your web server's documentation with regard to setting up SSL properly.

Once you set up the server it suffices to create the symmetric encryption key on the client as it is currently done and then sending the encryption key to the server using the newly set up TLS connection.

The advantage of the Diffie-Hellman solution would be that it does not necessarily involve certificates but to use it securely you would need to implement some form of Key Derivation Function (cf. http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) which is again non-trivial. Therefore I would recommend using the second approach even if it means more configuration overhead.

emboss
  • 38,880
  • 7
  • 101
  • 108