AES encryption / decryption between C # (encryption) and Java (decryption)

Question

AES encryption / decryption between C # (encryption) and Java (decryption)

I have a C # application to call a Java web service to verify a user password. I would like the C # application to encrypt the password, and then the Java web service decrypt the password. I have Java side code (decryption code), but I can not understand C # code to encrypt the code.

Here is my java code ...

public void validateUserPassword(String encryptedPassword) { String algorithm = "AES"; SecretKeySpec keySpec = null; byte[] key = "<==OMGWTFBBQ!==>".getBytes(); Cipher cipher = null; cipher = Cipher.getInstance(algorithm); keySpec = new SecretKeySpec(key, algorithm); byte[] encryptionBytes = new sun.misc.BASE64Decoder().decodeBuffer(encryptedPassword); cipher.init(Cipher.DECRYPT_MODE, keySpec); byte[] recoveredBytes = cipher.doFinal(encryptionBytes); String recovered = new String(recoveredBytes); log.info("Encrypted password: " + encryptedPassword); log.info("Dencrypted password: " + recovered); }

Here is what I found for encryption using C #, but it does not create the same encrypion string as my Java function, so the Java web service cannot decrypt it.

 private void btnEncrypt_Click(object sender, EventArgs e) { string PlainText = "testing"; string Password = "<==OMGWTFBBQ!==>"; string Salt = "Kosher"; string HashAlgorithm = "SHA1"; int PasswordIterations = 2; string InitialVector = "OFRna73m*aze01xY"; int KeySize = 256; string encryptedPassword; byte[] InitialVectorBytes = Encoding.ASCII.GetBytes(InitialVector); byte[] SaltValueBytes = Encoding.ASCII.GetBytes(Salt); byte[] PlainTextBytes = Encoding.UTF8.GetBytes(PlainText); PasswordDeriveBytes DerivedPassword = new PasswordDeriveBytes(Password, SaltValueBytes, HashAlgorithm, PasswordIterations); byte[] KeyBytes = DerivedPassword.GetBytes(KeySize / 8); RijndaelManaged SymmetricKey = new RijndaelManaged(); SymmetricKey.Mode = CipherMode.CBC; byte[] CipherTextBytes = null; using (ICryptoTransform Encryptor = SymmetricKey.CreateEncryptor(KeyBytes, InitialVectorBytes)) { using (MemoryStream MemStream = new MemoryStream()) { using (CryptoStream CryptoStream = new CryptoStream(MemStream, Encryptor, CryptoStreamMode.Write)) { CryptoStream.Write(PlainTextBytes, 0, PlainTextBytes.Length); CryptoStream.FlushFinalBlock(); CipherTextBytes = MemStream.ToArray(); MemStream.Close(); CryptoStream.Close(); } } } SymmetricKey.Clear(); encryptedPassword = Convert.ToBase64String(CipherTextBytes); MessageBox.Show("Encrypted password: " + encryptedPassword); }

I don't mind changing the way my Java web service is decrypted so that it works with my C # application.

+4

java c # encryption aes

Steve b Oct 31 '11 at 18:05

source share

4 answers

In C #, you use the DeriveBytes function to get your password key, while in Java you use the password directly as a key.

So you obviously have a different key on both sides. Do not do this, use the same key output function on both sides.

+4

Paŭlo Ebermann Oct 31 '11 at 19:03

source share

"You are doing it wrong."

If you need to send a passphrase (if, for example, the java system needs to pass the passphrase to the other side), simply use SSL between your C # application and the Java application and forget about adding additional encryption. Most users will eventually encounter one or more implementation errors that will leave the system vulnerable.

If the Java side only needs to check if the C # client is allowed to access it, this is most likely a better way than sending clear-code passphrases - depending on what you need to allow. This is also an area in which you should strive to use tried and tested code, as it is inconvenient to spoil easily, even if you have a decent understanding of cryptographic fundamentals.

Getting the AES connection between Java and C # working (i.e. the answer to your as-is question) is quite an interesting task (which I will let others handle :)), but if you want security, use a different method.

+3

snemarch Oct 31 '11 at 19:41

source share

Generally speaking, passwords are hashed, not encrypted (for example, using one of the SHA-2 algorithms, for example SHA-256), so if I understand your requirement correctly, then I will have to disagree with your technical approach in this case.

I agree with another user who suggested using a well-known secure exchange method (e.g. SSL / TLS) for secure communication between endpoints.

+1

Garrett Oct 31 '11 at 20:35

source share

Steve b · Accepted Answer · 2011-11-02T18:30:26+0000

I am trying to avoid using SSL because I have nothing to do in this direction for just one method call.

In any case, I found this site, and the code works beautifully. I can encrypt / hash the user password on the C # side and return it to the Java side.

http://zenu.wordpress.com/2011/09/21/aes-128bit-cross-platform-java-and-c-encryption-compatibility/

There is this other site that also has an example that works great ...

http://blogs.msdn.com/b/dotnetinterop/archive/2005/01/24/java-and-net-aes-crypto-interop.aspx

AES encryption / decryption between C # (encryption) and Java (decryption)

More articles: