URL Encryption in Java

Question

URL Encryption in Java

What is the best way to encrypt URLs with parameters in Java?

+6

url encryption

vphomealone Sep 23 '08 at 21:22

source share

7 answers

Neall · Answer 1 · 2008-09-23T21:58:01+0000

The only way to do this is to use SSL / TLS (https). If you use plain old HTTP, the URL will definitely be sent to clear.

Denis · Answer 2 · 2009-06-09T15:42:45+0000

Undoubtedly, almost a comment is simply in java :-), for this simple and ordinary task, I could not find the prepared library, I eventually wrote this ( it was the source ):

import java.net.URLDecoder; import java.net.URLEncoder; import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.PBEParameterSpec; /** * An easy to use class to encrypt and decrypt a string. Just call the simplest * constructor and the needed methods. * */ public class StringEncryptor { private Cipher encryptCipher; private Cipher decryptCipher; private sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder(); private sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder(); final private String charset = "UTF-8"; final private String defaultEncryptionPassword = "PAOSIDUFHQWER98234QWE378AHASDF93HASDF9238HAJSDF923"; final private byte[] defaultSalt = { (byte) 0xa3, (byte) 0x21, (byte) 0x24, (byte) 0x2c, (byte) 0xf2, (byte) 0xd2, (byte) 0x3e, (byte) 0x19 }; /** * The simplest constructor which will use a default password and salt to * encode the string. * * @throws SecurityException */ public StringEncryptor() throws SecurityException { setupEncryptor(defaultEncryptionPassword, defaultSalt); } /** * Dynamic constructor to give own key and salt to it which going to be used * to encrypt and then decrypt the given string. * * @param encryptionPassword * @param salt */ public StringEncryptor(String encryptionPassword, byte[] salt) { setupEncryptor(encryptionPassword, salt); } public void init(char[] pass, byte[] salt, int iterations) throws SecurityException { try { PBEParameterSpec ps = new javax.crypto.spec.PBEParameterSpec(salt, 20); SecretKeyFactory kf = SecretKeyFactory.getInstance("PBEWithMD5AndDES"); SecretKey k = kf.generateSecret(new javax.crypto.spec.PBEKeySpec(pass)); encryptCipher = Cipher.getInstance("PBEWithMD5AndDES/CBC/PKCS5Padding"); encryptCipher.init(Cipher.ENCRYPT_MODE, k, ps); decryptCipher = Cipher.getInstance("PBEWithMD5AndDES/CBC/PKCS5Padding"); decryptCipher.init(Cipher.DECRYPT_MODE, k, ps); } catch (Exception e) { throw new SecurityException("Could not initialize CryptoLibrary: " + e.getMessage()); } } /** * * method to decrypt a string. * * @param str * Description of the Parameter * * @return String the encrypted string. * * @exception SecurityException * Description of the Exception */ public synchronized String encrypt(String str) throws SecurityException { try { byte[] utf8 = str.getBytes(charset); byte[] enc = encryptCipher.doFinal(utf8); return URLEncoder.encode(encoder.encode(enc),charset); } catch (Exception e) { throw new SecurityException("Could not encrypt: " + e.getMessage()); } } /** * * method to encrypting a string. * * @param str * Description of the Parameter * * @return String the encrypted string. * * @exception SecurityException * Description of the Exception */ public synchronized String decrypt(String str) throws SecurityException { try { byte[] dec = decoder.decodeBuffer(URLDecoder.decode(str,charset)); byte[] utf8 = decryptCipher.doFinal(dec); return new String(utf8, charset); } catch (Exception e) { throw new SecurityException("Could not decrypt: " + e.getMessage()); } } private void setupEncryptor(String defaultEncryptionPassword, byte[] salt) { java.security.Security.addProvider(new com.sun.crypto.provider.SunJCE()); char[] pass = defaultEncryptionPassword.toCharArray(); int iterations = 3; init(pass, salt, iterations); }

}

l_39217_l · Answer 3 · 2008-09-23T21:34:53+0000

java security api ( http://java.sun.com/javase/technologies/security/ ) + url encoding

Alexander · Answer 4 · 2008-09-23T21:58:53+0000

It depends on your threat model. For example, if you want to protect the parameters sent by your Java application to your server from an attacker who has access to the communication channel, you should consider communicating with the server via TLS / SSL (i.e., HTTPS in your case) and like it. If you want to protect the settings from an attacker who has access to the machine your Java client application is running on, you are faced with deeper problems.

Oli · Answer 5 · 2008-09-24T15:09:31+0000

If you really cannot use SSL , I would suggest a pre-shared key approach and adding a random iv.

You can use any acceptable symmetric ex encryption method. AES, using a pre-shared key, you communicate out of range (email, phone, etc.).

Then you create a random initialization vector and encrypt your string with this iv and key. Finally, you combine your ciphertext and iv and send this as your parameter. Iv can be reported in clarity without any risk.

Internet friend · Answer 6 · 2008-09-23T21:31:30+0000

Are you sure you do not mean the encode URL?

Coding is available through java.net.URLEncoder.encode .

Dónal boyle · Answer 7 · 2009-06-09T15:50:18+0000

The standard way to encrypt HTTP traffic is to use SSL. ~~However, even through HTTPS, the URL and any parameters in it (i.e. a GET request) will be sent to clear.~~ ~~You will need to use SSL and execute a POST request to properly encrypt your data.~~

As indicated in the comments, the parameters will be encrypted no matter what HTTP method you use if you use an SSL connection.

URL Encryption in Java

More articles: