PCI requires good security

We generally add security after building the product. It is a serious issue because security is not built into the product and we do not know cryptography well enough to be able to write good code.

This Java class was coded quickly just to encrypt and decrypt using AES 256 without understanding the foundations or key security principles. Even this took a long time and still there are holes in the way I have understood it but it is a good starting point.
It is also a good idea to subscribe to forums like dev-crypto@bouncycastle.org and read. I am planning to write Java code using the GPG API in the Bouncy Castle library.

This code uses the Bouncy Castle Provider but I do not think it is needed. I also used the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction libraries.

package com.encryption;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Security;

import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

 * A AES 256 encryption routine. 

public class AESKeyEncryption {

	     public static void encrypt( File in,
	    		                     File out,
	    		                     Cipher cipher ) throws Exception { 
			byte[] buf = new byte[1024];

			FileInputStream fin = new FileInputStream( in );
			final CipherOutputStream cout = 
	        	new CipherOutputStream( new FileOutputStream( out ), cipher );
			try {

	            int bytes = 0;
	            /* Assumption is that there is no guarantee that
	             * there will be a full buffer every time. Isn't that
	             * what is called a subtle bug ;-)
	            while ((bytes = fin.read( buf )) >= 0) {
	            	cout.write( buf, 0 , bytes );
	        } catch ( IOException e ) {
	        	System.out.println( "IOException");
	    	   if( null != cout ){
	    	   if( null != fin ){

	     public static void main(String[] args) throws Exception { 

                Security.addProvider(new BouncyCastleProvider());

                 * Supposed to be picked up from the database
                 * and salted if possible.  It is a 32 byte(256-bit) Key
                String key ="11112444123123222444200012311111";
                byte[] raw = key.getBytes("UTF8");
                SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES"); 
                System.out.println("SecretKeySpec = " + skeySpec.toString());

		       // Instantiate the cipher 
		       Cipher cipher = Cipher.getInstance ("AES/CBC/PKCS5Padding", "BC");
		       byte iv[] = new byte[16]; //cipher.getIV(); 
		       IvParameterSpec dps = new IvParameterSpec(iv); 
		       cipher.init(Cipher.ENCRYPT_MODE , skeySpec, dps);
		        * File Encryption. Use Platform independent File separator API.
		       File in = new File( "D:\\tools\\Project Research\\PCI\\Clear Text.txt");
		       File out = new File( "D:\\tools\\Project Research\\PCI\\Cipher Text.txt");
		       encrypt( in,
	                    cipher );	 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: