Hi,
I'm not 100% convinced that this is a bug but it might be.
If it is a bug it means that one of the implementations is violating an RFC
or the Java spec.
Anyway, when I use HMAC I do not create a DES key but a RAW key.
This works on both platforms.
hmac.init(new SecretKeySpec(password.getBytes("UTF-8"), "RAW"));
Anders
----- Original Message -----
From: "nleiptv" <[email protected]>
To: "Android Security Discussions" <[email protected]>
Sent: Tuesday, June 30, 2009 19:23
Subject: [android-security-discuss] Re: Problem with Crypto APIs between
Android and SUN Java
Hi,
the ks generation code is as follows:
ks = new DESKeySpec(someKeyString.getBytes());
And I checked that the values of ks are the same on both the phone VM
and the SUN VM, because in the past I had problems when
String#getBytes() was used without specifying a proper CharEncoding.
Back then getBytes() executed on a String on a Windows machine gave a
different result than on a Linux machine, since the default character
encoding (which is considered in the no-parameter version of
getBytes()) was different on the two systems.
But this time, that is not the problem, so I am 100% sure that line 3
- kf.generateSecret(ks) - is the problem, since it does not do
anything with the key ks.
Btw. in the post that I linked to, I was responding to myself, because
I found a solution already. Maybe have a look at it again. I even
explain a work around.
I just thought I post a link to it here, since this is the security
list.
Cheers.
On 30 Jun., 18:52, "Anders Rundgren" <[email protected]>
wrote:
> If I understand your bug report correctly only line 2 and 3 are actually
> involved.
> You left out the creation of "ks".
> BTW, I don't see MD5 anywhere.
>
> I would begin by looking into the ks stuff.
>
> I hope this was of some help!
>
> Anders
>
> ----- Original Message -----
> From: "nleiptv" <[email protected]>
> To: "Android Security Discussions" <[email protected]>
> Sent: Tuesday, June 30, 2009 17:33
> Subject: [android-security-discuss] Problem with Crypto APIs between Android
> and SUN Java
>
> Hi all,
>
> I posted a message to the Android Developers list about problems with
> the crypto API.
>
> In fact the Bouncy Castle API on the phone seems to have a bug when
> executing the following code:
>
> 1 Mac hmac = Mac.getInstance("HmacSHA256");
> 2 SecretKeyFactory kf = SecretKeyFactory.getInstance("DES");
> 3 Key k = kf.generateSecret(ks);
> 4 hmac.init(k);
> 5 finalKey = hmac.doFinal(s);
>
> The secret key k in line 3 differs when the above code is executed on
> the phone and on a SUN JVM, making it almost impossible to do proper
> authentication between a client on the phone and a server that is run
> on a SUN JVM.
>
> The post is
> here: http://groups.google.com/group/android-developers/browse_thread/threa...
> I think this might be interesting for some here.
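The program below is an added example for this thread, not code posted by either participant. It puts the two approaches side by side: the HMAC key built straight from the UTF-8 password bytes (Anders's RAW key, here labelled "HmacSHA256" instead of "RAW") and the key nleiptv derived through SecretKeyFactory("DES") from a DESKeySpec. Two things are true of the DES route independent of provider: DESKeySpec keeps only the first 8 bytes of its input (its Javadoc says so), so the HMAC key is at most 64 bits whatever the password length, and every DES key byte carries a parity bit that the cipher ignores, which a key factory is free to normalize. Whether a given provider rewrites those parity bits, and thereby the HMAC, is what the isParityAdjusted line lets you check by running the same class on the phone and on the server. The class name, the password and the message are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class HmacKeyInterop {

    private static final String HMAC = "HmacSHA256";

    /** Interoperable path: the password bytes are the HMAC key, used unchanged. */
    static byte[] hmacRawKey(String password, byte[] message)
            throws GeneralSecurityException {
        // Explicit charset: the no-argument String.getBytes() uses the platform
        // default, which is the Windows/Linux mismatch mentioned in the thread.
        byte[] keyBytes = password.getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance(HMAC);
        mac.init(new SecretKeySpec(keyBytes, HMAC));
        return mac.doFinal(message);
    }

    /** The thread's path: derive the HMAC key through the DES key factory. */
    static SecretKey desFactoryKey(String password)
            throws GeneralSecurityException {
        // DESKeySpec keeps only the first 8 bytes of its input, and throws if
        // fewer than 8 are supplied. What the factory returns is provider-defined.
        DESKeySpec ks = new DESKeySpec(password.getBytes(StandardCharsets.UTF_8));
        SecretKeyFactory kf = SecretKeyFactory.getInstance("DES");
        return kf.generateSecret(ks);
    }

    static byte[] hmacDesFactoryKey(String password, byte[] message)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance(HMAC);
        mac.init(desFactoryKey(password));
        return mac.doFinal(message);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) {
            sb.append(String.format("%02x", x & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; run this unchanged on both JVMs and diff the output.
        String password = "correct horse battery";
        byte[] message = "login:alice".getBytes(StandardCharsets.UTF_8);

        System.out.println("DES key factory provider: "
                + SecretKeyFactory.getInstance("DES").getProvider().getName());

        byte[] rawKey = password.getBytes(StandardCharsets.UTF_8);
        SecretKey desKey = desFactoryKey(password);
        byte[] desKeyBytes = desKey.getEncoded();

        System.out.println("raw password bytes      : " + hex(rawKey)
                + " (" + rawKey.length + " bytes)");
        System.out.println("DES-factory key bytes   : " + hex(desKeyBytes)
                + " (" + desKeyBytes.length + " bytes)");
        // True when every key byte has odd parity. If this differs between the
        // platforms, one factory rewrote the parity bits and the HMACs will differ.
        System.out.println("DES parity adjusted     : "
                + DESKeySpec.isParityAdjusted(desKeyBytes, 0));

        System.out.println("HMAC with raw key       : " + hex(hmacRawKey(password, message)));
        System.out.println("HMAC with DES-factory key: "
                + hex(hmacDesFactoryKey(password, message)));
    }
}
```

The raw-key HMAC is the one to ship: its input to the MAC is exactly the UTF-8 password, so it agrees between any two correct HMAC-SHA256 implementations. The DES-factory HMAC depends on how each provider's DES key factory treats the spec, and even where both sides agree it has silently cut the key to 8 bytes.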