On Tue, Jun 1, 2010 at 7:28 AM, Phillip Tran <[email protected]> wrote:
> Hi All,
>
> We are trying to develop an application on both Java and Android to
> read encrypted data using AES. For both platforms, we are using the
> exact same code to encrypt and decrypt.
>
> Under android, we can encrypt and later decrypt the file, and same
> applies under java. However, if we tried to decrypt under android a
> file that was originally encrypted under java, or vice versa, it does
> not work.
>
The issue is that not all the Java crypto libs have been ported to Android.
> We generated our keys as below, where rawKeyString is our hidden key:-
> KeyGenerator keyGen = KeyGenerator.getInstance("AES");
> SecureRandom secRand = SecureRandom.getInstance("SHA1PRNG");
> secRand.setSeed(rawKeyString);
> keyGen.init(128, secRand);
> SecretKey skey = keyGen.generateKey();
> return skey.getEncoded();
>
> We find that the values of skey.getEncoded are different for java and
> android. Also, if we skipped this step altogether and instead, used
> rawKeyString directly to generate an IV and also to call
> cipher.doFinal, then android is able to decrypt a java encrypted file
> and vice versa.
>
> We believe the issue is SecureRandom. The provider for SecureRandom
> under android is Crypto, whereas under java, it's Sun. Not sure if this
> is the cause of the problem.
>
You are correct. The setSeed() method supplements the current seed. It
never replaces the current seed. This is done in an effort to
guarantee randomness.
> Has anyone ever come across this and is there a solution for us to
> produce the same results under android/java/linux? If not, would it
> compromise the security of the data if we skipped this step?
>
Depending on what you're doing, you could probably implement your own
crypto provider overriding a few methods to make sure the setSeed()
function behaves as you want it to. But in the meantime, the crypto
implementation in Android is quite different than a desktop Java
version unfortunately. If anyone knows an easier/better way of
doing this it would be great to hear.
> PS: When we encrypt/decrypt, we are using the same PC running under
> Linux. Android is running through AVD/Eclipse - so basically the
> hardware is the same, the code is the same.
>
> Thanks for your help.
>
--
David Barrera
Carleton Computer Security Lab
Carleton University, Ottawa, ON. Canada
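
Added example, not part of the original thread or either poster's code: one way to get the same 128-bit AES key on desktop Java and Android is to derive it from the secret with PBKDF2, whose output is fixed by the standard, instead of seeding SHA1PRNG, whose output depends on the provider. The class name, salt, iteration count and IV-prefixed layout are assumptions made for this sketch, and it assumes "PBKDF2WithHmacSHA1" is available on the target platform.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PortableAesKey {   // hypothetical class name
    // Same passphrase, salt and iteration count give the same key on any
    // provider that implements PBKDF2; a seeded SHA1PRNG gives no such guarantee.
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, iterations, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                                     .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Output layout (assumed for this example): 16-byte random IV || ciphertext.
    static byte[] encrypt(SecretKeySpec key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);   // unseeded: a fresh IV per message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKeySpec key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, 16));
        return c.doFinal(blob, 16, blob.length - 16);
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "example passphrase".toCharArray();                   // constructed sample
        byte[] salt = "per-file-salt-01".getBytes(StandardCharsets.UTF_8);  // constructed; stored with the file
        SecretKeySpec k1 = deriveKey(pass, salt, 10000);   // e.g. on desktop Java
        SecretKeySpec k2 = deriveKey(pass, salt, 10000);   // e.g. on Android
        System.out.println("keys match: " + Arrays.equals(k1.getEncoded(), k2.getEncoded()));
        byte[] blob = encrypt(k1, "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(k2, blob), StandardCharsets.UTF_8));
    }
}
```

The salt and iteration count are not secret and have to travel with the encrypted file so that the other platform can repeat the derivation.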