Encrypt/decrypt AES 256, vorsalt error
Hiyas.
So I'm trying to get encrypt/decrypt to work for AES 256, with both 32byte key and 32byte IVorSalt. (Yup-new java security files v6 installed)
'IF' I use a 32byte key but don't use an IV at all, I get a nice looking AES 256 result. (I can tell it's AES 256 by looking at the length of the encrypted string)
'IF' I use a 32byte key and 16bit salt, I get an AES 128 result (I know - as per docs they're both s'posed to be the same size, but the docs are wrong).
But when I switch to using both a 32byte key AND a 32byte salt I get the error below.
An error occurred while trying to encrypt or decrypt your input string: Bad parameters: invalid IvParameterSpec: com.rsa.jsafe.crypto.JSAFE_IVException: Invalid IV length. Should be 16.
Has anyone 'EVER' gotten encrypt to work for them using AES 256 32byte key and 32byte salt? Is this a bug in CF? Or Java? Or am I doing something wrong?
<!--- ////////////////////////////////////////////////////////////////////////// Here's the Code ///////////////////////////////////////////////////////////////////////// --->
<cfset theAlgorithm = "Rijndael/CBC/PKCS5Padding" />
<cfset gKey = "hzj+1o52d9N04JRsj3vTu09Q8jcX+fNmeyQZSDlZA5w="><!--- these 2 are the same --->
<!---<cfset gKey = ToBase64(BinaryDecode("8738fed68e7677d374e0946c8f7bd3bb4f50f23717f9f3667b2419483959039c", "Hex"))>--->
<cfset theIV = BinaryDecode("7fe8585328e9ac7b7fe8585328e9ac7b7fe8585328e9ac7b7fe8585328e9ac7b","hex")>
<!---<cfset theIV128 = BinaryDecode("7fe8585328e9ac7b7fe8585328e9ac7b","hex")>--->
<cffunction name="DoEncrypt" access="public" returntype="string" hint="Fires when the application is first created.">
<cfargument name="szToEncrypt" type="string" required="true"/>
<cfset secretkey = gKey>
<cfset szReturn=encrypt(szToEncrypt, secretkey, theAlgorithm, "Base64", theIV)>
<cfreturn szReturn>
</cffunction>
<cffunction name="DoDecrypt" access="public" returntype="string" hint="Fires when the application is first created.">
<cfargument name="szToDecrypt" type="string" required="true"/>
<cfset secretkey = gKey>
<cfset szReturn=decrypt(szToDecrypt, secretkey, theAlgorithm, "Base64",theIV)>
<cfreturn szReturn>
</cffunction>
<cfset szStart = form["toencrypt"]>
<cfset szStart = "Test me!">
<cfset szEnc = DoEncrypt(szStart)>
<cfset szDec = DoDecrypt(szEnc)>
<cfoutput>#szEnc# #szDec#</cfoutput>
Hi edevmachine,
This Bouncy Castle Encryption CFC supports Rijndael w/ 256-bit block size. (big thanks to Jason here and all who helped w/ that, btw!)
Example:
<cfscript>
BouncyCastleCFC = new path.to.BouncyCastle();
string = "ColdFusion Rocks!";
key = binaryEncode(binaryDecode(generateSecretKey("Rijndael", 256), "base64"), "hex");//the CFC takes hex'd key
ivSalt = binaryEncode(binaryDecode(generateSecretKey("Rijndael", 256), "base64"), "hex");//the CFC takes hex'd ivSalt
encrypted = BouncyCastleCFC.doEncrypt(string, key, ivSalt);
writeOutput(BouncyCastleCFC.doDecrypt(encrypted, key, ivSalt));
</cfscript>
Related links for anyone interested in adding 256-bit block size Rijndael support into ColdFusion:
- An explanation of how to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into ColdFusion
- An explanation of how to install the Bouncy Castle Crypto package into ColdFusion (near bottom, under the "Installing additional security providers" heading)
- An explanation of how to connect the Bouncy Castle classes together
- Bouncy Castle's doc for the Rijndael Engine
And here is the full CFC as posted in the StackOverflow discussion:
<cfcomponent displayname="Bounce Castle Encryption Component" hint="This provides bouncy castle encryption services" output="false">
<cffunction name="createRijndaelBlockCipher" access="private">
<cfargument name="key" type="string" required="true" >
<cfargument name="ivSalt" type="string" required="true" >
<cfargument name="bEncrypt" type="boolean" required="false" default="1">
<cfargument name="blocksize" type="numeric" required="false" default=256>
<cfscript>
// Create a block cipher for Rijndael
var cryptEngine = createObject("java", "org.bouncycastle.crypto.engines.RijndaelEngine").init(arguments.blocksize);
// Create a Block Cipher in CBC mode
var blockCipher = createObject("java", "org.bouncycastle.crypto.modes.CBCBlockCipher").init(cryptEngine);
// Create Padding - Zero Byte Padding is apparently PHP compatible.
var zbPadding = CreateObject('java', 'org.bouncycastle.crypto.paddings.ZeroBytePadding').init();
// Create a JCE Cipher from the Block Cipher
var cipher = createObject("java", "org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher").init(blockCipher,zbPadding);
// Create the key params for the cipher
var binkey = binarydecode(arguments.key,"hex");
var keyParams = createObject("java", "org.bouncycastle.crypto.params.KeyParameter").init(BinKey);
var binIVSalt = Binarydecode(ivSalt,"hex");
var ivParams = createObject("java", "org.bouncycastle.crypto.params.ParametersWithIV").init(keyParams, binIVSalt);
cipher.init(javaCast("boolean",arguments.bEncrypt),ivParams);
return cipher;
</cfscript>
</cffunction>
<cffunction name="doEncrypt" access="public" returntype="string">
<cfargument name="message" type="string" required="true">
<cfargument name="key" type="string" required="true">
<cfargument name="ivSalt" type="string" required="true">
<cfscript>
var cipher = createRijndaelBlockCipher(key=arguments.key,ivSalt=arguments.ivSalt);
var byteMessage = arguments.message.getBytes();
var outArray = getByteArray(cipher.getOutputSize(arrayLen(byteMessage)));
var bufferLength = cipher.processBytes(byteMessage, 0, arrayLen(byteMessage), outArray, 0);
var cipherText = cipher.doFinal(outArray,bufferLength);
return toBase64(outArray);
</cfscript>
</cffunction>
<cffunction name="doDecrypt" access="public" returntype="string">
<cfargument name="message" type="string" required="true">
<cfargument name="key" type="string" required="true">
<cfargument name="ivSalt" type="string" required="true">
<cfscript>
var cipher = createRijndaelBlockCipher(key=arguments.key,ivSalt=arguments.ivSalt,bEncrypt=false);
var byteMessage = toBinary(arguments.message);
var outArray = getByteArray(cipher.getOutputSize(arrayLen(byteMessage)));
var bufferLength = cipher.processBytes(byteMessage, 0, arrayLen(byteMessage), outArray, 0);
var originalText = cipher.doFinal(outArray,bufferLength);
return createObject("java", "java.lang.String").init(outArray);
</cfscript>
</cffunction>
<cfscript>
// Build a Java byte[] of the requested length via reflection
function getByteArray(someLength) {
var byteClass = createObject("java", "java.lang.Byte").TYPE;
return createObject("java","java.lang.reflect.Array").newInstance(byteClass, someLength);
}
</cfscript>
</cfcomponent>
Thanks!,
-Aaron
Similar Messages
-
CF9 Encrypt with AES 256-bit, example anyone?
Hi there. I'm looking for a working example of the Encrypt method using the AES 256 bit key. I think that I have the Unlimited Strength Jurisdiction Policy Files enabled. And I'm still getting the CFError,
The key specified is not a valid key for this encryption: Illegal key size.
Now I hit the wall, can't get it. What am I doing wrong? How can I verify that the policy files are installed and accessible to my cf file? Any help is greatly appreciated.
<cfset thePlainText = "Is this working for me?" />
Generate Secret Key (128): <cfset AES128 = "#generatesecretkey('AES',128)#" /> <cfdump var="#AES128#"><BR>
Generate Secret Key (192): <cfset AES192 = "#generatesecretkey('AES',192)#" /> <cfdump var="#AES192#"><BR>
Generate Secret Key (256): <cfset AES256 = "#generatesecretkey('AES',256)#" /> <cfdump var="#AES256#"><BR><BR>
<cfset theKey = AES256 />
<cfset theAlgorithm = "AES/CBC/PKCS5Padding" />
<cfset theEncoding = "base64" />
<cfset theIV = BinaryDecode("6d795465737449566f7253616c7431323538704c6173745f", "hex") />
<cfset encryptedString = encrypt(thePlainText, theKey, theAlgorithm, theEncoding, theIV) />
<!--- Display results --->
<cfset keyLengthInBits = arrayLen(BinaryDecode(theKey, "base64")) * 8 />
<cfset ivLengthInBits = arrayLen(theIV) * 8 />
<cfdump var="#variables#" label="AES/CBC/PKCS5Padding Results" />
<cfabort>
Version 10 is different from 9 because they run on different servlet containers. CF 10 uses Tomcat, CF 9 uses JRun, so things are in different places.
\\ColdFusion10\jre\lib\security seems like the correct location for the policy files to me. I actually gave you the wrong locations in my original post (sorry about that). According to the installation instructions they belong in <java-home>\lib\security, which it looks like you've found.
So something else is wrong. Here are some things to look at, in no particular order:
1. Are you using a JVM other than the Java 1.6 that comes with CF10?
2. Did you restart Tomcat after copying the files in?
3. Note that I keep saying FILES: did you copy BOTH of the .jar files from the JCE folder you unzipped into the security directory? It should have prompted you to overwrite existing files.
4. Did you try unzipping the files and copying them in again, on the chance that they did not overwrite the originals?
Sorry, I don't have CF10 installed to give this a try. But I have no reason to believe that it would not work in 10. It's all just JCA/JCE on the underlying JAVA, and I have heard no reports from anyone else that it doesn't work.
Jason -
One way encryption, decrypting not encrypting ASA5505
Hello All,
I've been troubleshooting this issue and was hoping to get some more feedback and maybe have an error pointed out if I'm not seeing it. I recently set up a remote access VPN on a Cisco ASA 5505. Everything appeared to work at first and the IPsec client connects. However, if you look at the packets being encrypted and decrypted on the client side, only the encrypted counter is incrementing and the decrypted stays at 0. The opposite is true on the ASA side: the decrypted continues to increment and the encrypted stays at zero. My first thought was maybe a misconfigured NAT 0 statement or not defining the correct split tunnel ACL, but I have verified that. I will post my config so maybe someone can point out the error. The ASA version is 8.2(5). I'll also list a packet-tracer I did from an inside host to a VPN IP.
Any help will be greatly appreciated, thanks in advance!
ASA Version 8.2(5)
terminal width 511
hostname xyz
domain-name xyz.local
no names
dns-guard
interface Ethernet0/0
description ISP Connection
switchport access vlan 900
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 20
interface Ethernet0/3
switchport access vlan 30
interface Ethernet0/4
switchport access vlan 40
interface Ethernet0/5
switchport access vlan 50
switchport trunk allowed vlan 10,20,30,40,350
switchport trunk native vlan 10
switchport mode trunk
interface Ethernet0/6
switchport trunk allowed vlan 10,20,30,40,350
switchport trunk native vlan 10
switchport mode trunk
interface Ethernet0/7
description WAP
switchport trunk allowed vlan 10,20,30,40,350
switchport trunk native vlan 10
switchport mode trunk
interface Vlan10
description LAN
nameif inside
security-level 100
ip address 10.10.254.1 255.255.0.0
interface Vlan20
description LAN
nameif inside20
security-level 100
ip address 10.20.254.1 255.255.0.0
interface Vlan30
description LAN
nameif inside30
security-level 100
ip address 10.30.254.1 255.255.0.0
interface Vlan40
description LAN
nameif inside40
security-level 100
ip address 10.40.254.1 255.255.0.0
interface Vlan350
description Guest LAN
nameif guest
security-level 50
ip address 10.3.50.254 255.255.255.0
interface Vlan900
description ISP Connection
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xyz.local
same-security-traffic permit intra-interface
access-list OUTSIDE-IN remark :
access-list OUTSIDE-IN remark : Allow OUTSIDE to inside
access-list OUTSIDE-IN remark :
access-list OUTSIDE-IN remark Allow ICMP Replies
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list NAT-0-INSIDE remark :
access-list NAT-0-INSIDE remark : Do not NAT this traffic
access-list NAT-0-INSIDE remark :
access-list NAT-0-INSIDE remark Allow LAN to VPN Users
access-list NAT-0-INSIDE extended permit ip 10.10.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.40.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.30.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.3.0.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NAT-10-INSIDE remark :
access-list NAT-10-INSIDE remark : Allow LAN NAT
access-list NAT-10-INSIDE remark :
access-list NAT-10-INSIDE extended permit ip 10.0.0.0 255.0.0.0 any
access-list VPN-SPLIT-TUNNEL remark :
access-list VPN-SPLIT-TUNNEL remark : Add Routes for these networks to the VPN clients
access-list VPN-SPLIT-TUNNEL remark :
access-list VPN-SPLIT-TUNNEL extended permit ip 10.10.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.20.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.30.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.40.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.3.0.0 255.255.255.0 any
pager lines 40
logging enable
logging timestamp
logging buffer-size 16384
logging buffered debugging
logging trap informational
logging history errors
logging asdm informational
mtu inside 1500
mtu inside20 1500
mtu inside30 1500
mtu inside40 1500
mtu guest 1500
mtu outside 1500
ip local pool VPN-POOL 172.16.10.1-172.16.10.99 mask 255.255.255.0
ip audit name IDSATTACK attack action alarm drop reset
ip audit interface inside IDSATTACK
ip audit interface inside20 IDSATTACK
ip audit interface inside30 IDSATTACK
ip audit interface inside40 IDSATTACK
ip audit interface guest IDSATTACK
ip audit interface outside IDSATTACK
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any inside20
icmp permit any inside30
icmp permit any inside40
icmp permit any guest
icmp permit any outside
asdm image disk0:/asdm-649.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list NAT-0-INSIDE
nat (inside) 10 access-list NAT-10-INSIDE
nat (inside20) 0 access-list NAT-0-INSIDE
nat (inside20) 10 access-list NAT-10-INSIDE
nat (inside30) 0 access-list NAT-0-INSIDE
nat (inside30) 10 access-list NAT-10-INSIDE
nat (inside40) 0 access-list NAT-0-INSIDE
nat (inside40) 10 access-list NAT-10-INSIDE
nat (guest) 0 access-list NAT-0-INSIDE
nat (guest) 10 access-list NAT-10-INSIDE
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS-AUTH protocol radius
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication secure-http-client
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
sysopt noproxyarp inside
sysopt noproxyarp inside20
sysopt noproxyarp inside30
sysopt noproxyarp inside40
crypto ipsec transform-set AES-256-SHA-ENCRYPT esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map VPN-DYN-MAP 1 set transform-set AES-256-SHA-ENCRYPT
crypto dynamic-map VPN-DYN-MAP 1 set security-association lifetime seconds 28800
crypto dynamic-map VPN-DYN-MAP 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic VPN-DYN-MAP
crypto map OUTSIDE-MAP interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
dhcpd ping_timeout 750
dhcpd address 10.10.1.1-10.10.1.99 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd domain xyz.local interface inside
dhcpd enable inside
dhcpd address 10.20.1.1-10.20.1.99 inside20
dhcpd dns 4.2.2.2 interface inside20
dhcpd enable inside20
dhcpd address 10.30.1.1-10.30.1.99 inside30
dhcpd dns 4.2.2.2 interface inside30
dhcpd enable inside30
dhcpd address 10.40.1.1-10.40.1.99 inside40
dhcpd dns 4.2.2.2 interface inside40
dhcpd enable inside40
dhcpd address 10.3.50.1-10.3.50.99 guest
dhcpd dns 4.2.2.2 interface guest
dhcpd enable guest
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tunnel-group-list enable
group-policy VPN-POLICY internal
group-policy VPN-POLICY attributes
vpn-simultaneous-logins 20
vpn-idle-timeout 3600
vpn-session-timeout 1440
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
default-domain value xyz.local
split-dns value xyz.local
tunnel-group secant type remote-access
tunnel-group secant general-attributes
address-pool VPN-POOL
authentication-server-group (outside) LOCAL
default-group-policy VPN-POLICY
tunnel-group secant ipsec-attributes
pre-shared-key *****
class-map INSPECTION-DEFAULT
description Complete Protocol Inspection List Class Map
match default-inspection-traffic
policy-map type inspect dns INSPECT-DNS-MAP
parameters
message-length maximum client auto
message-length maximum 4096
policy-map GLOBAL-INSPECTION-POLICY
description Global Inspection Policy
class INSPECTION-DEFAULT
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
inspect pptp
inspect ipsec-pass-thru
inspect icmp
inspect dns INSPECT-DNS-MAP
inspect ctiqbe
inspect dcerpc
inspect mgcp
inspect icmp error
inspect snmp
inspect waas
inspect h323 h225
inspect h323 ras
service-policy GLOBAL-INSPECTION-POLICY global
A5505-1# packet-tracer input inside icmp 10.10.253.1 1 1 172.16.10.1 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.10.1 255.255.255.255 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96adb20, priority=0, domain=inspect-ip-options, deny=true
hits=69511, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map INSPECTION-DEFAULT
description Complete Protocol Inspection List Class Map
match default-inspection-traffic
policy-map GLOBAL-INSPECTION-POLICY
description Global Inspection Policy
class INSPECTION-DEFAULT
inspect icmp
service-policy GLOBAL-INSPECTION-POLICY global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc510638, priority=70, domain=inspect-icmp, deny=false
hits=10388, user_data=0xcc510438, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc51dbb8, priority=70, domain=inspect-icmp-error, deny=false
hits=10388, user_data=0xcc51d9b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97e7e30, priority=12, domain=debug-icmp-trace, deny=false
hits=16500, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.10.0.0 255.255.0.0 outside 172.16.10.0 255.255.255.0
NAT exempt
translate_hits = 5, untranslate_hits = 796
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97b1d40, priority=6, domain=nat-exempt, deny=false
hits=5, user_data=0xc9840640, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.10.0.0, mask=255.255.0.0, port=0
dst ip=172.16.10.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 access-list NAT-10-INSIDE
match ip inside 10.0.0.0 255.0.0.0 outside any
dynamic translation to pool 10 (x.x.x.x [Interface PAT])
translate_hits = 61470, untranslate_hits = 8513
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9950080, priority=2, domain=nat, deny=false
hits=61604, user_data=0xc994ffc0, cs_id=0x0, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 access-list NAT-10-INSIDE
match ip inside 10.0.0.0 255.0.0.0 inside any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc994d1e0, priority=2, domain=host, deny=false
hits=69627, user_data=0xc994cdc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc983d570, priority=70, domain=encrypt, deny=false
hits=777, user_data=0x4c2e4, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.16.10.1, mask=255.255.255.255, port=0, dscp=0x0
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 102356, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Hi Alan,
Please make the following changes:
access-list VPN_SPLIT_ACL remark :
access-list VPN_SPLIT_ACL remark : Add Routes for these networks to the VPN clients
access-list VPN_SPLIT_ACL remark :
access-list VPN_SPLIT_ACL permit 10.10.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.20.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.30.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.40.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.3.0.0 255.255.255.0
group-policy VPN-POLICY attributes
split-tunnel-network-list value VPN_SPLIT_ACL
crypto isakmp nat-traversal 30
capture capin interface inside match ip 10.10.0.0 255.255.0.0 172.16.10.0 255.255.255.0
Then connect and try to ping any IP within the 10.10.0.0 /16 range.
Once done, issue:
show capture capin
HTH.
Portu.
Please rate any helpful posts -
I can not encrypt with AES 256 with JROCKIT *"jrockit-jdk1.6.0_22-R28.1.1-4.0.1"*
Are the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" only for the ex SUN JAVA, or can I use them with JROCKIT too?
Is there any (JCE) Unlimited Strength Jurisdiction Policy Files for Jrockit?
Any suggestions?
Thanks in advance
Jordán
You could try it and see if it works. The files look like drop-in replacements for what comes distributed with JRockit - but you still need to verify it with a test.
Arshad Noor
StrongAuth, Inc.
P.S. One way or the other, do update this thread so future readers benefit from it. -
Encrypt and Decrypt Card Number using AES 256 algorithm
Dear All,
I have a table in a SQL Server database. That table stores Card_Information. This information is secured, so I need to encrypt that data in the SQL Server table.
Can someone help with the encryption and decryption process using the AES 256 algorithm?
Regards, Praveen
Hello,
See MSDN Cryptographic Functions (Transact-SQL) for all available en-/decryption function in SQL Server.
Olaf Helper
-
AES 256 Revision 6 (PDF 2.0) Encryption
I am trying to implement decryption of AES 256 Revision 6 (PDF 2.0) as described in the ISO 32000-2 spec and having some success but getting some peculiar results that I cannot resolve and would appreciate some suggestions.
Using Acrobat X on a PC and encrypting using password encryption compatible with Acrobat X, I created a set of about 20 Acrobat X encrypted PDF tests. When I ran these through our implementation to decrypt as following ISO 32000-2 particularly Algorithms 2.A and 2.B most decrypted successfully and produced correct output. However a few failed either in the authentication phase or in the intermediate key computation stage, with the latter showing an error by an invalid decryption of the first stream of PDF encountered. Next I tried another set of different tests and also got a similar pass rate. Finally I took one unencrypted PDF test and chose the same security settings of compatible with Acrobat X, restrict editing, and printing, and allowed print and used the same password for 15 generated versions of this PDF test. 13 of these 15 resultant encrypted tests ran successfully with our implementation of the Revision 6 decryption algorithm. Two failed, with one failing a match on both user and owner key and the other failing computing the intermediate owner key.
In the past when we have implemented earlier Revision 5 256 AES, or even older compatibility versions it always was the case that you either had the software working or you didn’t. And the new PDF 2.0 2B algorithm with 64+ hashes and 64+ aes encryptions of data along with 16 byte mod 3 math computations leaves little room for error.
I believe that Acrobat when encrypting is choosing a random AES IV and all data including input /U /O /UE, and /OE strings differ. Even for the case described above of the same input test, same password, and same Acrobat encryption options. Thus the input into Algorithm 2-B will differ but the output should for authentication match the first 32 bytes of the O or U key or should result in a correct final result for intermediate owner or user key if the corresponding match occurred above.
However for the few exceptions that fail the above decryption it is not easy to determine what went wrong. Just about any change to the implementation of Algorithm 2.B breaks all working test cases instead of giving a clue as to what the issue is. The possible suspects are the new SHA-384 and SHA-512 and the encrypt code. We have used SHA-256 and the AES decrypt portion in earlier implementation of revision 5 and had no problems. The AES and hash code we are using is from Gladman1. I was wondering what others are using? It looks like Acrobat X is using RSA BSAFE Crypto – C2 at least for FIPS. Could Leonard or somebody else at Adobe tell me if this RSA software is also used in general with Acrobat X?
And I think that it would be very beneficial to have and publish a set of test vectors given input into algorithm 2.B along with correct intermediate results for each step. For each hash – including which method used per step show hash results, and also encryption step results, number of steps beyond 64 minimum, as well as final result. For the 80% of tests I have working I could produce this info. For those tests I cannot get working I would need help. Perhaps someone at Adobe or elsewhere who has had greater success than I have can help? I can provide input for the problematic tests either through this forum or privately at [email protected].
1) http://www.gladman.me.uk/
2) http://blogs.adobe.com/security/2011/05/update-fips-validation-certificates-for-acrobat-and-reader-x.html
I create a simple file called 256encrypt.pdf and encrypted with aes256
I am using "Algorithm 2.B: Computing a hash" from ISO32000-2 to verify the user password
user password: password
User string from the PDF test file : f4 65 f1 69 9a e2 ea 71 ba e7 6b 48 bb 12 8f 1f 18 74 e3 d3 e2 97 7e b8 d6 fe 9f 7f 86 b0 6d 89 c9 38 40 c5 64 dc 5a 32 04 4d 9c 6f 28 d2 98 d0
User string hash value: f4 65 f1 69 9a e2 ea 71 ba e7 6b 48 bb 12 8f 1f 18 74 e3 d3 e2 97 7e b8 d6 fe 9f 7f 86 b0 6d 89
User Validation salt: c9 38 40 c5 64 dc 5a 32
User Key salt: 04 4d 9c 6f 28 d2 98 d0
The input for the "Algorithm 2.B: Computing a hash" is as follows:
user Validation Salt: c9 38 40 c5 64 dc 5a 32
password: 70 61 73 73 77 6f 72 64 (password)
step 1: SHA256(password+user Validation Salt)
the result is K = 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
step 2: Make a new string K1 with 64 repetitions of the input password and K
K1= 70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
Total 64 times , total length = 0xa00
step3: Encrypt K1 with AES_128(CBC)
AES_CBC_128_NOPADDING:
Key = 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee
IV = be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
K1 64 repeat of the 70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
Result : Total length is 0xa00. The beginning part of the E is
E =
47 df 2a 7f 90 8a c4 d9 f2 8b a0 f1 49 f0 8e 09 51 c4 a3 ce fd 28 48 f3 d7 c1 04 76 1b 6b 5b f2 6d 3d 2c 3f 03 26 76 06 d5 67 44 c8 2a b6
10 02 a5 8d a7 93 4f 94 02 b9 bf 93 b5 2d 17 82 02 3b f7 8e 8a 07 0f 18 ed 19 b3 ba 55 8b 14 b7 45 16 80 47 4f 6e c3 b6 20 d2 72 cd d1 46
2c d3 88 f7 c4 f7 e3 3a 04 3d 72 4f e0 d2 66 63 c4 9c 77 7c c5 53 fd 69 81 f6 3b 3d f5 8e b2 bd 66 4e 0f c6 1e 96 5e 91 e2 3d 60 5c 60 75
a3 13 49 58 85 e8 bb 37 93 91 4c 4f 79 a5 80 f2 13 be 44 22 aa e5 ee 6c 29 2c 76 50 a3 15 85 69 5e e9 c5 29 13 2a f6 67 51 8e 1e 7f 23 8a
90 a7 fe 93 c7 ff 45 ee 2a f0 c0 70 f1 78 2e 80 bd be 06 4f ad 69 4d 47 e6 3f ae e2 6a 76 ef 3e 56 8f 2d f5 c9 49 26 f3 7e 6e 61 8b 5e e6
e6 2d dd 76 cd 30 33 1d fe bf 11 60 ce 33 35 43 da b7 33 9b b9 6a 86 cd 35 a0 ca 84 99 0c ca 71 28 b3 01 b9 23 b4 a0 87 4e fb ff af b6 bd
step4:
The result of the first 16 bytes of E mod 3 is 1
step5:
Using SHA384 to get 48 bytes K
K = 29 de 28 c1 f0 17 c9 37 bd 93 97 e3 b5 51 b0 86 b9 0c 96 e0 77 28 87 1c 11 7b 41 ce 64 bf a8 7f f2 8b a2 7b 52 58 79 a9 63 c0 b2 31 f8 4e e4 6e
This is the end of round 1 and go back to step 2 using this new K
When round is equal or bigger than 64, check E[last byte], if E[last byte] > round -32, go back to step 2
The final round is 69. and the final result is
K = ab 7c c6 03 bc da 85 51 3f 3d 22 fb 58 8c 42 1d 45 67 55 92 9f 4f d2 41 b3 93 07 04 7d b1 30 6d
But this K does not match with the first 32 bytes of the user string.
-
Error in running encryption/decryption using DES in Websphere Dev't Client
Hello!
I have a code used to encrypt / decrypt a string (password). I have already tested it using Netbeans and it is working. But when I tried to add the java code to an existing web project using Websphere Development Client, javax.crypto.* is not recognized. Then I imported JCE.jar.
The java code contains no errors then, but when I started to run the project, it gives an Error 500. And below is the Console's error message:
E SRVE0026E: [Servlet Error]-[javax.crypto.spec.PBEKeySpec: method <init>([C[BI)V not found]: java.lang.NoSuchMethodError: javax.crypto.spec.PBEKeySpec: method <init>([C[BI)V not found
Have I missed something to add? Or other things that I should do upon importing this jar file?
Please help.
Advance thanks for your reply.
misyel
I don't know what version of Java that my Websphere's using. But I am very sure that it is outdated. I am using Websphere 5.0. For Netbeans, it is JDK1.5.
I imported the JCE from JDK 1.5 on Websphere.
I think the code works perfectly fine. Actually it was my friend's code for encryption but they are using Eclipse for development (almost the same from Websphere but somehow different from it.)
My idea is that I can't match the versions of the jarfiles used in my project. As much as I wanted to change the imported jar files, I couldn't for when I replaced the existing jar files, more and more errors occur.
Can we have any alternative ways of importing the jar files? Or is there any other code that might help that will not use the JCE.jar?
I really appreciate your response. Thanks
misyel
-
Packet Encryption/Decryption error
This error message is from a site-to-site VPN router. The whole error message is like:
Aug 11 00:37:22.725 Japan: %HW_VPN-1-HPRXERR: Virtual Private Network (VPN) Module0/13: Packet Encryption/Decryption error, status=4610
Aug 11 00:39:05.192 Japan: %HW_VPN-1-HPRXERR: Virtual Private Network (VPN) Module0/13: Packet Encryption/Decryption error, status=4610
Aug 11 00:39:53.961 Japan: %HW_VPN-1-HPRXERR: Virtual Private Network (VPN) Module0/13: Packet Encryption/Decryption error, status=4610
Aug 11 00:40:55.447 Japan: %HW_VPN-1-HPRXERR: Virtual Private Network (VPN) Module0/13: Packet Encryption/Decryption error, status=4610
Does anybody see/handle this type of error before? The explanation in the CCO for this error message does not help much. What is the 'status=4610'? I also see the status number can be 4612 and 4613.
I also noticed the "ah_auth_failure:" in "sh cry eng accelerator statistic" increase by one each time I got this error in the syslog
Thanks in advance
Xuam,
What was the fix to your problem? I am getting the exact same problem.
Alphonse
-
Cisco CUBE supports AES-256 Encryption?
Hi guys,
Same as the title,
does the Cisco CUBE SBC functionality support AES-256 encryption for SRTP and TLS?
Thanks
Standard is AES/128 this is by IEEE-802.11-2007 and this is what the WLC supports and as most WLAN equipment.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
-
Acrobat (Reader) 8 not capable of opening AES-256 protected rights management PDF?
Is this really true?
Didn't find a datasheet explaining the Client-side requirements, when AES-256-encrypting PDF documents with LCRM.
In my lab it seems, as if Reader-9 can open those documents fine, while Reader-8 fails decrypting.
Dilettanto
Acrobat/Reader 9 were the first versions to incorporate AES-256 code, so if you want to remain backwards compatible with Reader 7 or 8 you need to continue to use AES-128. I believe this is documented in the help for the section that describes how policy edit works.
Jonathan
-
How to decrypt AES using a key
The example here will Generate the secret key specs first.
http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html
I already have a Decrypt Key used in my server application. How can I use that key to decrypt the msg sent from server?
Hi
I wrote this code to check Java encryption with AES and a key. This worked fine for me. Please have a look.
// Encrypt and decrypt using the AES secret key algorithm
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class AESEncrypt {
    public static void main (String[] args) throws Exception {
        // PKCS7Padding is resolved through the Bouncy Castle provider
        Security.addProvider(new BouncyCastleProvider());
        byte[] plainText = "LOGIN=2222=v2-0-b7=SMST=smst=ASI".getBytes("utf-8");
        // Build the AES secret key from its existing hex string
        System.out.println( "\nAES key" );
        String strKey = "75de8a33d3f18f1c29d86fa42b1894c7";
        byte[] keyBytes = hexToBytes(strKey);
        // skeySpec is the key to encrypt and decrypt
        SecretKeySpec skeySpec = new SecretKeySpec(keyBytes, "AES");
        System.out.println("Key: " + asHex(skeySpec.getEncoded()));
        System.out.println( "Finish generating AES key" );
        // Creates the AES Cipher object (specifying the algorithm, mode, and padding).
        // ECB takes no IV; the mode and padding must match what the other side uses.
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding");
        // Print the provider information
        System.out.println( "\n" + cipher.getProvider().getInfo() );
        System.out.println( "\nStart encryption" );
        // Initializes the Cipher object.
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
        // Encrypt the plaintext using the secret key
        byte[] cipherText = cipher.doFinal(plainText);
        System.out.println( "Finish encryption: cipherText: " + asHex(cipherText));
        System.out.println( "\nStart decryption" );
        // Initializes the Cipher object.
        cipher.init(Cipher.DECRYPT_MODE, skeySpec);
        // Decrypt the ciphertext using the same key
        byte[] newPlainText = cipher.doFinal(cipherText);
        System.out.println( "Finish decryption: " );
        System.out.print( asHex(newPlainText) );
    }
    // Returns the bytes as a lower-case hex string, two digits per byte
    public static String asHex (byte buf[]) {
        StringBuffer strbuf = new StringBuffer(buf.length * 2);
        int i;
        for (i = 0; i < buf.length; i++) {
            if (((int) buf[i] & 0xff) < 0x10)
                strbuf.append("0");
            strbuf.append(Long.toString((int) buf[i] & 0xff, 16));
        }
        return strbuf.toString();
    }
    // Converts pairs of hex digits into bytes
    public static byte[] hexToBytes(char[] hex) {
        int length = hex.length / 2;
        byte[] raw = new byte[length];
        for (int i = 0; i < length; i++) {
            int high = Character.digit(hex[i * 2], 16);
            int low = Character.digit(hex[i * 2 + 1], 16);
            int value = (high << 4) | low;
            if (value > 127) value -= 256;
            raw[i] = (byte)value;
        }
        return raw;
    }
    public static byte[] hexToBytes(String hex) {
        return hexToBytes(hex.toCharArray());
    }
}
-
AES-256 user home directory sparse image bundle in Lion?
Snow Leopard and previous had file vault to protect users' home directories as, I believe, AES-128-encrypted sparse image bundles. As I understand it now, under Lion, the options are to enable AES-128 whole disk encryption, or, if upgrading an existing snow leopard machine with a legacy file vault user account, to maintain that legacy file vault user home directory. However, under this second approach, additional users' home directories cannot be individually "file-vaulted" and instead, would require that legacy file vault be decrypted and then the entire disk be encrypted.
I am thinking that it would be advantageous from a security standpoint if an individual user home directory could remain encrypted, if that user were not actively logged in. Then, all contents would be inaccessible to other users, including administratively privileged users, and also that user's home directory would remain encrypted when the computer was turned on and booted up because as I understand it, file vault 2's real strength lies in protecting "data at rest" versus "data on a powered up and mounted file vault 2 volume".
To that end, I am wondering, regardless of whether file vault 2 is enabled or not, whether an existing user home directory and all of its contents can be converted to an AES-256-encrypted sparse image bundle, using Disk Utility, and exist at the /Users directory space, mounting and decrypting "on the fly" from the login window at user login just like how a legacy file vault home directory is treated under snow leopard, independently of whether file vault 2 was enabled on the whole disk or not. This would also permit later addition/conversion of another "file vaulted" user account whether file vault 2 were enabled or not.
To recap, an AES-256-encrypted sparse image bundle that would mount upon user login just like a legacy file vault user home directory does. Does anyone know if something like that is doable, and has that road already been travelled successfully? If so, I'd love to read a step-by-step, play-by-play, set of instructions on how to do just that.
I think I got a solution worked out. I don't mind if things get installed in /opt as long as pacman tracks it, and I found ruby-enterprise-rmagick in the AUR as an orphan. I adopted it, updated it, installed it, and it's working great with my code.
-
Windows 8.1 Pro Bitlocker AES 256-bit cypher question
Hi, all
Have an odd situation I cannot make any sense of. I have a desktop PC running Windows 8.1 Pro. I launched gpedit.msc and changed Bitlocker’s cypher strength from the default AES 128-bit to AES 256-bit.
I then connected a brand new Western Digital 4TB external drive (model WDBFJK0040HBK-04) to the PC via USB 3.0, and Bitlocker-encrypted the drive. Opened a command prompt window as administrator, ran "manage-bde -status" for the drive in question, which indicated the drive was encrypted with the 128 bit cypher strength, instead of 256 bits, as I had selected. Have unencrypted, rebooted and re-encrypted the drive time and again, always with the same results.
When connecting the same external 4TB drive to a Windows Server 2012 R2 Essentials in which I had made the exact same changes via gpedit.msc, I can encrypt it with the 256-bit cypher strength, with no problems.
No TPM is used in either scenario, just a passphrase.
Anyone has any idea why my 256-bit setting is being ignored in the Windows 8.1 Pro machine?
Thanks
Arsene
ArseneL
Well, running rsop.msc in my Server 2012 R2 machine does show my 256-bit bitlocker setting took, however, running rsop.msc in my Win 8.1 Pro machine shows it did not, which explains the problem I am having.
Now all I have to do is find out why my request is not taking, even though I am logged in as an admin.
Thanks!!
ArseneL
-
Help for a newbie on encryption/decryption
I want to start with a text file.
Read in a line of ascii characters, encrypt it using some algorithm and output it as a new set of ascii characters.
What algorithm should I use?
Thanks a lot. I got the encryption/decryption working pretty easily.
However, I ran into a problem when I got to storing keys:
I stored it fine with this code
try {
    KeyGenerator keyGen = KeyGenerator.getInstance("DES");
    desKey = keyGen.generateKey();
    cipher = Cipher.getInstance("DES");
    KeyStore keyStore = KeyStore.getInstance("JKS");
    String password = "lemein";
    char passwd[] = password.toCharArray();
    keyStore.load(null, passwd); //initialize keyStore
    Certificate[] chain = new Certificate[1];
    String alias = "test";
    keyStore.setKeyEntry(alias, desKey, passwd, null);
    String fileName = "data/gkey.txt";
    FileOutputStream f = new FileOutputStream(fileName);
    keyStore.store(f, passwd); // <----------exception happens here
    f.close(); // release the file handle once the store has been written
} catch (Exception e) {
    e.printStackTrace();
}
I got a problem when I retrieve it with this code
KeyGenerator kg = null;
Key key = null;
cipher = null;
Security.addProvider(new com.sun.crypto.provider.SunJCE());
byte[] result = null;
try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("data/gkey.txt"), "lemein".toCharArray());
    key = keyStore.getKey("test", "lemein".toCharArray());
    cipher = Cipher.getInstance("DES");
    byte[] data = "Hello World!".getBytes();
    System.out.println("Original data : " + new String(data));
    cipher.init(Cipher.ENCRYPT_MODE, key);
    result = cipher.doFinal(data);
    System.out.println("Encrypted data: " + new String(result));
} catch (Exception e) {
    e.printStackTrace();
}
I get the error:
java.security.UnrecoverableKeyException: DerInputStream.getLength(): lengthTag=75, too big.
at sun.security.provider.KeyProtector.recover(Unknown Source)
at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(Unknown Source)
Any idea what the problem is?
Thanks
-
Encrypt/decrypt using update
Hi,
Can someone give me an encrypt/decrypt pair of code samples that use the cipher.update() call?
I am trying it like that but apparently it doesn't work
byte[] temp = new byte[message.length/2];
byte[] temp2 = new byte[message.length/2];
System.arraycopy(message, 0, temp, 0, temp.length);
System.arraycopy(message, temp.length, temp2, 0, temp.length);
ciphertext = new byte[message.length];
System.arraycopy(symmetricCipher.update(temp), 0, ciphertext, 0, temp.length);
System.arraycopy(symmetricCipher.doFinal(temp2), 0, ciphertext, temp.length, temp.length);
> I don't see how using the inputstream i would avoid
> the memory error, when passing anything over
> 10,000,000. Unless you mean I split the input, and
> write small chunks into disk as I encrypt them?
Your basic problem is that you have the data as one large array. I don't know how and why you created this large array; I would not create it unless there was no other way.
Since it does not make sense to create one large encrypted byte array and given that you have a byte array then you can use either
1) Create a ByteArrayInputStream and wrap it in a CipherinputStream. This would allow you to encrypt the array in a sequential manner a few KBytes at a time.
or
2) Encrypt the array a few KBytes at a time using a simple update(array, start, length) that returns the encrypted bytes.
But first, I would try to avoid creating the large 'cleartext' array.
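Option 2 from the reply above, as an added example that is not part of the original thread: the input goes through update(array, start, length) a few KBytes at a time and each returned piece is written to a stream. The class and method names, the chunk size, the AES/CBC/PKCS5Padding transformation and the sample data are assumptions chosen for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example (hypothetical class and method names, not from the thread).
public class ChunkedCipherDemo {
    static final int CHUNK = 4096; // bytes passed to update() per call

    // Feeds data through an initialised cipher one chunk at a time and writes
    // whatever each call returns. update() emits only the blocks completed so
    // far and may return null, so the output length is taken from the returned
    // array and never assumed to equal the input length.
    static void process(Cipher cipher, byte[] data, OutputStream sink) throws Exception {
        for (int off = 0; off < data.length; off += CHUNK) {
            int len = Math.min(CHUNK, data.length - off);
            byte[] part = cipher.update(data, off, len);
            if (part != null) sink.write(part);
        }
        sink.write(cipher.doFinal()); // buffered tail plus padding
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; the length is deliberately not a multiple of 16.
        byte[] message = new byte[100003];
        SecureRandom random = new SecureRandom();
        random.nextBytes(message);
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey key = keyGen.generateKey();
        byte[] iv = new byte[16]; // AES block size; use a fresh random IV per message
        random.nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        ByteArrayOutputStream encrypted = new ByteArrayOutputStream(); // a FileOutputStream is used the same way
        process(cipher, message, encrypted);

        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        ByteArrayOutputStream decrypted = new ByteArrayOutputStream();
        process(cipher, encrypted.toByteArray(), decrypted);

        System.out.println("ciphertext bytes: " + encrypted.size());
        System.out.println("round trip ok: " + Arrays.equals(message, decrypted.toByteArray()));
    }
}
```

CBC with padding gives confidentiality only; where the ciphertext can be modified in transit or at rest, add a MAC over the IV and ciphertext or use an authenticated mode.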