Encryption using gnu.crypto package

Similar Messages

• HMAC_SHA1 encryption using javax.crypto.MAC performance problems in SPARC

  Hi, I'm trying to implement a method to synchronize TOTP cards. In case the server clock and the card clock were different. So I generate a lot of TOTP keys in case to compare it with the real key so at the end I get both of the times in the server. That works in x86 (Sunfire x2200) perfectly and does not take a lot of time doing that (like 2 minutes generating 800000 keys). But when I test it on Oracle BM SPARC (T1000 LDOM 1.1) takes I lot of time. I did all kind of profiling stuff but all point to the method of the generation the TOTP in the HMAC_SHA1.
  here is the code (based on JBoss 6 OTP implementation)
  public synchronized static String generateTOTP(String key, String time,  int returnDigits, String crypto) throws GeneralSecurityException {
            String result = null;
            byte[] hash;
            // Using the counter
            // First 8 bytes are for the movingFactor
            // Complaint with base RFC 4226 (HOTP)
            while(time.length() < 16 ) {
                 time = "0" + time;
            // Get the HEX in a Byte[]
            byte[] msg = hexStr2Bytes(time);
            // Adding one byte to get the right conversion
            byte[] k = hexStr2Bytes(key);
            hash = hmac_sha1(crypto, k, msg);
            // put selected bytes into result int
            int offset = hash[hash.length - 1] & 0xf;
            int binary =
                 ((hash[offset] & 0x7f) << 24) |
                 ((hash[offset + 1] & 0xff) << 16) |
                 ((hash[offset + 2] & 0xff) << 8) |
                 (hash[offset + 3] & 0xff);
            int otp = binary % DIGITS_POWER[ returnDigits ];
            result = Integer.toString(otp);
            while (result.length() < returnDigits ) {
                 result = "0" + result;
            return result;
  private static byte[] hmac_sha1(String crypto, byte[] keyBytes, byte[] text) throws GeneralSecurityException {
            Mac hmac;
            hmac = Mac.getInstance(crypto);
            SecretKeySpec macKey = new SecretKeySpec(keyBytes, "RAW");
            hmac.init(macKey);
            return hmac.doFinal(text);
  }The release of the version to production is delayed about this. I need help either to use another library or finding the right configuration for the SPARC.
  Thanks in advance to everybody.
  danielfjb

  Well It is the only approach that I came up. It is supposed the code runs max. one time per user in production, that depends in the synchronization between the server clock and the OTP card clock.
  Basically the algorithm takes two consecutive keys (each 30 seconds the password changes) from the user, saving the time (server clock) for each one when the user clicks next. With both keys the server look up at what time (in server clock) the key has been generated. Performing a simple subtraction I can get the difference of times when the user generates the otp and when the server generates it.
  The algorithm simply look up five days ago, and five days further the same key each 30 simulated seconds, and reports the time when it founds an equal key. It's a brute force search, but in this case I really don't know how to do it differently.
  So the problem is in the type of server, because in the x86 runs the synchronization in 3 minutes or less, but in the SPARC takes 30 minutes or maybe more. It should be some native code that has problems with this implementation of javax.crypto.Mac
  Hope I do make my self clear
  Thank you

• Gnu-crypto PKCS7 NegativeArraySizeException

  Hi guys, i read a lot of topics in the forum, but i cant find something that
  could help me, so i post a topics. I hope somebody help me.
  Im trying to do a simple PKCS7 padding using gnu-crypto, but when
  a run the padding example that come with the distribution of gnu-cypto
  i got a NegativeArraySizeException. Thers's anybody here with the same error?
  If you can please help me, i read the gnu-cypto documentation, but i cant
  do the code run ok.
  When reaches padding.pad the exception is thrown... :(
  what am i doing wrong????
  <code>
  IPad padding = PadFactory.getInstance("PKCS7");
            byte[] input = inputString.getBytes("UTF8");
            byte[] pad = padding.pad(input, 0, input.length);
            byte[] pt = new byte[input.length + pad.length];
            byte[] ct = new byte[pt.length];
            byte[] cpt = new byte[pt.length];
            System.arraycopy(input, 0, pt, 0, input.length);
            System.arraycopy(pad, 0, pt, input.length, pad.length);
            int unpad = padding.unpad(cpt, 0, cpt.length);
            byte[] output = new byte[cpt.length - unpad];
            System.arraycopy(cpt, 0, output, 0, output.length);
            System.out.println("TEST " + input + " -- " + new String(output,"UTF8"));
  </code>
  <consoleOutput>
  java.lang.NegativeArraySizeException
       at gnu.crypto.pad.PKCS7.pad(PKCS7.java:113)
       at org.Test.padding(Test.java:131)
       at org.Test.main(Test.java:48)
  </consoleOutput>

  You have not published enough code. You have not published the error messages.

• Where is the crypto package?

  I have j2se 1.4 installed here and wanted to use the crypto package. But when i try to import it with
  import javax.crypto.*;
  i get a compilation error, saying package crypto is not defined.
  So i had a look to my harddisk and couldn't find the dir javax/crypto. There is a javax dir and some other dirs in it, but nothing like crypto.
  But in the api doc this package is listed, so it should be there. I'm absolutely sure i haven't deleted it.
  This get's me a little bit confused. Any idea what the proplem could be?

  - solved -

• How to find length of string after encryption using DBMS_CRYPTO package

  Hi,
  I am planning do data encryption using DBMS_CRYPTO package. I want to find how much will be string length after encryption.
  e.g When I try to encrypt string of length between 1-15 characters it gives me encrypted string of 32 characters. When I try with 16 charcters encrypted string is of 64 characters.
  Is ther any formula to calculate length of encrypted string?
  Thanks
  Pravin

  The length change is dependent upon the algorithm you are using which can be a combination of cipher block, padding, and chaining.
  The best solution is determine the method you are going to use and apply it to the l ongest possible strings you are going to proces, then add some safety margin. There iis no penalty for defining your column as VARCHAR2(4000).

• Can DBMS_CRYTO Package encrypt using a HMAC-SHA-1 Signature?

  Hello there,
  I'm trying to integrate Google Checkout (GC) into a friend's APEX-created website, running on a 10g Release 2 database (Express Edition).
  Google request that XML representing an order be encrypted using a HMAC-SHA-1 signature, which will consist of the GC Merchant ID.
  I'm very new to crptography in the Oracle Database, but had heard of the DBMS_CRYPTO Package. However, I could not identify a package constant representing the HMAC-SHA-1 signature. The closest I could come was HMAC-SH1. I don't think that's quite the same thing.
  Can anybody offer any assistance?
  Kind Regards.
  James

  What was wrong here was that the key was not a) converted from modified base64 and then b) not converted back to binary.
  This now generates the correct signing value
  set define off
  DECLARE
  l_key_src VARCHAR2(100) := 'vNIXE0xscrmjlyV-12Nj_BvUPaw=';
  l_key_b64 varchar2(100) := translate(l_key_src,'-_','+/');
  l_key_bin raw(2000);
  l_string VARCHAR2(100) := utl_url.escape('/maps/api/geocode/json?address=New+York&sensor=false&client=clientID');
  l_sig_mac RAW(2000);
  l_base64_sig_mac VARCHAR2(2000);
  l_base64_sig_mac_alter VARCHAR2(2000);
  BEGIN
  l_key_bin := utl_encode.base64_decode(UTL_I18N.string_to_raw(l_key_b64, 'AL32UTF8'));
  l_sig_mac :=DBMS_CRYPTO.mac(UTL_I18N.string_to_raw(l_string, 'AL32UTF8'), DBMS_CRYPTO.hmac_sh1,l_key_bin);
  l_base64_sig_mac := UTL_RAW.cast_to_varchar2(UTL_ENCODE.base64_encode(l_sig_mac));
  l_base64_sig_mac_alter := translate(l_base64_sig_mac,'+/','-_');
  DBMS_OUTPUT.put_line('MAC Signature (Base64-encoded): ' || l_base64_sig_mac);
  END;

• How can I encrypt(using PKI credential) a package/portfolio using Assembler Service

  Hi All,
  I have found a way to encrypt (using password credential) a package/
  portfolio using a DDX and calling invokeDDX service of Assembler
  Service. see the DDX snippet below
  How  can I do the PKI based encryption on the package. I couldn't find
  any DDX element for this.
  snippet:
  <?xml version="1.0" encoding="UTF-8"?>
    <DDX xmlns="http://ns.adobe.com/DDX/1.0/">
       <PDF result="GeneratedDocument.pdf" encryption="userProtect" >
          <PDF source="cover"/>
             <PackageFiles>
             <PDF source="attachments"/>
          </PackageFiles>
         </PDF>
        <PasswordEncryptionProfile name="userProtect">
                   <OpenPassword>abcd1234</OpenPassword>
       </PasswordEncryptionProfile>
    </DDX>
  Thanks
  greenday

  The documentation lists all the encyrption types:
  http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_crypto.htm#ARPLS664

• Problem when using javax.crypto.KeyGenerator in netbeans

  This is my IDE information:
  Product Version: NetBeans IDE 6.0.1 (Build 200801291616)
  Java: 1.6.0_03; Java HotSpot(TM) Client VM 1.6.0_03-b05
  System: Windows XP version 5.1 running on x86; Cp1252; en_US (nb)
  I am trying to develop a Test jar file. I created some simple jar files and could upload it in mobile.
  Now I want to implement some encryption. For that I started writing codes. But when trying to import javax.crypto.KeyGenerator class, netbeans is showing "cannot find symbol" error. I can use javax.crypto.Cipher/BadPaddingException/IllegalBlockSizeException/NoSuchPaddingException/spec/ShortBuffrException only. If i try to use any other class of javax.crypto, i get an error.
  I am new to mobility.I downloaded netbean mobility package and Installed it.
  Please provide some help.. thank you....

  This is my IDE information:
  Product Version: NetBeans IDE 6.0.1 (Build 200801291616)
  Java: 1.6.0_03; Java HotSpot(TM) Client VM 1.6.0_03-b05
  System: Windows XP version 5.1 running on x86; Cp1252; en_US (nb)
  I am trying to develop a Test jar file. I created some simple jar files and could upload it in mobile.
  Now I want to implement some encryption. For that I started writing codes. But when trying to import javax.crypto.KeyGenerator class, netbeans is showing "cannot find symbol" error. I can use javax.crypto.Cipher/BadPaddingException/IllegalBlockSizeException/NoSuchPaddingException/spec/ShortBuffrException only. If i try to use any other class of javax.crypto, i get an error.
  I am new to mobility.I downloaded netbean mobility package and Installed it.
  Please provide some help.. thank you....

• Legal trouble possible using javax.crypto?

  h4. The problem
  I'm currently doing an internship in france, where we need to use RSA encryption in our application as a part of our authentification.
  As we could possibly sell our application in all over the world and there seem to be complicate cryptological laws my question is:
  Can one possibly get into legal trouble for using the java encryption methods?
  I'm totally fine with using a relatively weak encryption (for exemple 512 Bit for RSA) and I do not need to change the policy files (as I understand it,
  the RSA keysize is not restricted by the standard policy files anyways) or do stronger encryption than this.
  I already found something to show that exporting an application like this is not a problem.
  If someone has a similar question, it can be found here: +[http://www.ssi.gouv.fr/fr/reglementation/regl_crypto.html]->Exportation et transfert de moyens de+
  cryptologie depuis la France->EXPORTATION VERS D'AUTRES &Eacute;TATS->"assurant exclusivement des fonctions d&rsquo;authentification ou de contr&ocirc;le d&rsquo;int&eacute;grit&eacute;"->LIBRE.
  But my problem is not the export OUT of france but the import INTO another country (like china or russia for example).
  As I am only a student, consulting a lawyer is not an option for me (too expensive).
  I've ready many documents who all state what is forbidden and allowed but they mostly talk about providing cryptography and not using it.
  So while logically it makes sense to say "if its not written there it must be allowed", I would like to have something concrete to show my company.
  Is there an easy to prove, logical argument for this?
  h4. Sources I've already consulted:
  *1. [The Wassenaar Arrangement|http://www.wassenaar.org/]*
  In [5.A.2.a.1.b.1.|http://www.wassenaar.org/controllists/2007/WA-LIST%20(07)%202%20Corr.%20word%20files/08%20-%20WA-LIST%20(07)%202%20Corr.%20-%20Cat%205P2.doc] it states it regulates "An "asymmetric algorithm" where the security of the algorithm is based on any of the following:
  1.     Factorisation of integers in excess of 512 bits (e.g., RSA);[...]"
  So while it says "hey, be careful with anything more than 512 Bits" it does not explicitly state (at least I did not find it) "anything with 512 Bits or
  less is totally unproblematic".
  The list of participating states is quite huge so this could help me a lot if I could prove that this is not a problem:
  The states are: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece,
  Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania,
  Russian Federation, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom,
  United States
  *2.[RSA Laboratories: What are the cryptographic policies of some countries?|http://www.rsa.com/rsalabs/node.asp?id=2333]*
  There is a table showing each state in a category from 1 - no restriction for cryptography to 5 - "cryptography is tightly controlled". Unfortunately not a
  great part of those countries are in category 1. Unfortunatly it does not seem to differentiate between providing cryptography and using it.
  *3. [Java &trade; Cryptography Architecture (JCA) Reference Guide|http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html]*
  It speaks about cryptographic restrictions that are in place and how you can lift them with special certificates and whatnot but it does not state that
  operating within those restrictions is legal inside every country.
  *4. [Bert-Jaap Koops homepage - Crypto Law Survey - Overview per country|http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#co]*
  People's Republic of China
  Export/ import controls
  "+By State Council Order No. 273, "Commercial Use Password Management Regulations", published on 15 October 1999 and in effect since 7 October 1999, import and export of encryption products requires a license by the State Encryption Management Commission. According to a "clarification letter" sent to US+
  +businesses in China in early March 2000, this involves only hardware and software for which encryption and decoding operations are core functions. As a+
  +result, products in which cryptography is only built-in (such as mobile phones and browser software) are exempted. Moreover, the letter clarified that the+
  +regulations do not entail key escrow.+
  +However, the clarification letter only seems to apply to pre-2000 products. All products since 2000 seem to require a license.+"
  So does this mean that Java needs a license (which it probably has I hope) or our product which uses it does also need it?
  *5. Sun Developer Forums - Security - Cryptography*
  Search for keyword "legal": nothing which matches my problem found
  Search for keyword "import": nothing which matches my problem found within the first 13 pages
  Search for keyword "china": nothing which matches my problem found
  So, any backed up help will be greatly appreciated. Thanks!
  Edited by: kirdie on Jun 30, 2008 2:54 AM
  Edited by: kirdie on Jun 30, 2008 3:00 AM
  Edited by: kirdie on Jun 30, 2008 3:01 AM
  Edited by: kirdie on Jul 1, 2008 5:35 AM
  Edited by: kirdie on Jul 3, 2008 6:29 AM

  In my opinion you are only partly right, it's a legal question about software :-)
  And unfortunately I can not pay a lawyer with my student earnings.
  As this question is very broad (it concerns everyone who sells java software which utilises the crypto package) am very interested in how you cope with this problem.
  Do you ignore it? Use weak encryption only? Ask each state for a licence? Don't sell your product to certain countries?
  P.S: Or should i rather move the topic to "Other Security APIs, Tools, and Issues"?
  Edited by: kirdie on Jul 4, 2008 12:39 AM

• Using javax.crypto in oracle 10g

  Hi,
  I have a java stored procedure for oracle 10g (running jdk1.4) that
  uses the javax.crypto package and the bouncy castle provider for RSA
  decryption. Here is a snippet of the code in the procedure:
  Security.addProvider(new
  org.bouncycastle.jce.provider.BouncyCastleProvider());
  Cipher rsaCipher = Cipher.getInstance("RSA");
  RSAPrivateKey key = (RSAPrivateKey)
  MSPrivKeytoJKey.getPrivateKey(aKey);
  rsaCipher.init(Cipher.DECRYPT_MODE, key);
  rsaCipher.doFinal(encryptedByteArray);
  This works fine on my own machine running jdk1.4. However, when I load
  my stored procedure into the database and run it, I get the following
  exception after the line
  Cipher rsaCipher = Cipher.getInstance("RSA");
  tries to execute:
  java.security.NoSuchAlgorithmException: Cannot find any provider
  supporting RSA
  I have tried the following (based on information gathered from various
  forums):
  - ran
  loadjava -u username/pass@DB -v bcprov-jdk14-137.jar
  - added the following line to java.security
  security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
  but i still get the same error.
  I am reaching out desperately to all you experts for help :)
  Pouria

  Hi,
  Unfortunately, the Java VM only supports the basic JDK functionalities; you could try the Metalink Note 356123.1 which should work using BC library but this note only addresses AES.
  Furthermore, you need the following two extra permissions:
  exec dbms_java.grant_permission('SCOTT', 'SYS:java.security.SecurityPermission','putProviderProperty.BC', '' );
  exec dbms_java.grant_permission( 'SCOTT', 'SYS:java.security.SecurityPermission','insertProvider.BC', '' );
  Oboviously SCOTT would be changed to whichever schema you are using.
  Kuassi http://db360.blogspot.com

• Using SATSA-CRYPTO

  I'm using some calls to the SATSA Crypto package which work fine when run with an emulator and NetBeans, but which were getting a NoClassDefFoundError when run on an actual device.
  It appears that none of these classes are in my Midlet's jar file. I tried forcing them into the jar, but that got me a java.lang.Error, instead.
  When NetBeans runs an emulator, it apparently resolves this by having some extra jars that it searches. Is there a standard place on a device where such jars would normally go?
  Michael D. Spence
  Mockingbird Data Systems, Inc.

  Actually, I'm not using a smartcard. My phone claims to support SATSA, but there's some issue with the myriad exception classes not being defined in the phone. Of course, I can't define them because they're in java.* or javax.*. The emulator that comes with NetBeans doesn't have this problem.
  It appears that using the highest available level of obfuscation will often help in situations like these, because it hides the forbidden class names, so you can include them in the jar. In my particular case, this wasn't enough, so I switched to the bouncycastle library: http://www.bouncycastle.org. This works great with the emulator and my phone, and has more and better features than SATSA.

• Encryption using APEX

  Just wondering if anyone is aware of any examples that demonstrate how to use the WWV_CRYPT package?
  I'm interested in insert, update and select statements.
  Alternatively, can anyone point me in the direction of other suitable encryption methods that can be used within APEX? That will also be appreciated.
  Many thanks.
  James

  No problem.
  I think you are better off using the dbms_crypto package in your app. That's one less dependency on ApEx specific packages you have to worry about.
  I'm still guessing, due to the lack of hits performing a search, that wwv_crypt is used mainly for internal processing. Here are the direct dependencies:
  WWV_CRYPT                      PACKAGE BODY
  WWV_FLOW_SECURITY              PACKAGE BODY
  WWV_FLOW_USER_API              PACKAGE BODY
  WWV_FLOW_UTILITIES             PACKAGE BODY
  WWV_BIU_FND_USER               TRIGGER           and the package depends on:
  REFERENCED_OWNER               TYPE              REFERENCED_NAME
  PUBLIC                         PACKAGE BODY      DUAL
  SYS                            PACKAGE BODY      STANDARD
  SYS                            PACKAGE           STANDARD
  SYS                            PACKAGE BODY      DBMS_STANDARD
  PUBLIC                         PACKAGE BODY      UTL_RAW
  PUBLIC                         PACKAGE BODY      DBMS_LOB
  FLOWS_020200                   PACKAGE BODY      WWV_FLOW_LANG
  FLOWS_020200                   PACKAGE BODY      WWV_CRYPT
  FLOWS_020200                   PACKAGE BODY      UTL_RAW
  FLOWS_020200                   PACKAGE BODY      DUAL
  FLOWS_020200                   PACKAGE BODY      DBMS_LOBchet

• Triple DES CBC Encryption using an Initial Vector

  How can triple DES encryption in CBC be done using the javacard package and not javax?
  Will this do?
                 cipher3DESCBCDebSesKey1.init( key, Cipher.MODE_ENCRYPT, initVector, (short) 0, (short) 8);
                 cipher3DESCBCDebSesKey1.doFinal( input, (short) 0, (short) 16, SesKey, (short) 0 );
  After all the initialization, will the doFinal already give me the result of triple DES using CBC? or do I have to init* and doFinal* three times?
  Also, I used the no pad setting for this one.
  cipher3DESCBCDebSesKey1 = Cipher.getInstance( Cipher.ALG_DES_CBC_NOPAD, false );

  The fact that only the first block is corrupt is indicative that I you are not using the same IV on both sides. This is confirmed by your PHP code that seems to generate a random IV so your chance of getting the same IV on both sides is just about zero.

• Regarding javax.crypto package?

  Hey,do we get this package as default one.
  Or do we have to get it separately?
  if we have to get it separately ..pls tell me where can we get it?
  thanks a lot
  hari

  Hi hari7bp,
  try the following link to see the api for j2se 1.4.1:
  http://java.sun.com/j2se/1.4.1/docs/api/
  There you will see, that the javax.crypto package has been integrated into this version. You don't have to download it! Make sure your compiler reaches the jar jce.jar which should be located in your <JAVA>/JRE/lib dir.
  The only thing you might want to download in the future is the package for unlimited encryption strenght (right now you should have the so-called strong strenght). But this is not necessary to make the encryption work!
  So, check your path, buddy.
  Good luck,
  Sebastian
  btw: I told you, the packages had been renamed while integrating jce-that's not true, they kept their old names, sorry for that ;-(

• How to use two different packages which in  different directories?

  In my progrom, I'm using two differnet packages that in two different directories, but if I use classpath , the program can only be in one environment, so what can I do?

  or you set your classpath to the first common dir they have, and specify the packages from that dir on...
  or you just simply copy (you don't have to move it) the one package together with the other package...
  by the way you can add multiple paths to your classpath...
  between the paths you specify a ";"
  if i'm not mistaken...
  SeJo