Database encryption using self-defined key

I am new to encryption, and have a big puzzle: I want to encrypt a password into a database using a self-defined key (so I can avoid storing it in a file for later decryption use). I can't seem to find an example of a class that doesn't create a key for me (remember, I already have my own key). I know that this isn't the most secure way to do things, but it's a short-term solution until I have more time to do the job right.

Welcome to JavaRanch.

A key is just a byte[]; you can hardcode the array values in the Java code. See this for an example (the code is about web services encryption; it's just to show how to hardcode a byte[]).

@Ulf is correct.

You will need to store the key somewhere. To use it in a Java program, you have to get it into the program. This can be from a file, hardcoded in the program source, in a property, etc. but you must have the key.

You could, in theory, ask the user for the key, but that really is bad from a human usage point of view.

I fully agree with Ulf and have already created a hardcoded key using byte[]. Per Pat, I don't plan to ask the user for a key, and neither do I plan to store a key (since it's hardcoded).

So what am I trying to do? Below is an implementation similar to the one I'm attempting... the critical question is how to use the SAME key (i.e., keyBytes or something else) to call in m_cipher.init()? Note that the TODO label is the location where the key is newly GENERATED everytime- something I do NOT want to do. This is because the data encrypted in the database may have used a different GENERATED key (I want a hardcoded key, not a GENERATED key). Any help would be appreciated:

=====================================================

private static Cipher m_cipher = null;
private static SecretKeySpec m_keySpec = null;

private static void initEncryption() throws Exception {
final byte[] keyBytes = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
//TODO: how can I use a hardcoded (not GENERATED) key each time?
m_keySpec = new SecretKeySpec(keyBytes, "AES");
System.out.println("Key: " + asHex(m_keySpec.getEncoded()));
m_cipher = Cipher.getInstance(m_keySpec.getAlgorithm());
}

public static String decryptString(String encrypted) throws Exception {
System.out.println("decryptString- input text: " + encrypted);
byte[] input = encrypted.getBytes();
String decryptedText = null;
byte[] decryptedByte = null;

m_cipher.init(Cipher.DECRYPT_MODE, m_keySpec);
decryptedByte = m_cipher.doFinal(input);

decryptedText = new String(decryptedByte);
System.out.println("decrypted text: " + decryptedText);

return decryptedText;
}

public static String encryptString(String decrypted) throws Exception {
System.out.println("encryptString- input text: " + decrypted);
byte[] input = decrypted.getBytes();
String encryptedText = null;
byte[] encryptedByte = null;

m_cipher.init(Cipher.ENCRYPT_MODE, m_keySpec);
encryptedByte = m_cipher.doFinal(input);

encryptedText = new String(encryptedByte);
System.out.println("encrypted text: " + encryptedText);

return encryptedText;
}

private static final byte[] keyBytes = {0x34, 0xc1, 0xff...}; m_keySpec = new SecretKeySpec(keyBytes, "AES");

where you fill in your bytes into the array. Its easy.

encryptedText = new String(encryptedByte);

This will lead to tears. String should not be used as containers for binary data as for many character encodings it is not reversible. If you have to have a String version, and most of the time one does not, then you should Base64 or Hex encode the bytes of the ciphertext.

I guess I'm not being clear...

final byte[] keyBytes = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; //TODO: how can I use a hardcoded (not GENERATED) key each time? m_keySpec = new SecretKeySpec(keyBytes, "AES"); System.out.println("Key: " + asHex(m_keySpec.getEncoded()));

The "key material of the secret key" printed out from m_keySpec.getEncoded() is different each time I startup this application. Is this because each time the SecretKeySpec() constructor is called, it generates new key material? This secret key is used via the m_cipher.init(<whatever mode>, m_keySpec) call, and the subsequent encrypt-into-database/decrypt-from-database results differ each time I start up this application (defeating the whole purpose behind encrypting).

So... do I need to save somewhere the SecretKeySpec data instead of using a hardcoded (or generated) key?

SecretKeySpec doesn't change the bytes you give it, and even clones the byte array to ensure that it isn't modified externally; see SecretKeySpec.java. I'm afraid I don't see how that code snippet could return different bytes each time.

The code below works for me, with a new SecretKeySpec each time:final MessageDigest md = MessageDigest.getInstance("MD5"); final byte[] digest = md.digest("password".getBytes()); final ByteArrayOutputStream out = new ByteArrayOutputStream(); final SecretKey encKey = new SecretKeySpec(digest, "AES"); final Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding"); enc.init(Cipher.ENCRYPT_MODE, encKey); out.write(enc.getIV()); out.write(enc.doFinal("secret".getBytes())); out.close(); final byte[] in = out.toByteArray(); final SecretKey decKey = new SecretKeySpec(digest, "AES"); final Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding"); dec.init(Cipher.DECRYPT_MODE, decKey, new IvParameterSpec(in, 0, 16)); final byte[] plain = dec.doFinal(in, 16, in.length - 16); System.out.println(new String(plain));

Originally posted by James Sabre:
encryptedText = new String(encryptedByte);

This will lead to tears. String should not be used as containers for binary data as for many character encodings it is not reversible. If you have to have a String version, and most of the time one does not, then you should Base64 or Hex encode the bytes of the ciphertext.

Whoops! Didn't see this entry until now... and I think this is my problem. Thanks for the heads up!