Triple Des Pin Encryption

Hi,

I am very new to encryption and have a very little knowledge about Triple Des. I appreciate if you guys can help me. I hope i am not posting a question already repeated multiple time, in that case i apologise.

I am working on a project where we have to encrypt a pin using Triple Des with 3 different keys(48 hexadecimal digits) and have to then add the encrypted pin to an xml and send as a soap msg. I believe the three keys (k1, k2, k3) will be used for encrypt(k1)->decrypt(k2)->encrypt(k3). I have also been given a 16 hexadecimal digits as "Check Digits", not sure where it is supposed to be used.

Most of the examples i have seen have an encrypt and decrypt method and use CipherOutputStream to write the pin as byte into a file. But, as mentioned earlier i need to convert the final encryted pin to a string to add it to the xml. Is it safe to do that?

Could you please help me to understand how to do the 3des encryption with multiple keys and then convert the encrypted pin to string and add to the xml. I have gone thru the java ranch forum, but was able to understand the triple des concepts but still not sure how to implement it in my case

Thanks in advance for your help. I would appreciate if could help me provide some code samples or links.

Regards,
Sachin

Why are you using 3DES? DES is obsolete. While 3DES is technically acceptable, its much slower than AES. Just use AES.

There are implementations, google is your friend.

The standard setup is to do

ciphertext = e(k1,(d(k2,(e(k3, cleartext))));

The reason for this is that if you use the same key three times, you can trivially check your results, since e(k1,d(k1,clear) is obviously a no-op, you expect that

ciphertext = e(k1,(d(k2,(e(k3, cleartext)))) == e(k1, cleartext);

Thanks Pat for your reply.

After doing some research, i do agree that AES is much more efficient and faster than 3DES, but i have to use 3DES due to project requirements.

I am working on the sample code right now and will post it soon. I am able to write a encrypt and decrypt method, but still unclear about how i will use this method to achieve 3DES encryption with multiple keys.

Should i be doing this??

encryptedText1= encrypt(txt, key1)
decryptedText= decrypt(encryptedText1, key2)
finalEncryptedText= encrypt(decryptedText, key3)

Please advice. Thanks for your help.

- Sachin

Originally posted by Sachin Deokar:
After doing some research, i do agree that AES is much more efficient and faster than 3DES, but i have to use 3DES due to project requirements.

encryptedText1= encrypt(txt, key1)
decryptedText= decrypt(encryptedText1, key2)
finalEncryptedText= encrypt(decryptedText, key3)

since you have to do it for project requirements, whoever is requiring it should give you more detail. To have any chance of serious interoperability, you need test vectors.

Your pseudo code is fine. And you can self test by using the same key for all three parts.

Be careful about details, the ciphers are written to deal with unsigned octets, the closest thing in Java is a byte array. Do not use String objects, they will really make a mess, unicode and all that.

It may help to know that Sun calls 3DES "DESede". If you append your keys in the correct order into one 168-bit DESede key, you should be able to do the encryption in one step.

(Not that I've done this myself.)

Originally posted by Carey Evans:
Sun calls 3DES "DESede"

That's a useful name, for the e(d(e())) style.
There is also 3DES with just e(e(e())) but its not popular since it lacks the easy testing stuff that ede gives you.

Arguing whether eee or ede is stronger is left as an exercise to the student.

Should i be doing this?? encryptedText1= encrypt(txt, key1) decryptedText= decrypt(encryptedText1, key2) finalEncryptedText= encrypt(decryptedText, key3) Please advice. Thanks for your help.

no, you should not. It can work, but it is much more difficult and error-prone. As an earlier poster noted, you should a use DESede cipher instead. e.g. Cipher.getInstance("DESede"). Your lack of understanding of strings versus bytes suggests that you are going to get into trouble over this issue. Strings and byte arrays are not interchangeable without using a proper encoder/decoder, such as base 64 or base 16(hex).

Thank you guys for your help. I am still trying to do some more research to a get a good understanding of this. I will soon post the code here. Though i dont have much knowledge regarding encryption, but certainly working on this code has gotten me lot interested and i hope with your help i am able get to the end.

Thank you guys again for your feedback. This is the first time i am posting code on this forum, forgive me for any mistakes.

I did try to write some code copied below to handle triple des encryption using three different pins. My lack of understanding for bytes and triple des must be evident from my code, but i would greatly appreciate your comments and response to make this code work.


import java.io.IOException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.spec.InvalidKeySpecException; import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESedeKeySpec; public class EncryptTripleDes { private static byte[] encrypt(byte[] inpBytes, SecretKey key) throws Exception { Cipher cipher = Cipher.getInstance("DESede"); cipher.init(Cipher.ENCRYPT_MODE, key); return cipher.doFinal(inpBytes); } private static byte[] decrypt(byte[] inpBytes, SecretKey key) throws Exception { Cipher cipher = Cipher.getInstance("DESede"); cipher.init(Cipher.DECRYPT_MODE, key); return cipher.doFinal(inpBytes); } /** Read a TripleDES secret key from the specified file */ private static SecretKey readKey(String keyStr) throws IOException, NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException { // Convert Key Str to bytes byte[] rawkey = new byte[1024]; rawkey = keyStr.getBytes("UTF-8"); // Convert the raw bytes to a secret key like this DESedeKeySpec keyspec = new DESedeKeySpec(rawkey); SecretKeyFactory keyfactory = SecretKeyFactory.getInstance("DESede"); SecretKey key = keyfactory.generateSecret(keyspec); return key; } public byte[] encryptPin(String pin) { byte[] pinBytes = pin.getBytes(); // pin = "1234567890123456"; byte[] encBytes= null; byte[] decBytes= null; byte[] encPin = null; try { SecretKey key1 = readKey("6194E4CD35B5E4342036D45258F7304BA37136BE90808912"); SecretKey key2 = readKey("23BCA1FB74D2C557506223336F5404CF36555ADD90808915"); SecretKey key3 = readKey("919EE5FB75B3E337406462648F5404BF37155BE908089138"); encBytes = encrypt(pinBytes, key1); decBytes = decrypt(encBytes, key2); encPin = encrypt(decBytes, key3); } catch (Exception e) { e.printStackTrace(); } return encPin; } }

Regards,
Sachin

I might have failed to mention earlier, this is not completely my original code, i did take some help from an online example, unfortunately lost the link to add as a reference.

I am getting a exception when i use three different keys, but it works if all 3 keys are same. Could you please help me to understand what i am doing wrong int the code i copied in my earlier post.

Here's the exception
javax.crypto.BadPaddingException: Given final block not properly padded at com.sun.crypto.provider.SunJCE_h.b(DashoA12275) at com.sun.crypto.provider.SunJCE_h.b(DashoA12275) at com.sun.crypto.provider.DESedeCipher.engineDoFinal(DashoA12275) at javax.crypto.Cipher.doFinal(DashoA12275)

The error means that the byte array passed in was not a multiple of 8 bytes long, which is all that DES and 3DES support. I don't know why you're getting it.

I think you need to check another couple of things, though. The "ede" in DESede means "encrypt, decrypt, encrypt", so the Sun code already does all the work of calling the DES cipher three times (thanks, Pat).

This would have failed because DES and DESede keys are different lengths, but I suspect you're converting "6194E4CD35B5E4342036D45258F7304BA37136BE90808912", etc. into keys incorrectly. This looks like a base-16 (hex) string, so you should be using something like Commons Codecs' Hex class to decode it before creating the key spec.

Because DESede combines two or three DES keys together, you should have just one key:byte[] keybytes = Hex.decode( ("6194E4CD35B5E4342036D45258F7304BA37136BE90808912" + "23BCA1FB74D2C557506223336F5404CF36555ADD90808915" + "919EE5FB75B3E337406462648F5404BF37155BE908089138").getBytes())

Originally posted by Carey Evans:
I suspect you're converting "6194E4CD35B5E4342036D45258F7304BA37136BE90808912", etc. into keys incorrectly.

That is my first guess anytime I see errors like this. I see that the code fragment posted upthread uses String. It is very easy to get all sorts of errors when you use Java String classes. The crypto code is really specified for arrays of octets (which are unsigned bytes). Java doesn't really have an unsigned byte data type, so you have to be very careful to get it right.

Crypto code is tricky. When it works, it takes cleartext and makes it look like garbage. When it doesn't work, it takes cleartext and makes it look like garbage. Its really hard to tell the two versions of garbage apart. Which is the point, since you don't want a bad guy (tm) to be able to process the garbage.

I think looking into padding and base64 encoding will help.
Aryan