
Exchanging encrypted values as request parameters

 
Phani Kumar R
Hi,

I've used old existing code in our project to encrypt and decrypt over HTTP (the encrypted value is being sent as a request parameter).

Then I came to know that we are not supposed to use 'sun.misc.BASE64Encoder'. In addition, the whole operation failed due to encoding/decoding by the browser/container.

Please let me know if there is any API that gives us standard encryption/decryption which can be used over the web without having to worry about 'encoding' (which means no '+', etc. characters in the encrypted value).

Note:
1) Please don't rush; I used both 'encryption' and 'encoding' in my post.

2) My encrypted values were damaged when sent as request parameters due to the presence of the '+' symbol in the encrypted value.

Please help.
 
Rob Spoor
URLEncoder and URLDecoder can be used to encode / decode (better terms than encrypting / decrypting) values for use in URLs. URLEncoder will turn spaces into +, and do all other necessary escaping like %2B instead of a +. URLDecoder will do it the other way around.
 
Phani Kumar R
Thanks for your attention, Rob.

I am afraid you've got it wrong. I was referring to encryption and decryption to exchange sensitive values from server to user, and vice versa, as request parameters.

The problem I've got is this: when I use 'sun.misc.BASE64Encoder', I get an encrypted value something like 'uD2+reYclBs=', which contains a '+' symbol and needs to be encoded while I exchange it with the user. It's becoming a bit complex, and also I should not be using sun.xyz classes.

So I am wondering whether there is any other API which follows web standards, so that the encrypted values will not be damaged by the container. (I was a victim of the container replacing the '+' symbol with a space.)

Thanks.
 
Rob Spoor
Looks like you need a combination of encryption* and encoding / decoding. So first you encrypt*, then you encode that. At the other end, first you decode, then you decrypt.

* 1) you can use Apache Commons Codec for a different base64 encoder / decoder, and 2) base64 is actually very bad encryption. The algorithm is well known, and it does not involve any keys or secrets. Anyone who can monitor your traffic can easily "decrypt" the data.
 
Phani Kumar R
Thank you Rob.

I will explore Apache Commons codec.

- Yeah, I need a combination of encryption and encoding, and the thread is going on here.

- If I am correct, the container is damaging the encrypted value received (in the form of a request param), since there is a clash between standards (the '+' sign appears in the 'encrypted value', whereas it should only be used during encoding).

- So I think it's better to find out whether there is any encryption technique which complies with the standards of web containers, so that they won't damage the value.

Any idea?
 
Rob Spoor
Sheriff
Didn't I already give you a solution? The encrypted value contains characters that are treated specially by the HTTP protocol. The URL encoding transforms these characters into something HTTP allows.
 
Phani Kumar R
Hi,

I have keenly explored the existing code, and I must mention one thing.

- Encryption is being done by Cipher, and the encrypted value is then encoded using 'sun.misc.BASE64Encoder'. I was confused here.

- Rob, you mentioned that I may use URLEncoder instead. Now I understand why you were specifying it.

- Now, the problem I've got is that this 'encrypted & encoded' value is being decoded at one stage. I must avoid it.

- So, is there any encoding technique which makes it impossible for any URL decoders (container, etc.) to decode the text, but which still makes it possible to exchange the values using request parameters?
 
Rob Spoor
You don't need to worry about other people decoding your message. It's still encrypted.

The sending part involves 3 steps:
- encrypting the data.
- converting the encrypted data into base64.
- encoding the base64 data so it can be sent.

The receiving part involves the inverted steps:
- decoding the request data back into base64; anyone can do this.
- convert the base64 back into the encrypted data; anyone can do this.
- decrypting the encrypted data; and this is where your security lies. They need your key(s) to be able to decrypt the data. Unless they break your encryption, but that should be quite hard if you don't choose too weak an encryption algorithm.

Let them get the encrypted data for all you care. They can't do much with it.
 
Phani Kumar R
Thank you very much, Rob. Now everything is clear.

A slightly digressing question.

-> I am just wondering which 'encoding' technique is used for jsessionid. It contains only letters and numbers, no special characters. That (or a similar) kind of encoding seems to be a perfect match for my situation, since it results in no special characters at all.
