Dear Sirs et Madames,
I am trying to create a Java application which takes a userID and then encrypts it. The code am using is just something I picked up off the net, I have NO experience with encryption. The problem is that even though the string to be encrypted should (and always will be) 10 characters long, the result is always 24 characters. Considering that the encrypted result will be transformed into a barcode, that creates a rather large barcode, unsuitable for my needs. Am sure there must be a way whereby I encrypt a 10 character string and get back a ten character encrypted version? The code I have is as below:

import java.io.IOException; import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import javax.crypto.BadPaddingException; import javax.crypto.Cipher; import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; import sun.misc.BASE64Decoder; import sun.misc.BASE64Encoder; /** * * */ public class CryptoMessage { private SecretKey key; private void generateKey() throws NoSuchAlgorithmException { String keyString ="matako"; // I made this key up by the way! byte[] keyB = new byte[24]; // a Triple DES key is a byte[24] array for (int i = 0; i < keyString.length() && i < keyB.length; i++) { keyB[i] = (byte) keyString.charAt(i); } // Make the Key key = new SecretKeySpec(keyB, "DESede"); } private String encrypt(String message) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, UnsupportedEncodingException { // Get a cipher object. Cipher cipher = Cipher.getInstance("DESede/ECB/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); // Gets the raw bytes to encrypt, UTF8 is needed for // having a standard character set byte[] stringBytes = message.getBytes("UTF8"); // encrypt using the cypher byte[] raw = cipher.doFinal(stringBytes); // converts to base64 for easier display. BASE64Encoder encoder = new BASE64Encoder(); String base64 = encoder.encode(raw); return base64; } private String decrypt(String encrypted) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, IOException { // Get a cipher object. Cipher cipher = Cipher.getInstance("DESede/ECB/PKCS5Padding"); cipher.init(Cipher.DECRYPT_MODE, key); //decode the BASE64 coded message BASE64Decoder decoder = new BASE64Decoder(); byte[] raw = decoder.decodeBuffer(encrypted); //decode the message byte[] stringBytes = cipher.doFinal(raw); //converts the decoded message to a String String clear = new String(stringBytes, "UTF8"); return clear; } public CryptoMessage(String message) { try { System.out.println("clear message: " + message); if(key == null){ generateKey(); } System.out.println("key: " + key); String encrypted = encrypt(message); System.out.println("encrypted message: " + encrypted); String decrypted = decrypt(encrypted); System.out.println("decrypted message: " + decrypted); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (NoSuchPaddingException e) { e.printStackTrace(); } catch (InvalidKeyException e) { e.printStackTrace(); } catch (UnsupportedEncodingException e) { e.printStackTrace(); } catch (IllegalBlockSizeException e) { e.printStackTrace(); } catch (BadPaddingException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } } /** * * @param args */ public static void main(String[] args) { new CryptoMessage("KIB2001002"); } }

From what I understand, a triple DES key has to be a 24 byte array. What are the alternatives so that the encrypted version I get back is of the same number of characters (or less, if possible) than the original text?

Also, I am not sure as to how well suited this solution is to my problem. Will different Java Virtual Machines produce different keys, meaning that multiple installations will not be able to reproduce the same encryption given the same keyString?

Is there a simpler solution, considering that the only thing I desire is that the USER_ID is obfuscated to the human eye (doctors, nurses, prying eyes cannot tell WHO these blood results belong to, only the system can). In which case is there not a simple(r) obfuscation algorithm I could use?



Thanks in advance,
Tumaini

For something as sensitive as medical data, onfiscation won't do - you must use encryption. Make sure you understand all the legal requirements of handling medical data.

Encryption algorithms work the same across JVMs. As long as you're using the same key, it should work on whichever JVM the code runs on.

Is there an actual problem with handling 24 characters? Since you're using base-64 on the result, it will always be longer than what you started with.

Lastly, Triple-DES has fallen out of favor as it's kind of dated. Consider using AES instead: http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html