Stephan van Hulst wrote: There's no real point to using password based encryption if no password is being entered by a user. PooledPBEStringEncryptor internally uses an algorithm that follows the PKCS #5 RFC, which contains recommendations for encrypting data using passwords, such as making the encryption process more expensive than it could be when the encryption key is only present on the server. I took a quick look at Jasypt and it appears they only support password based encryption. I recommend dropping it and just using the standard API's Cipher class.
If your Java and PHP applications will be running on the same server, you can just generate an AES key once and store it in a file that is accessible by both applications. There might be an easy way to read a Java KeyStore file in PHP, but if not then you can easily just write your own format. I believe openssl_decrypt accepts a Base64 encoded key, so if you store the key using a custom file format, the format could just be the encryption key as Base64.
The salt must not be hard-coded, and it must not be a fixed value. Java's Cipher class will automatically generate an initialization vector (IV, another name for salt). You can get the IV from the cipher when you encrypt and then either add it to the front of the encrypted message or store it in a separate column in your table. To decrypt it in PHP, cut the IV from the front of the encrypted message or retrieve it from the table and use it for the salt parameter of the openssl_decrypt function.
Which encryption algorithm to use strongly depends on what you're going to do with the encrypted message afterwards. If the database that you store the encrypted message in will always be located on the same machine as the two applications, then you can use unauthenticated encryption, such as "AES-256-CBC" ("AES/CBC/PKCS5Padding" in Java). If the database can be on an untrusted machine, or accessed through an untrusted network, or if the encrypted messages are otherwise accessible by untrusted applications, then you must use authenticated encryption. A good default algorithm to use is "AES-256-GCM" ("AES/GCM/PKCS5Padding" in Java).
Castiel Snow wrote: 1) The Java part is a desktop app that runs in multiple nodes. Does that Cipher solution still apply?
2) The database is in the cloud, always in the same place, but the Java desktop app isn't. The PHP file isn't on the same server either.
Hmm, if possible, could you post a small code snippet to point me in the right direction?
PS: I should have picked a crypto course on my master's degree. I regret it so much rn.
Castiel Snow wrote: 1- In the same database but in a different schema. What happens is that, depending on the user login, it points to a different schema.
2- The admin is just another Java app that encrypts the information and stores it there.
3- The admin app just runs on my machine.
4- Because I'm a solo dev, I don't have time to implement a web service to be the middleware.