
Is this AES encryption secure enough?

I got this code from http://www.ravenblast.com/index.php/blog/android-password-text-encryption/ and, although it works, I have a growing suspicion it's not secure enough. There isn't any initialization vector, which seems to be necessary according to other sources.

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Base64 (encodeBytes/decode) is a helper class that this snippet does not show.

public static String encrypt(String toEncrypt, byte[] key) throws Exception {
    SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
    // No mode or padding is named here, and no IV is passed to init().
    Cipher cipher = Cipher.getInstance("AES");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
    byte[] encryptedBytes = cipher.doFinal(toEncrypt.getBytes());
    String encrypted = Base64.encodeBytes(encryptedBytes);
    return encrypted;
}

public static String decrypt(String encryptedText, byte[] key) throws Exception {
    SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
    Cipher cipher = Cipher.getInstance("AES");
    cipher.init(Cipher.DECRYPT_MODE, skeySpec);
    byte[] toDecrypt = Base64.decode(encryptedText);
    // doFinal() in DECRYPT_MODE returns the plaintext bytes.
    byte[] decrypted = cipher.doFinal(toDecrypt);
    return new String(decrypted);
}
user2083242 asked Feb 18 '13 12:02



1 Answer

Yes, it's not very secure. There is no IV because there is no block chaining.

The AES algorithm can only encrypt blocks of 128 bytes, no matter the size of the key (it is unrelated). How those blocks are chained together is another problem. The simplest approach is to encrypt each block separately from the others (ECB mode), like they were separate messages. The Wikipedia article I linked tells you when and why this is not secure, and other methods (namely, CBC mode) are preferred.

When you do Cipher cipher = Cipher.getInstance("AES"); you are given an AES cipher in ECB mode. There is no immediate danger, but if your messages have recurring patterns this can lead to situations like the following:

Original: [image] Encrypted: [image]

gd1 answered Oct 02 '22 23:10
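The recurring-pattern effect described in the answer can be reproduced on raw bytes. The following is an added example, not code from the question, the answer or the linked blog post: it encrypts two identical 16-byte blocks with the question's `Cipher.getInstance("AES")` call and with CBC using a random IV prepended to the ciphertext. The class name, helper names and sample data are assumptions made for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class EcbVsCbcDemo {
    // Same call as in the question; as the answer notes, this yields ECB mode.
    static byte[] encryptEcb(byte[] plain, byte[] key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(plain);
    }

    // CBC with a fresh random IV per message; the IV is not secret and is prepended.
    static byte[] encryptCbc(byte[] plain, byte[] key) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] body = cipher.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + body.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        return out;
    }

    // Reads the IV back from the first 16 bytes, then decrypts the rest.
    static byte[] decryptCbc(byte[] ivAndBody, byte[] key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new IvParameterSpec(ivAndBody, 0, 16));
        return cipher.doFinal(ivAndBody, 16, ivAndBody.length - 16);
    }
    // True when the 16-byte blocks at indices a and b of ct are identical.
    static boolean sameBlock(byte[] ct, int a, int b) {
        return Arrays.equals(Arrays.copyOfRange(ct, a * 16, a * 16 + 16),
                             Arrays.copyOfRange(ct, b * 16, b * 16 + 16));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];   // constructed demo key, random on each run
        new SecureRandom().nextBytes(key);
        byte[] plain = new byte[32]; // constructed sample: two identical 16-byte blocks
        Arrays.fill(plain, (byte) 'A');
        byte[] ecb = encryptEcb(plain, key), cbc = encryptCbc(plain, key);
        System.out.println("ECB: blocks 0 and 1 identical = " + sameBlock(ecb, 0, 1));
        System.out.println("CBC: blocks 1 and 2 identical = " + sameBlock(cbc, 1, 2));
        System.out.println("CBC round trip ok = " + Arrays.equals(plain, decryptCbc(cbc, key)));
    }
}
```

CBC with a random IV hides repeated blocks but does not detect tampering with the ciphertext; where the platform offers it, an authenticated mode such as `AES/GCM/NoPadding` covers both.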