Need some suggestions on encryption / decryption code and process
I am using the code below to provide file encryption of highly secure data on Sun servers. Below is strictly an example of my encryption / decryption algorithms stripped to the minimum and embedded in main(). The code works fine and performs as it should. Here are a few questions I have for our specific environment:
We have a requirement that a minimum of 2 key custodians be used to
know the passphrase (i.e. no one individual would know the enitre key - in this implementation, the 16 byte String used in enc_key. - I am planning on having two individuals supporting 64 bits of the passphrase - combined providing the 128 bits required for AES-128). Is there a better way of doing this? I know in Enterprise databases there tends to be multiple keys / master keys / certificates to implement this level of key management. I initially am trying to keep this as simple as possible, but without compromising security. The 128 bit passphrase is strictly stored in memory on our servers, and must be keyed in manually by each of the two key custodians (this can be done with the key custodians at different locations, and entering the keys at different times -- the full blown service does not start until each operator has provided their half). I am also supporting code methods that allow changing of the passphrase, and full re-encryption of the encrypted file storage area, real-time. Does anyone see in security flaws with this process - again, I know a key management package might simplify things, but this is the initial route we are going down. We just don't want to compromise security. Any feedback is appreciated.
import java.io.*;
import java.net.*;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.Cipher;
import java.security.Security;
import javax.crypto.spec.SecretKeySpec;
publicclass Enc1
{
publicstaticvoid main(String[] args)throws Exception
{
byte[] data ="this is a test !!!!!!!".getBytes();
SecretKeySpec enc_key =new SecretKeySpec("abcdefghijklmnop".getBytes(),"AES");
Cipher enc_cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
enc_cipher.init(Cipher.ENCRYPT_MODE, enc_key);
byte[] enc =newbyte[enc_cipher.getOutputSize(data.length)];
System.out.println(enc.length);
int size1 = enc_cipher.update(data, 0, data.length, enc, 0);
enc_cipher.doFinal(enc, size1);
SecretKeySpec dec_key =new SecretKeySpec("abcdefghijklmnop".getBytes(),"AES");
Cipher dec_cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
dec_cipher.init(Cipher.DECRYPT_MODE, dec_key);
byte[] dec =newbyte[dec_cipher.getOutputSize(enc.length)];
System.out.println(dec.length);
int size2 = dec_cipher.update(enc, 0, enc.length, dec, 0);
int size3 = dec_cipher.doFinal(dec, size2)
System.out.println(new String(enc));
System.out.println(enc.length);
System.out.println(new String(dec));
System.out.println(dec.length);
}
}
