Posted to dev@wicket.apache.org by GitBox <gi...@apache.org> on 2021/02/15 12:46:53 UTC

[GitHub] [wicket] papegaaij edited a comment on pull request #462: WICKET-6864 updated crypt configuration

papegaaij edited a comment on pull request #462:
URL: https://github.com/apache/wicket/pull/462#issuecomment-779200758


   I like the idea. The new implementation has one problem though: the IV must be random on every encryption step. Most importantly, you should never encrypt the same data twice with the same IV. You can think of the IV as a salt for your encryption. It ensures that the same data encrypts to different values every time. It is common practice to store the IV together with the ciphertext. The code we use in our application for AES256 is like this:
   
   ```java
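   import java.security.AlgorithmParameters;
   import java.security.GeneralSecurityException;
   import java.security.SecureRandom;
   import javax.crypto.Cipher;
   import javax.crypto.SecretKey;
   import javax.crypto.spec.IvParameterSpec;
   // Assumption: Bytes is Guava's byte-array helper.
   import com.google.common.primitives.Bytes;
   
   public byte[] encrypt(SecureRandom rnd, SecretKey key, byte[] plaintext) throws GeneralSecurityException {
       Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
       // No IV is passed in, so the cipher generates a fresh random one from rnd.
       cipher.init(Cipher.ENCRYPT_MODE, key, rnd);
       AlgorithmParameters params = cipher.getParameters();
       byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
       byte[] ciphertext = cipher.doFinal(plaintext);
       // Store the IV together with the ciphertext: IV || ciphertext.
       return Bytes.concat(iv, ciphertext);
   }
   
   public byte[] decrypt(SecureRandom rnd, SecretKey key, byte[] cipherInput) throws GeneralSecurityException {
       if (cipherInput.length < 16) {
           throw new GeneralSecurityException("input is shorter than the 16-byte IV");
       }
       // Split the input back into the 16-byte IV and the ciphertext.
       byte[] iv = new byte[16];
       byte[] ciphertext = new byte[cipherInput.length - 16];
       System.arraycopy(cipherInput, 0, iv, 0, iv.length);
       System.arraycopy(cipherInput, 16, ciphertext, 0, ciphertext.length);
   
       Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
       cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv), rnd);
       return cipher.doFinal(ciphertext);
   }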
   ```


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
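
The point made in the comment above, shown as an added example (not code from the Wicket project or from the commenter): with AES/CBC, the same key, IV and plaintext always produce the same ciphertext, while a fresh random IV stored in front of the ciphertext gives a different result on every call and still decrypts. The class name `IvReuseDemo`, its method names and the sample message are constructed for illustration; only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Hypothetical demo class; all names and sample data are constructed.
public class IvReuseDemo {
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    private static final int IV_LEN = 16; // AES block size in bytes

    // Encrypts with a caller-supplied IV and returns IV || ciphertext.
    static byte[] encryptWithIv(SecretKey key, byte[] iv, byte[] plaintext) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Encrypts with a fresh random IV on every call.
    static byte[] encryptRandomIv(SecureRandom rnd, SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        rnd.nextBytes(iv);
        return encryptWithIv(key, iv, plaintext);
    }

    // Reads the IV from the first 16 bytes and decrypts the rest.
    static byte[] decrypt(SecretKey key, byte[] input) throws GeneralSecurityException {
        if (input.length < IV_LEN) throw new GeneralSecurityException("input shorter than IV");
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(input, 0, IV_LEN));
        return cipher.doFinal(input, IV_LEN, input.length - IV_LEN);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        SecureRandom rnd = new SecureRandom();
        byte[] msg = "page=Home&id=42".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] fixedIv = new byte[IV_LEN]; // all zeros, reused on purpose
        byte[] a = encryptWithIv(key, fixedIv, msg), b = encryptWithIv(key, fixedIv, msg);
        byte[] c = encryptRandomIv(rnd, key, msg), d = encryptRandomIv(rnd, key, msg);
        System.out.println("fixed IV, ciphertexts equal:  " + Arrays.equals(a, b));
        System.out.println("random IV, ciphertexts equal: " + Arrays.equals(c, d));
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(key, c)));
    }
}
```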