Bouncy Castle's Password Based Encryption With AES in CBC mode

Question

I've recently came across a piece of code that uses BouncyCastle's PBE with AES in CBC mode ("PBEWithSHA1And256BitAES-CBC-BC").

public static final String ALGORITHM = "PBEWithSHA1And256BitAES-CBC-BC";

public static byte[] encrypt(final byte[] key, final byte[] salt, final byte[] plainText) throws CryptoException {
    try {
        // Create the encryption key
        final SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(ALGORITHM, "BC");
        final PBEKeySpec keySpec = new PBEKeySpec(new String(key).toCharArray());
        final SecretKey secretKey = keyFactory.generateSecret(keySpec);

        // Encrypt the plain text
        final PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, ITERATIONS);
        final Cipher cipher = Cipher.getInstance(ALGORITHM, "BC");
        cipher.init(Cipher.ENCRYPT_MODE, secretKey, cipherSpec);
        final byte[] encryptedBytes = cipher.doFinal(plainText);

        return encryptedBytes;

    } catch (final Throwable t) {
        throw new CryptoException(t.toString());
    }
}

As you can see, this code doesn't specify a proper IV to execute the AES CBC encryption.

I don't know how to specify the salt, number of iterations and the IV to be used to the cipher.

How should I do that?

Thank you.

Answer 1

You can use jasypt (java simple encryption) PBEWithSHA1And256BitAES-CBC-BC

the sample code is shown as below:

StandardPBEStringEncryptor myFirstEncryptor = new StandardPBEStringEncryptor();                                                                                                      
myFirstEncryptor.setProvider(new BouncyCastleProvider());                                                                                                    

myFirstEncryptor.setAlgorithm("PBEWITHSHA256AND256BITAES-CBC-BC");                                                                                         




FixedStringSaltGenerator generator = new FixedStringSaltGenerator();                                                                                         
generator.setSalt("justAnotherSaltforGX");
//myFirstEncryptor.setSaltGenerator(new ZeroSaltGenerator());                                                                                                    

myFirstEncryptor.setSaltGenerator(generator);                                                                                                                    

myFirstEncryptor.setKeyObtentionIterations(1);                                                                                                               
String myPassword="creditCard";                                                                                                                              
myFirstEncryptor.setPassword(myPassword);                                                                                                                    


String myText="Redeem Gacha ";                                                                                                         
String myFirstEncryptedText = myFirstEncryptor.encrypt(myText);                                                                                              

System.out.println("myFirstEncryptedText AES encrypt=="+myFirstEncryptedText);                                                                               

System.out.println("myFirstEncryptedText AES decrypt =="+myFirstEncryptor.decrypt(myFirstEncryptedText));

Answer 2

Using Jasypt and BouncyCastle 1.51 (SpongyCastle), I could have used of the following

Algorithm: PBEWITHSHAAND128BITAES-CBC-BC
Algorithm: PBEWITHSHAAND192BITAES-CBC-BC
Algorithm: PBEWITHSHAAND256BITAES-CBC-BC
Algorithm: PBEWITHSHA256AND128BITAES-CBC-BC
Algorithm: PBEWITHSHA256AND192BITAES-CBC-BC
Algorithm: PBEWITHSHA256AND256BITAES-CBC-BC
Algorithm: PBEWITHMD5AND128BITAES-CBC-OPENSSL
Algorithm: PBEWITHMD5AND192BITAES-CBC-OPENSSL
Algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
Algorithm: PBEWITHMD5AND128BITAES-CBC-OPENSSL
Algorithm: PBEWITHMD5AND192BITAES-CBC-OPENSSL
Algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
Algorithm: PBEWITHSHAAND128BITAES-CBC-BC
Algorithm: PBEWITHSHAAND192BITAES-CBC-BC
Algorithm: PBEWITHSHAAND256BITAES-CBC-BC
Algorithm: PBEWITHSHA256AND128BITAES-CBC-BC
Algorithm: PBEWITHSHA256AND192BITAES-CBC-BC
Algorithm: PBEWITHSHA256AND256BITAES-CBC-BC

And this way it was quite easy

    StandardPBEByteEncryptor strongBinaryEncryptor = new StandardPBEByteEncryptor();
    strongBinaryEncryptor.setAlgorithm("PBEWITHSHAAND192BITAES-CBC-BC");
    strongBinaryEncryptor.setKeyObtentionIterations(1000);
    strongBinaryEncryptor.setProviderName(BouncyCastleProvider.PROVIDER_NAME);
    strongBinaryEncryptor.setPassword(password);

    byte[] encryptedBytes = strongBinaryEncryptor.encrypt(password);

You can set SaltGenerator too.

Answer 3

I think that if you want to use an IV, you will need to generate a random key and encrypt it at the spot where you now encrypt the plain text. You can then use that to encrypt the data, using IvParameterSpec to specify the IV. Of course, you do need to store the encrypted key and the IV next to the data that you have encrypted. This is only required if you encrypt more than one plaintext with the same key though.