update SessionEncryption to use IAIK JCE and salt for encryption

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-31 08:42:39 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-31 08:42:39 +0100
commit: 9e75e06b799e2baeae88a9e4b0e16acf0e292965 (patch)
tree: d205ff7b71a70b3e8672fd8acd97107013eaa7a9 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
parent: d4a8d57e4cd10fc7e427f936983ae7c28aa6eab2 (diff)
download: moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.tar.gz
moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.tar.bz2
moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.zip
1 files changed, 46 insertions, 16 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
index 4b7e46ce7..acc2a7273 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
@@ -22,34 +22,58 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.util;
 
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
+
+import java.security.SecureRandom;
 import java.security.spec.KeySpec;
 
 import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
 
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.data.EncryptedData;
 import at.gv.egovernment.moa.logging.Logger;
 
 public class SessionEncrytionUtil {
 
-	static SecretKey secret = null;
-
+	private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+	private static final String KEYNAME = "AES";
+	
+	static private SecretKey secret = null;
+	
 	static {
 		try {
 			String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
 			
 			if (key != null) {
-				SecretKeyFactory factory;
 
-					factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
-					KeySpec spec = new PBEKeySpec(key.toCharArray(), "TestSALT".getBytes(), 1024, 128);
-					SecretKey tmp = factory.generateSecret(spec);
-					secret = new SecretKeySpec(tmp.getEncoded(), "AES");
+					PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
+					SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
+					PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
+					
 					
+					SecureRandom random = new SecureRandom();
+					KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
+					
+					PBEKeyAndParameterSpec parameterSpec =
+							   new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
+									   					  "TestSALT".getBytes(),
+							                              2000,
+							                              16);
+						
+					pbkdf2.init(parameterSpec, random);
+					SecretKey derivedKey = pbkdf2.generateKey();
+					
+					SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
+					SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
+					secret = kf.generateSecret(spec);
 					
 			} else {
 				Logger.warn("MOASession encryption is deaktivated.");
@@ -61,41 +85,47 @@ public class SessionEncrytionUtil {
 		
 	}
 	
-	public static byte[] encrypt(byte[] data) throws BuildException {
+	public static EncryptedData encrypt(byte[] data) throws BuildException {
 		Cipher cipher;
 		
 		if (secret != null) {
 			try {
-				cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding");
+				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
 			    cipher.init(Cipher.ENCRYPT_MODE, secret);
 				
 			    Logger.debug("Encrypt MOASession");
-			    return cipher.doFinal(data);
+			    
+			    byte[] encdata = cipher.doFinal(data);
+			    byte[] iv = cipher.getIV();
+			    
+			    return new EncryptedData(encdata, iv);
 			    
 			} catch (Exception e) {
 				Logger.warn("MOASession is not encrypted",e);
 				throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
 			}
 		} else
-			return data;
+			return new EncryptedData(data, null);
 	}
 	
-	public static byte[] decrypt(byte[] data) throws BuildException {
+	public static byte[] decrypt(EncryptedData data) throws BuildException {
 		Cipher cipher;
 		
 		if (secret != null) {
 			try {
-				cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding");
-			    cipher.init(Cipher.DECRYPT_MODE, secret);
+				IvParameterSpec iv = new IvParameterSpec(data.getIv());
+				
+				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+			    cipher.init(Cipher.DECRYPT_MODE, secret, iv);
 				
 			    Logger.debug("Decrypt MOASession");
-			    return cipher.doFinal(data);
+			    return cipher.doFinal(data.getEncData());
 			    
 			} catch (Exception e) {
 				Logger.warn("MOASession is not decrypted",e);
 				throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
 			}
 		} else
-		return data;
+		return data.getEncData();
 	}
 }
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-31 08:42:39 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-31 08:42:39 +0100
commit	9e75e06b799e2baeae88a9e4b0e16acf0e292965 (patch)
tree	d205ff7b71a70b3e8672fd8acd97107013eaa7a9 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
parent	d4a8d57e4cd10fc7e427f936983ae7c28aa6eab2 (diff)
download	moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.tar.gz moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.tar.bz2 moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.zip