Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
258 views
in Technique[技术] by (71.8m points)

java - Double encryption

I am using https://github.com/simbiose/Encryption to encrypt data in my android app.

I thought of double encryption.

String key = "key";
String salt = "someSalt";
byte[] iv = new byte[16];
Encryption encryption = Encryption.getDefault(key, salt, iv);

String encrypted = encryption.encryptOrNull("Some String");

Log.d("Encrypto", "Encryption Level 1 : "+encrypted);

encrypted = encryption.encryptOrNull(encrypted);

Log.d("Encrypto", "Encryption Level 2 : "+encrypted);

String decrypted = encryption.decryptOrNull(encrypted);

Log.d("Encrypto", "Decryption Level 2 : "+decrypted);

decrypted = encryption.decryptOrNull(decrypted);

Log.d("Encrypto", "Decryption Level 1 : "+decrypted);

This works perfectly, but is it recommended?

  1. yes this increases the memory usage to store the encrypted string, but if it makes it more secure, using more memory is pretty okay.
  2. Will i face some problems if i do this ?

Main question: is this a good encryption library? if not please recommend me a better one

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Do you really need to encrypt the data?

https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html

Why do you want double encryption? There are better ways - for example, a longer key - to add resistance against people performing offline brute force attacks on cipher text.

"Security through obscurity" is a no-no. Go back to the basics of what you need (key length, block size, mode of encryption, when to use a symmetric or asymmetric key) etc.

As you are writing an Android app, I would question..

  • The library is written in Java and makes Java system calls. That will be simple to reverse / hook system calls. Does adding a longer key help harden your app when you can dump the key by hooking an Android system call?
  • your Android Java code is de-compiled to "almost" source code or back to Smali code - then modified - and then re-compiled?
  • How are you intending to distribute the key ? Run-time or statically baked into the code? Is it random or the same key for all app users?
  • Can you leverage Android hardware to persist and protect your key, instead of just having the key in software? https://source.android.com/security/keystore/

If it was my app && I cared about Confidentiality I would use hardware backed encryption (accepting that some older Android devices might not support it) OR use a Native (C) encryption library. The latter gets you wide device support but introduces other issues (JNI boundary, code lifting).

In summary, introducing encryption sounds simple. But do you really need it when it just highlights something interesting is being protected?

PS - You may want to re-post this question on: https://security.stackexchange.com/


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

1.4m articles

1.4m replys

5 comments

57.0k users

...