New extension for AES encryption


#1

I have rechecked everything and made the extension work again; below are a new link and a demo.

This extension has been revised and is now supported by Tozny’s great work on AES encryption, to which I’m indebted for this project.
The AES 128 is encrypted in CBC mode with PKCS5 padding. The ciphertext and random IV generated during the process are kept together, so there is no need to store the latter somewhere. The integrity of the ciphertext is assured by SHA256, whose digest is kept together with the generated key.

Up to date link:
com.tiziano1960.cryptoextension.aix (28.5 KB)

and here’s the demo
CryptoExtensionDemo.apk (2.2 MB)

How it works:
SetAlgorythm
At present only AES is implemented, so the numeric value possible is “1”

MyPassword
If you want to use a personal password set TRUE else for a random key set FALSE

GenerateStrongKey
attach a password here if MyPassword is TRUE or a blank string if FALSE
then save safely this result somewhere for encryption/decryption process

Encrypt
myPassword param. needs your password if MyPassword is TRUE or a blank string if FALSE
secret param. needs the result of GenerateStrongKey
stringToEncrypt param. needs a string with text to encrypt

Decrypt
myPassword param. needs your password if MyPassword is TRUE or a blank string if FALSE
secret param. needs the result of GenerateStrongKey
stringToDecrypt param. needs a string with a ciphertext generated with Encrypt

Example of use
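
The scheme post #1 describes (AES-128 in CBC mode with PKCS5 padding, a random IV kept with the ciphertext, an integrity check verified on decryption), as an added Java example that is not part of the thread and is not the extension's or Tozny's code. It assumes HMAC-SHA256 as the integrity check, separate encryption and MAC keys, and a constructed `iv:tag:ciphertext` Base64 layout; the class and method names are hypothetical.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration for a desktop JVM; the "iv:tag:ciphertext" layout and all names are assumptions.
public class EncryptThenMacDemo {
    static final SecureRandom RNG = new SecureRandom();
    static Cipher aes(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c;
    }
    static byte[] tag(byte[] macKey, byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(iv);                      // authenticate the IV as well as the ciphertext
        return mac.doFinal(ct);
    }
    static String encrypt(byte[] encKey, byte[] macKey, String plain) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);                   // fresh random IV for every message
        byte[] ct = aes(Cipher.ENCRYPT_MODE, encKey, iv).doFinal(plain.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b = Base64.getEncoder();
        return b.encodeToString(iv) + ":" + b.encodeToString(tag(macKey, iv, ct)) + ":" + b.encodeToString(ct);
    }
    static String decrypt(byte[] encKey, byte[] macKey, String bundle) throws Exception {
        String[] p = bundle.split(":");
        if (p.length != 3) throw new IllegalArgumentException("malformed bundle");
        Base64.Decoder d = Base64.getDecoder();
        byte[] iv = d.decode(p[0]), mac = d.decode(p[1]), ct = d.decode(p[2]);
        if (!MessageDigest.isEqual(mac, tag(macKey, iv, ct)))  // constant-time, checked before decrypting
            throw new SecurityException("integrity check failed");
        return new String(aes(Cipher.DECRYPT_MODE, encKey, iv).doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[16], macKey = new byte[32];   // constructed random keys
        RNG.nextBytes(encKey); RNG.nextBytes(macKey);
        String bundle = encrypt(encKey, macKey, "constructed sample text");
        System.out.println(decrypt(encKey, macKey, bundle));   // round trip
        String[] p = bundle.split(":");
        byte[] ct = Base64.getDecoder().decode(p[2]);
        ct[0] ^= 1;                                            // simulate a corrupted stored ciphertext
        try { decrypt(encKey, macKey, p[0] + ":" + p[1] + ":" + Base64.getEncoder().encodeToString(ct)); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same rejection occurs when the keys supplied at decryption differ from those used at encryption, because the tag is recomputed with the supplied MAC key before any ciphertext is decrypted.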



#2

@Tiziano1960 thanks for your extension


#3

It’s a pleasure! Thank you!


#4

in this case your extension is useless… if someone likes to use encryption, then it should be as safe as possible…

Encrypting strings in Android: Let’s make better mistakes
https://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/

If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code on sites like Stack Overflow, but those examples are wrong. They definitely input a String and output gibberish that looks like encrypted text, but they are subtly insecure and even dangerous. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.

Taifun
https://puravidaapps.com/aes.php


#5

Thanks a lot, @Tiziano1960… really appreciate it.


#6

After a while, I had time to review and totally change the extension. Now the encryption is stronger while the algorithm is the same AES with a 128 keysize. I hope to have improved on the first attempt and maybe, in future, I would like to add more options.
See the first post for the new link.


#7

Empty project with only your extension.
Works fine in the companion but can’t build.


#8

I will check tonight, thanks for your report


#9

There’s a conflict which I’ve not been able to identify, yet. I go on experimenting and searching for a solution.


#10

Here I am; I rechecked my old extension and now it works fine. I enclose a demo too and a new link.
CryptoExtensionDemo.apk (2.2 MB)

here’s the link
com.tiziano1960.cryptoextension.aix (28.5 KB)


#11

@Tiziano1960, I will try it now.

Edit: it works in companion. Does the myPassword value in GenerateStrongKey need to be the same as the myPassword value in Encrypt? Or can I use a different value?


#12

If you want to use a password, it must be the same to generate the key, encrypt and decrypt; the result of block GenerateStrongKey has to be used as parameter secret to decrypt/encrypt.
If you do not want to use a password but an app-generated key (e.g. for an automatic encryption/decryption process, with no user intervention), set MyPassword false and connect a blank text as parameter for every one of the blocks instead of the real pw.
In both cases you should save the generated secret somewhere inside the app (tinyDB, firebase, etc.), because you need to use it for subsequent operations.
A personal password lets you have more security, provided it is not stored inside the app.


#13

Anyway here’s the aia file of the demo
CryptoExtensionDemo.aia (52.8 KB)


#14

Thank you for explaining. So, secret = salt, myPassword = password/key, is my term correct?

If I want the user to generate this salt+key to secure data when communicating with the server, that means that I need to send both the Secret and myPassword values to the server, right? Any ideas how to do this safely?

As for myPassword, I can leave it to the user to fill in, but is it safe to save Secret in tinydb? Is it alright if I save an encrypted Secret inside tinydb with the same general key for all users?

Thank you in advance.


#15

The secret param can be a randomly generated key or a combination of salt/password (when the pw is not null).
I consider this encryption method more useful to store/retrieve data than to share them; if that is the case, you’d better use an asymmetrical encryption algorithm, with a public and private key. Anyway, your secret should be saved, because it is a long string of chars, impossible to keep in mind. It depends on you to choose the best compromise between security and practicality. As for sending it to an external database, I do not think it’s a good idea.


#16

I see. Thanks for explaining, @Tiziano1960 :relaxed:


#17

Hi… I want to decrypt a frame in PHP (server side, not on Android).
Does anyone know how to do it?


#19

@Tiziano1960, I would like to ask for your support with the use of the extension.
I am trying to save the strong key in a file, in order to decrypt some data, also saved in some files on the smartphone with the same strong key.
I would also like to specify that the app is closed and opened again afterwards (this is the reason for the files).

I was able to do this, so I import the file with the data to encrypt and the strong key in order to decrypt them with some files in my app, but what is strange is that the app is not able to decrypt the data.

Is it possible that your extension works only if we generate a new strong key every time that we need to launch the app?

Thanks in advance for your support.
BR,
Ansel’s corp
Global communication team.