encryption in Oracle, decryption in Java

[schw]

Hi

I encountered a problem not sure how to solve it. please help if
possible.

in oracle9 I do a simple encryption (using DES) that gives me the
following RAW:

F26D94ECDACDBD111584C7A8A9018A5C

when decrypted I get 36463643363133313332333333343335 which is
correct.

However in java when I try decrypting the
'F26D94ECDACDBD111584C7A8A9018A5C' I get this:

3646364336313331c15fa7dfe9f98e24

First 8 bytes are exactly the same, the other 8 bytes differ, why ?

In Java I use the following code:

Cipher dcipher = null;

dcipher = Cipher.getInstance("DES/ECB/NoPadding");

SecretKey myKey = new SecretKeySpec(_key, "DES");

dcipher.init(_cryptMode, myKey);

return dcipher.doFinal(_buffer);

Obviously keys in both encryption and decryption are the same.

Thanks for any hints.

 

[rossum]

Hi

I encountered a problem not sure how to solve it. please help if
possible.

in oracle9 I do a simple encryption (using DES) that gives me the
following RAW:

Why DES? AES is faster and more secure.

F26D94ECDACDBD111584C7A8A9018A5C

when decrypted I get 36463643363133313332333333343335 which is
correct.

However in java when I try decrypting the
'F26D94ECDACDBD111584C7A8A9018A5C' I get this:

3646364336313331c15fa7dfe9f98e24

This example is now insecure and must be changed in your production
system.

First 8 bytes are exactly the same, the other 8 bytes differ, why ?

DES has a 8 byte blocksize. You are probably using different block
cypher modes at each end so the decryption fails. Given that the
first block decrypts correctly using ECB, it is possible that the
Oracle encryption is CBC with a zero initialisation vector (IV).
Decrypting that with ECB will give the effect you describe.

In Java I use the following code:

Cipher dcipher = null;

dcipher = Cipher.getInstance("DES/ECB/NoPadding");

ECB mode is not secure, I would be surprised if the Oracle code is
using plain ECB. For a literal illustration of the insecurity of ECB
see http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Try changing to CBC mode:
Cipher dcipher = Cipher.getInstance("DES/CBC/NoPadding");
^^^

CBC mode is more common and more secure than ECB. As I said above,
using ECB to decrypt CBC with a zero IV will give one block of
plaintext followed by gibberish. Using a zero IV is somewhat
insecure, but less insecure than ECB.

You can also try any other modes that your Java implementation allows.
If none of them work then try to find out what mode the Oracle
encryption is using.

Added: I have done a quick hand calculation for the first three bytes
of the second block, my conjecture is probably correct - it looks as
if Oracle is encrypting in CBC mode with a zero IV.

rossum