en-/decrypting files with java

Thread view:

gbgkille69@spray.se - 20 Mar 2006 08:59 GMT

Hello,

I wrote an application to encrypt files with help of java.

I use PBEWithMD5AndTripleDES, 8-byte Salt, iterationCount = 1000;

I takes only a few seconds to crypt a 100 mb file but when I do the
same with e.g. czip it takes almost a minute?

How "secure" is my encrypted file? should I use some other method than
PBEWithMD5AndTripleDES? and which paramters in that case?

Also how future prove are files encrypted with java. I use it to store
personal data on cd roms. Will I be able to decrypt files in 5, 10
years?

Do you have any experiences?

What else could you suggest? It is for my private and personal use so I
don't want to spent much money. Furthermore it should be possible to
run in command line mode.

Thanks in advance.

Reply to this Message

Oliver Wong - 20 Mar 2006 22:00 GMT

> Hello,
>
[quoted text clipped - 7 lines]
> How "secure" is my encrypted file? should I use some other method than
> PBEWithMD5AndTripleDES? and which paramters in that case?

If it's for your "private and personal use" (as you mention later on in
your post), presumably, you won't have highly skilled cryptanalyst trying to
defeat your system. What do you intend to use it for? E.g. keeping younger
siblings from messing with your stuff? e-mailing encrypted documents to
friends "just for fun"? Something else?

> Also how future prove are files encrypted with java. I use it to store
> personal data on cd roms. Will I be able to decrypt files in 5, 10
> years?

Well, what if Sun suddenly decides to change the implementation of their
encryption API so as not to be backwards compatible? If you can decrypt the
files now, you should be able to decrypt them again in 10 years, unless the
decryption program uses the current time or date as part of its logic.

> Do you have any experiences?
>
> What else could you suggest? It is for my private and personal use so I
> don't want to spent much money. Furthermore it should be possible to
> run in command line mode.

Encryption is tough to get right. If you really want security, use an
established implementation like GPG.

- Oliver

Reply to this Message

Alun Harford - 21 Mar 2006 05:40 GMT

> Hello,
>
[quoted text clipped - 7 lines]
> How "secure" is my encrypted file? should I use some other method than
> PBEWithMD5AndTripleDES? and which paramters in that case?

Providing you trust the implementation, and that you've got the parameters
right, and that the key isn't going to walk, etc, etc, etc...
Then it's as secure as 3DES. The NSA was heavily involved in creating DES,
and is known to be hostile to civilian crypto (Clipper, etc). DES is
convoluted enough that it could well have been designed to have a subtle
weakness. It seems like a reasonable (if paranoid) assumption that the NSA
and their ilk have broken 3DES.
Civilians are probably 20 to 25 years behind the security services in
crypto, so you can assume (if you're a paranoid person - and in security,
you should be) that the file WILL be readable by anybody in about 20 years,
and possibly sooner.

However, I'd be far more worried about more subtle attacks. If you're trying
to protect yourself against a serious attacker, I'd bet you have no
protection against Tempest threats, or a legal threats, or simply breaking
your door down and putting a gun to your head and demanding the key. If your
opponent isn't serious, why do you care how strong your crypto scheme is?

This isn't an easy thing to get right. Adding crypto doesn't usually add any
real security.

Alun Harford

Reply to this Message

en-/decrypting files with java

Free Magazines