{"id":529,"date":"2009-06-12T10:08:55","date_gmt":"2009-06-12T16:08:55","guid":{"rendered":"http:\/\/www.mooreds.com\/wordpress\/archives\/000529"},"modified":"2009-06-13T09:44:00","modified_gmt":"2009-06-13T15:44:00","slug":"gwt-encryption-options","status":"publish","type":"post","link":"https:\/\/www.mooreds.com\/wordpress\/archives\/529","title":{"rendered":"GWT encryption options"},"content":{"rendered":"<p>I was looking for an encryption package for GWT.\u00a0 A client had some mildly private information that they wanted to encrypt in transmission.\u00a0 Now, of course, this is ultimately futile.\u00a0 Anyone who wants to get at this information can, because we send the source code (however obfuscated) that decrypts the information to the client.\u00a0 To borrow Cory Doctorow&#8217;s words, <a href=\"http:\/\/craphound.com\/msftdrm.txt\">the attacker is also the recipient<\/a>.\u00a0 But sometimes just making the information inconvenient to get is good enough.<\/p>\n<p>I looked at a couple of encryption options.\u00a0 There are a couple of nice JavaScript libraries that do encryption: <a href=\"http:\/\/github.com\/markpercival\/gibberish-aes\/tree\/master\">Gibberish-AES<\/a> and <a href=\"https:\/\/sourceforge.net\/projects\/clipperzlib\">javascript.crypto.library<\/a>, but they have no GWT hooks (and javascript.crypto.library is released under the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Affero_General_Public_License\">AGPL<\/a>, which has some unclear legal ramifications).<\/p>\n<p>However, there is a project from about two years ago that does Triple DES encryption and is written in pure GWT.\u00a0 It&#8217;s even called <a href=\"http:\/\/code.google.com\/p\/gwt-crypto\/\">gwt-crypto<\/a>.\u00a0 Unfortunately, it hasn&#8217;t been maintained recently.\u00a0 I was able to download the files, apply a fix (for <a href=\"http:\/\/code.google.com\/p\/gwt-crypto\/issues\/detail?id=1\">issue #1<\/a>) and move some files around in such a way that it 
works.<\/p>\n<p>Here&#8217;s how you use it:<\/p>\n<p>On the server:<br \/>\n<code>TripleDesCipher cipher = new TripleDesCipher();<br \/>\ncipher.setKey(Constants.GWT_DES_KEY);<br \/>\nString enc = \"\";<br \/>\ntry {<br \/>\nenc = cipher.encrypt(String.valueOf(value));<br \/>\n} catch (DataLengthException e1) {<br \/>\ne1.printStackTrace();<br \/>\n} catch (IllegalStateException e1) {<br \/>\ne1.printStackTrace();<br \/>\n} catch (InvalidCipherTextException e1) {<br \/>\ne1.printStackTrace();<br \/>\n}<\/code><\/p>\n<p>On the client, make sure you inherit the module:<br \/>\n<code>&lt;inherits name='com.googlecode.gwt.crypto.Crypto'\/&gt;<\/code><br \/>\nThen:<\/p>\n<p><code>TripleDesCipher cipher = new TripleDesCipher();<br \/>\ncipher.setKey(Constants.GWT_DES_KEY);<br \/>\nString dec = \"\";<br \/>\ntry {<br \/>\ndec = cipher.decrypt(enc);<br \/>\n} catch (DataLengthException e) {<br \/>\ne.printStackTrace();<br \/>\n} catch (IllegalStateException e) {<br \/>\ne.printStackTrace();<br \/>\n} catch (InvalidCipherTextException e) {<br \/>\ne.printStackTrace();<br \/>\n}<\/code><\/p>\n<p>I just use a constant DES key, which is not all that secure.\u00a0 I&#8217;m sure you could do something more secure like hashing the request time, filename and some other secret key, but you need to make sure that both the server and the client agree on the key, otherwise you&#8217;ll not be able to decrypt the info.<\/p>\n<p><em>Update 6\/13: I got permission from the project owner to update the Google project, so I&#8217;ve done that.\u00a0 You can download the <a href=\"http:\/\/code.google.com\/p\/gwt-crypto\/downloads\/list\">new gwt-crypto jar there<\/a>.<br \/>\n<\/em><\/p>\n<p><em><strike>The modified gwt-crypto jar file is here.\u00a0 I&#8217;m hoping the administrator will let me at least check in the changes I&#8217;ve made so that it works on GWT 1.5.3 (can&#8217;t speak for GWT 1.6).<\/strike><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was looking for an encryption package for GWT.\u00a0 A client had some mildly private information that they wanted to encrypt in transmission.\u00a0 Now, of course, this is ultimately futile.\u00a0 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,2],"tags":[],"class_list":["post-529","post","type-post","status-publish","format-standard","hentry","category-gwt","category-technology-and-society"],"_links":{"self":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts\/529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/comments?post=529"}],"version-history":[{"count":1,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts\/529\/revisions"}],"predecessor-version":[{"id":612,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts\/529\/revisions\/612"}],"wp:attachment":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/media?parent=529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/categories?post=529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/tags?post=529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}