How to use CipherOutputStream correctly to encrypt and decrypt log created with log4j (RollingFileAppender)
Looks pretty good. Are you resetting/initializing the cipher object for every message? You probably don't want to do that, but if you do then you need to think carefully about the structure of the cipher file, because the decryptor needs to know where the message boundaries are.
ordinarydot
Updated on July 18, 2022Comments
-
ordinarydot almost 2 years
I have a problem in encrypting/decrypting log file generated by log4j's RollingFileAppender. For the encryption I have tried to extend the RollingFileAppender, just call it EncryptedRollingFileAppender. I override the method
setFile(String fileName, boolean append, boolean bufferedIO, int bufferSize)
and basically I use CipherOutputStream and Base64OutputStream to encrypt and encode everything written to the output stream. Here's part of the code:
... setImmediateFlush(true); FileOutputStream ostream = null; CipherOutputStream cstream = null; Base64OutputStream b64stream = null; try { byte[] keyBytes = "1234123412341234".getBytes(); //example final byte[] ivBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }; //example final SecretKey key = new SecretKeySpec(keyBytes, "AES"); final IvParameterSpec IV = new IvParameterSpec(ivBytes); final Cipher cipher = Cipher.getInstance("AES/CFB8/NoPadding"); cipher.init(Cipher.ENCRYPT_MODE, key, IV); ostream = new FileOutputStream(fileName, true); b64stream = new Base64OutputStream(ostream); cstream = new CipherOutputStream(b64stream, cipher); } catch(Exception ex) { ex.printStackTrace(); } Writer cw = createWriter(cstream); ...
And then i decrypt the file with this code:
private static void decryptFile(String filename) throws Exception { FileInputStream fis = null; BufferedReader br = new BufferedReader(new FileReader(filename)); File file = new File(filename + "-decrypted"); file.createNewFile(); Writer out = new OutputStreamWriter(new FileOutputStream(filename + "-decrypted"), "UTF-8"); String line = null; try { while (( line = br.readLine()) != null){ line = decrypt(Base64.decodeBase64(line)); out.write(line); } } catch (Exception e) { e.printStackTrace(); } finally { if (br != null) { br.close(); } if (fis != null) { fis.close(); } if (out != null) { out.close(); } } } public static String decrypt(byte[] line) throws Exception { byte[] keyBytes = "1234123412341234".getBytes(); final byte[] ivBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }; final SecretKey secretkey = new SecretKeySpec(keyBytes, "AES"); final IvParameterSpec IV = new IvParameterSpec(ivBytes); final Cipher decipher = Cipher.getInstance("AES/CFB8/NoPadding"); decipher.init(Cipher.DECRYPT_MODE, secretkey, IV); final byte[] plainText = decipher.doFinal(line); return new String(plainText, "UTF-8").trim(); }
It worked but only partially. Some texts in the result file were decrypted correctly but some others were not. If you're curious, this is what I mean by partially:
07 Jul 11 13:13:13, DEBUG MrBean.java:checkUserVal���̥V;��ƃ�˨�� - username: squall,password: 4GROmr95Qcf����v�M�7�y�5�@CGO09 ,active: true
I also have tried changing the algorithm to "DESede" but it was still partially decrypted. Then I tried to use "CBC/PKCS5Padding" in both ends but I got an exception
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
I assume the encryption is not properly padding the input but I wonder why... because when I use the same encryption and decryption algorithms without the CipherOutputStream the padding worked just fine. Anyone can help me to make this works? Any help will be appreciated.
PS: Sorry for my English, it's not my native language.
-
ordinarydot almost 13 yearsNot for every message, but I think there are some cases where the cipher is reinitialized. It shouldn't be a problem if the key, IV, algorithm, block cipher mode and padding weren't changed, right? (just like example code above)
-
President James K. Polk almost 13 yearsIt is a problem. To simplify greatly, the "IV" you need to use is different for different positions in the cipher stream. See the wikipedia page for details
-
ordinarydot almost 13 yearsThanks for reply. Hm, I thought it would work if I use the same IV, it was only for testing anyway. But if it must be different, that would make everything more complicated I guess. I must write the IV in the file, add message delimiter, etc. What about the padding that didn't work? Do you have any clue?
-
President James K. Polk almost 13 years@ordinarydot: I agree, using separate message entities is much more complicated. The NoPadding works fine, the problem is almost certainly entirely due to reseting the the cipher instance.
-
ordinarydot almost 13 yearsIt's already working now. I took a different approach though. Now I extends all the classes to log4j's WriteAppender and then I simply put all the encryption and encoding directly in the writers. Dealing with CipherOutputStream with no knowledge what's going on is too much I guess. Now I used AES/ECB/PKCS5Padding but I plan to change it to CBC. Use different IV for each message and add necessary changes. Well, thanks a lot Greg, for all the help.
-
ordinarydot almost 13 yearsOh yeah, I didn't use the NoPadding because there were still incorrectly decrypted part. Only a small part though, unlike before, in the end of some line.
-
Evgeniy Mishustin almost 8 yearsI've got the same problem. Is there a solution ?