https://kotlinlang.org logo
#getting-started
Title
# getting-started
c

Colton Idle

07/07/2022, 4:07 PM
Not sure if this is the right spot, but is there a reputable library for Kotlin for public key RSA encryption? I just need to encrypt a string. My iOS team is using https://github.com/TakeScoop/SwiftyRSA but i cant find something like that for kotlin.
o

Oliver.O

07/07/2022, 4:14 PM
c

Colton Idle

07/07/2022, 5:53 PM
thanks! I was pretty excited to use it, but reading through the docs makes it seem pretty darn confusing.
e

ephemient

07/07/2022, 6:06 PM
on JVM/Android, you'd just use JCA
c

Colton Idle

07/07/2022, 6:13 PM
JCA... Got it. Will look it up. Thanks!
e

ephemient

07/07/2022, 6:18 PM
it's built into Java: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html once upon a time, US didn't permit exports of strong crypto, so you had to install a separate JCE component. but now the basic stuff such as RSA is pre-packaged as part of the JRE (and Android runtime)
c

Colton Idle

07/07/2022, 6:18 PM
cool. so i think something like this should work
something about copying encryption code from stackoverflow seems so wrong. lol
e

ephemient

07/07/2022, 6:20 PM
raw RSA like that has some known vulnerabilities
you'd more commonly use
Cipher.getInstance("RSA/ECB/PKCS1Padding")
or something along those lines, but I'm not an expert on which modes are considered secure
c

Colton Idle

07/07/2022, 6:31 PM
Interesting. So people just really pass a string into Cipher.getInstance? Seems like some of this stuff you'd want some type safety, etc.
e

ephemient

07/07/2022, 6:31 PM
note that due to https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB) it's not recommended to use ECB on anything larger than a block. for larger messages, RSA is typically only used to encrypt a shared secret key
c

Colton Idle

07/07/2022, 6:32 PM
yeah. i just have a name that im trying to encrypt lol. so its short
e

ephemient

07/07/2022, 6:33 PM
yes, it's string-based. kind of necessary because of how flexible it is - it was designed so that you could install full-strength JCE afterwards, and there's still providers like Bouncy Castle
o

Oliver.O

07/07/2022, 6:33 PM
The thing with crypto is: If it seems easy to code, it is often easy to hack, due to some subtle oversight (or two, or three). Unfortunately this stuff is outdated, but if you're interested, you might get the idea: https://bettercrypto.org/#theory
c

Colton Idle

07/07/2022, 6:35 PM
Alright. I will try this out. thanks everyone.
does anyone know if there is a list of what JCA supports for it's Ciphers? Like I'm mostly looking for what variations of Cipher.getInstance("RSA/ECB/PKCS1Padding") are available.
c

Colton Idle

07/07/2022, 9:19 PM
❤️
o

Oliver.O

07/07/2022, 9:23 PM
As JCA is full of insecure combinations, you might still want to consider this:
WARNING: The JCA makes it easy to incorporate security features into your application. However, this document does not cover the theory of security/cryptography beyond an elementary introduction to concepts necessary to discuss the APIs. This document also does not cover the strengths/weaknesses of specific algorithms, not does it cover protocol design. Cryptography is an advanced topic and one should consult a solid, preferably recent, reference in order to make best use of these tools.
You should always understand what you are doing and why: DO NOT simply copy random code and expect it to fully solve your usage scenario. Many applications have been deployed that contain significant security or performance problems because the wrong tool or algorithm was selected.
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#Introduction
The chapter on hybrid encryption in Tink does not recommend any RSA combination for asymmetric encryption: https://developers.google.com/tink/hybrid
a

Anmol Verma

12/01/2022, 1:14 PM
Hi @Colton Idle i have created one for my needs it supports android, ios and jvm and it uses Google Tink hybrid encryption along with RSA, it works well on android, jvm backend and desktop app, but fails to decrypt on ios using encrypted data from the backend server. But individual test cases on the platforms pass! here’s the repo https://github.com/oianmol/capillary-kmp
👍 1
2 Views