Jasypt Users Forum

BasicTextEncryptor() pattern develops in resulting strings after many encryptions, even from different instances


by borfnorton


Hi,
I am building an application that encrypts 3 strings per "item". There are well over 100,000 unique items. Each "item" has a unique password.

After a couple thousand unique uses of BasicTextEncryptor() (unique instances), a pattern begins to develop in the resulting encrypted string that it returns. Run the code below to see what I am referring to:


import org.jasypt.util.text.BasicTextEncryptor;

public class JasyptCheck {

    // A fresh BasicTextEncryptor per call, each configured with its own password
    public String encrypt(String clearText, String password) {
        BasicTextEncryptor te = new BasicTextEncryptor();
        te.setPassword(password);
        return te.encrypt(clearText);
    }

    public static void main(String[] args) {
        JasyptCheck jc = new JasyptCheck();
        for (int i = 0; i < 20000; i++) {
            String pw = Integer.toString(i) + "password";   // unique password per "item"
            System.out.println(jc.encrypt("Text1", pw));
            System.out.println(jc.encrypt("Text2", pw));
            System.out.println(jc.encrypt("Text3", pw));
        }
    }
}


If you can run the above, the output towards the end of your console will have data that looks something like the block below. See the pattern per iteration? Each "block of 3" encryptions per unique password starts to develop the same prefix of characters. Why is this? Is it still secure, or should we use something else?


qHzOB11vmOSjj/diZRM73A==
qHzOB11vmOT1iZkYh4wPrQ==
qHzOB11vmOSoB+YmwPXdJA==
QrqvW2s9ZEAN/GGWyrgmVQ==
QrqvW2s9ZECfLddQ3mgD2g==
QrqvW2s9ZEBD04lhsuYQTw==
8La/KX1jNIR3nV6n+Lo72g==
8La/KX1jNITaEQvP2bdHkA==
8La/KX1jNIQRIVE9LglYwg==


Re: BasicTextEncryptor() pattern develops in resulting strings after many encryptions, even from different instances

by borfnorton


Note that if I slow the loop down and sleep 100 ms between each call to encrypt(), this pattern goes away, leading me to believe something internally is based on the current time. Please explain. Is this still fairly secure to use?


borfnorton wrote:
If you can run the above, the output towards the end of your console will have data that looks something like the block below. See the pattern per iteration? Each "block of 3" encryptions per unique password starts to develop the same prefix of characters. Why is this? Is it still secure, or should we use something else?

qHzOB11vmOSjj/diZRM73A==
qHzOB11vmOT1iZkYh4wPrQ==
qHzOB11vmOSoB+YmwPXdJA==
QrqvW2s9ZEAN/GGWyrgmVQ==
QrqvW2s9ZECfLddQ3mgD2g==
QrqvW2s9ZEBD04lhsuYQTw==
8La/KX1jNIR3nV6n+Lo72g==
8La/KX1jNITaEQvP2bdHkA==
8La/KX1jNIQRIVE9LglYwg==
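
Added check (editor's example, not part of the thread and not Jasypt code): a short Python script that takes the nine output strings posted above, Base64-decodes each one and splits it into the leading 8 bytes and the remainder. Jasypt documents that its PBE string encryptors, when using a random salt generator (the BasicTextEncryptor default), prepend the salt to the ciphertext so it can be recovered at decryption time, and that the default salt size is 8 bytes; the 8-byte split below relies on those two documented defaults and on nothing else about the algorithm. The nine strings are copied from the post and labelled as such; the grouping into threes per password follows the loop in the posted code.

```python
import base64

# The nine output lines copied from the forum post above:
# three encryptions per password, three passwords.
POSTED_OUTPUT = [
    "qHzOB11vmOSjj/diZRM73A==",
    "qHzOB11vmOT1iZkYh4wPrQ==",
    "qHzOB11vmOSoB+YmwPXdJA==",
    "QrqvW2s9ZEAN/GGWyrgmVQ==",
    "QrqvW2s9ZECfLddQ3mgD2g==",
    "QrqvW2s9ZEBD04lhsuYQTw==",
    "8La/KX1jNIR3nV6n+Lo72g==",
    "8La/KX1jNITaEQvP2bdHkA==",
    "8La/KX1jNIQRIVE9LglYwg==",
]

# Jasypt's documented default: an 8-byte random salt, prepended to the ciphertext.
SALT_LEN = 8


def split_salt(token):
    """Base64-decode one Jasypt output string and return (salt, ciphertext)."""
    raw = base64.b64decode(token)
    return raw[:SALT_LEN], raw[SALT_LEN:]


def analyse(tokens, group_size=3):
    """Group consecutive outputs by password and report salt reuse.

    Returns a dict with the salt(s) seen in each group, the number of distinct
    ciphertext blocks per group, whether any group reused one salt for all its
    encryptions, and how many distinct salts appeared overall versus how many
    a fresh random salt per encryption would have produced.
    """
    groups = [tokens[i:i + group_size] for i in range(0, len(tokens), group_size)]
    report = []
    reuse_within_group = False
    all_salts = set()
    for group in groups:
        parts = [split_salt(t) for t in group]
        salts = {salt for salt, _ in parts}
        ciphertexts = {ct for _, ct in parts}
        if len(group) > 1 and len(salts) == 1:
            reuse_within_group = True
        all_salts |= salts
        report.append({
            "salts": sorted(s.hex() for s in salts),
            "distinct_ciphertexts": len(ciphertexts),
        })
    return {
        "groups": report,
        "salt_reused_within_group": reuse_within_group,
        "distinct_salts": len(all_salts),
        "expected_distinct_salts": len(tokens),
    }


if __name__ == "__main__":
    result = analyse(POSTED_OUTPUT)
    for i, g in enumerate(result["groups"], 1):
        print(f"password #{i}: salt {g['salts']}, "
              f"distinct ciphertext blocks {g['distinct_ciphertexts']}")
    print("salt reused within a password group:", result["salt_reused_within_group"])
    print(f"distinct salts: {result['distinct_salts']} of "
          f"{result['expected_distinct_salts']} encryptions")
```

Run against the posted data, the script shows that the shared prefix is exactly the first 8 decoded bytes, that all three encryptions under one password carry the same salt while their ciphertext blocks differ, and that nine encryptions used only three salts. What that means in practice is a general property of password-based encryption, not a finding about Jasypt internals: the key and IV are derived deterministically from the password and the salt, so a repeated salt under the same password means the same key and IV are reused, and two encryptions of the same plaintext would then be byte-identical. In the posted output the three plaintexts differ, which is why only the salt bytes match. The 100 ms sleep observation in the reply is consistent with the salt repeating when several encryptors are created close together in time, but the check above can only show that the salt repeats, not why.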