
I am using the same code in a Java SE project and an Android project. The apps running on Java and Android connect to the same MQTT broker and exchange messages. The messages are encrypted/decrypted using AES. I have very little experience with the Java Security Architecture, so my questions are:

1) What should I expect if I use the same Cipher algorithm, but from different providers (one on Java and another on Android)? Does using a different provider to decrypt a message encrypted with another provider automatically mean that the message won't be decrypted successfully?

2) What would be a recommended provider to use that would allow Java and Android applications to communicate correctly in this case? I have seen some answers online, but some are relatively old, so I'm not sure if they are still best answers.

  • AES is a standard. Assuming you are using the same secret, it should not matter whose implementation you are using. Commented Mar 13, 2015 at 9:40
  • There are of course differences between the providers when the algorithm is not fully specified. Don't forget to specify the mode of operation and the padding. Don't use Cipher.getInstance("AES"), but rather Cipher.getInstance("AES/CBC/PKCS5Padding"), or even better authenticated encryption such as GCM or CCM, which is provided by BouncyCastle. Commented Mar 13, 2015 at 10:09
  • Use BouncyCastle on Java SE and SpongyCastle on Android. Same version. Commented Mar 13, 2015 at 10:25
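The comments above make the practical point: two providers interoperate when the transformation is spelled out in full (algorithm, mode and padding), the key is exchanged as raw bytes, and the wire format (where the IV sits) is fixed by you rather than left implicit. The class below is an added example, not code from the question or the answer, that does exactly that with "AES/GCM/NoPadding" and never names a provider. The key bytes, the message and the wire layout (IV || ciphertext || tag) are constructed for the demo; in a real deployment both apps load the same key bytes from secure storage. It assumes both ends have a provider for AES-GCM with GCMParameterSpec (Java 7 or later; Android API level 19 or later).

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Provider-independent AES-GCM framing for messages exchanged between a
 * Java SE client and an Android client. Nothing here names a provider; the
 * interoperability comes from (1) spelling out the full transformation,
 * (2) treating the key as raw bytes, and (3) fixing the wire format.
 */
public final class MqttPayloadCrypto {

    // Fully specified transformation: algorithm/mode/padding. Plain "AES" leaves
    // mode and padding to a provider-specific default (SunJCE: ECB/PKCS5Padding),
    // which is exactly what can differ between the two platforms.
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // full-length authentication tag

    private static final SecureRandom RNG = new SecureRandom();

    private MqttPayloadCrypto() {}

    /** Wire format (our own convention): IV (12 bytes) || ciphertext || tag (16 bytes). */
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // fresh random nonce per message; never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ctAndTag = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ctAndTag.length).put(iv).put(ctAndTag).array();
    }

    /** Throws AEADBadTagException if the message was modified in transit or the keys differ. */
    public static byte[] decrypt(SecretKey key, byte[] wire) throws GeneralSecurityException {
        if (wire.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("message too short to contain IV and tag");
        }
        byte[] iv = Arrays.copyOfRange(wire, 0, IV_BYTES);
        byte[] ctAndTag = Arrays.copyOfRange(wire, IV_BYTES, wire.length);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ctAndTag);
    }

    /** Which provider the JCA actually selected for a transformation; log this once on each platform. */
    public static String providerFor(String transformation) throws GeneralSecurityException {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed 128-bit demo key (128 bits avoids the "unlimited strength" policy
        // requirement of older JREs). Both apps must hold the same bytes.
        byte[] keyBytes = new byte[16];
        for (int i = 0; i < keyBytes.length; i++) keyBytes[i] = (byte) i;
        SecretKey key = new SecretKeySpec(keyBytes, "AES");

        System.out.println("\"AES\" resolved by provider:            " + providerFor("AES"));
        System.out.println("\"" + TRANSFORMATION + "\" resolved by provider: " + providerFor(TRANSFORMATION));

        byte[] msg = "sensor/1 temp=21.5".getBytes(StandardCharsets.UTF_8); // constructed MQTT payload
        byte[] wire = encrypt(key, msg); // produced on one platform ...
        byte[] back = decrypt(key, wire); // ... consumed on the other
        System.out.println("round trip ok: " + Arrays.equals(msg, back));

        wire[wire.length - 1] ^= 0x01; // corrupt one byte of the tag
        try {
            decrypt(key, wire);
            System.out.println("tamper NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e);
        }
    }
}
```

Run the same class on both platforms and compare the two provider names it prints: they will usually differ (SunJCE on the desktop, the Android platform provider or SpongyCastle on the phone), and the round trip still succeeds because every parameter the ciphertext depends on is written into the transformation string or the wire format. If an older Android target lacks GCM, the CBC transformation from the comments works the same way, but CBC alone gives no integrity check, so the tamper test at the end would print "tamper NOT detected".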

1 Answer


What should I expect if I use the same Cipher algorithm, but from different providers (one on Java and another on Android)?

The same result.

Does using a different provider to decrypt a message encrypted with another provider automatically mean that the message won't be decrypted successfully?

No.

2) What would be a recommended provider to use that would allow Java and Android applications to communicate correctly in this case?

The one built into the JRE, assuming it supports AES.

But I'm wondering why you aren't using SSL.


2 Comments

Thank you for your answer. Enabling SSL is in the pipeline. In terms of the provider used, would you then recommend that I don't specify a provider name in the code, but to let the code use a default provider? Would that work 100% of the time?
If it works at all on both ends, it should work 100% of the time. That doesn't absolve you from having to test it yourself. You'd be better off jumping straight to SSL. No point in building two incompatible versions of the product, one with dubious security.
