Android Question Different BYTE() result from 2 Instances of B4XCIPHER

[Gianni Sassanelli]

Hi
as subject i get two different result if i call form more time the some function for encrypt my string
Is this correct?
I expected to always have the same byte array

If this is the correct behavior, how can I always get the same byte array?
thank's

the example is following

    Dim EncryptedData() As Byte

    Dim c As B4XCipher
    Dim myString, myPassword As String

    Log("Start test ==============")
    myString       = "abc"
    myPassword = "1234"
    Log("1° test >>")
    EncryptedData = c.Encrypt(myString.GetBytes("utf8"), myPassword)
    Log("First Time    byte Length: " & EncryptedData.Length)
    For N = 0 To EncryptedData.Length-1
         Log(EncryptedData(N))
    Next
    EncryptedData = c.Encrypt(myString.GetBytes("utf8"), myPassword)   ' note the some string and password
    Log("Second Time    byte Length: " & EncryptedData.Length)
    For N = 0 To EncryptedData.Length-1
            Log(EncryptedData(N))
    Next   

    EncryptedData = c.Encrypt(myString.GetBytes("utf8"), myPassword)   ' note the some string and password
    Log("third Time    byte Length: " & EncryptedData.Length)
    For N = 0 To EncryptedData.Length-1
            Log(EncryptedData(N))
    Next

 

[OliverA]

If this is the correct behavior, how can I always get the same byte array?

B4XCipher uses a different "salt" when encrypting data. The encrypted data is prefixed with this salt to allow the decryption algorithm to work properly. This is by design. If you want something that encrypts without a salt, then one method would be to use @agraham's encryption library and do your own encryption. I would not recommend that though, since there are reasons for using a salt in encryption.

Links:
@agraham's encryption library: https://www.b4x.com/android/forum/threads/base64-and-encryption-library.6839/
An article about encryption and the use of salt: https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/

 

[agraham]

Initialisation Vectors in the Cipher object in the Encryption library serve the same purpose as a salt except you can define your own whereas B4XCipher chooses its own random one and prepends it to the result of the encryption. By using different IVs you ensure that the same string when encrypted twice does not produce the same result which is a good security measure.

 

[Gianni Sassanelli]

OK thank's for your explanation Agrahm and OliverA.

I would need to be able to encrypt a string to save some passwords.

The problem is that if the hash of the encrypted string always changes I can never compare a user entered password with one just saved in the db.
Could you advise me how to do it?

 

[agraham]

Use Cipher from the Enctyption library and use the same IV every time.

 

[sirjo66]

You can also use a fixed "salt" and then use MD5, SHA-1, SHA-256 or other.
So you can compare the result with the data in database

 

[Erel]

As @sirjo66 wrote, good practice is to use a hash function for this, and save the hash of (password + salt).

 

[Gianni Sassanelli]

tks Sirjo and Erel.
I had WRONGLY understood that the password was salt