
I want to encrypt/decrypt a password to store it in a database using AES (Java API) like this:

    import java.io.UnsupportedEncodingException;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import javax.crypto.BadPaddingException;
    import javax.crypto.Cipher;
    import javax.crypto.IllegalBlockSizeException;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.SecretKeySpec;

    // secretKey is an AES key created elsewhere (e.g. by KeyGenerator)
    byte[] encryptPassword(SecretKey secretKey, String password) {
        try {
            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
            byte[] salt = new byte[10];
            secureRandom.nextBytes(salt);
            // some method to mix salt with plain password: here salt || password bytes
            byte[] passwordBytes = password.getBytes("UTF-8");
            byte[] encryptedPassword = new byte[salt.length + passwordBytes.length];
            System.arraycopy(salt, 0, encryptedPassword, 0, salt.length);
            System.arraycopy(passwordBytes, 0, encryptedPassword, salt.length, passwordBytes.length);
            Cipher cipher = Cipher.getInstance("AES"); // no mode given: the provider default is AES/ECB/PKCS5Padding
            SecretKeySpec skeySpec = new SecretKeySpec(secretKey.getEncoded(), "AES");
            cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

            return cipher.doFinal(encryptedPassword); // the salt is not stored anywhere

        } catch (NoSuchAlgorithmException |
                 UnsupportedEncodingException |
                 NoSuchPaddingException |
                 InvalidKeyException |
                 IllegalBlockSizeException |
                 BadPaddingException ex) {
            //Logger...
            throw new IllegalStateException(ex);
        }
    }

My questions are: can I use AES in a commercial application for free? How can the code above be improved?

Ernestas Gruodis
  • This question appears to be off-topic because it is about software licensing. – erickson Aug 22 '13 at 20:43
  • But to answer, yes, you can. – erickson Aug 22 '13 at 20:43
  • Found in Wikipedia: "There are various implementations of the Advanced Encryption Standard, also known as Rijndael. (...) Rijndael is free for any use public or private, commercial or non-commercial.". So it looks like a green light :) – Ernestas Gruodis Aug 22 '13 at 20:53
  • There is no such thing as encrypting password safely. There are major legal issues arising. Ask your corporate attorneys about non-repudiation. Don't do this. – user207421 Aug 23 '13 at 09:47

2 Answers


In 1997 NIST put out a request for potential algorithms to use for AES. In this request, one of the requirements was that the algorithm be royalty-free.

So the algorithm itself is totally free. However, this does not mean that implementations of the algorithm are free.

Oracle's implementation is licensed under the Oracle Binary Code Licence (BCL), which according to the Java SE general FAQ is available free of charge.

So yes, you can use it in a commercial application at no cost.

Syon

Yes, you can use AES for free, although export restrictions could apply for specific countries. This is especially true for the United States.

I would be more worried about your protocol though. Please take a look at questions regarding PBKDF2 and password storage. Furthermore, Java defaults to ECB mode encryption, which is not safe to use for Strings. I don't see you storing the salt together with the ciphertext. Calling secretKey.getEncoded() only to put it into a SecretKeySpec is not very useful, presuming that secretKey is already an AES key.

Maarten Bodewes
  • I think you're about 13 years out of date with the US export restrictions. They were lifted during the Clinton administration. There are *import* restrictions in some countries ... – user207421 Aug 23 '13 at 01:15
  • Yes, I know it's not safe enough - but before storing the password in database - user will be notified about that (save it or not). It is better to store string hash instead encrypted password, but in this case I need original password string, which was entered by user. – Ernestas Gruodis Aug 23 '13 at 07:48
  • @EJP They have been partially lifted. Unfortunately they are not gone. There have been many discussions about this. It depends on how the encryption is used or made available. Why do you think that the unlimited jurisdiction files still exist? – Maarten Bodewes Aug 23 '13 at 09:58
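The three points raised in this answer (a random IV stored together with the ciphertext instead of the ECB default, the SecretKey passed to the cipher as-is rather than via getEncoded(), and PBKDF2 for the case where the password only has to be verified) put together in one runnable class. This is an added example, not code from the question or from either answer; the AES key is generated in main purely for the demo (a real one would come from a keystore), the password is a constructed sample, and the `iterations$salt$hash` record layout is a choice made here, not a standard.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the size GCM is specified for
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag
    private static final int PBKDF2_ITERATIONS = 200_000; // assumption: tune to your hardware

    // Reversible case (the asker needs the original string back):
    // AES-GCM with a fresh random IV per call; the IV is stored in front of the ciphertext,
    // so the stored blob is self-contained. Cipher.getInstance("AES") would have meant ECB.
    static byte[] encrypt(SecretKey key, char[] password) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv)); // key used directly
        byte[] plain = new String(password).getBytes(StandardCharsets.UTF_8);
        byte[] ct = cipher.doFinal(plain);
        Arrays.fill(plain, (byte) 0); // don't leave the plaintext bytes around longer than needed
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static char[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES); // IV from the blob
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        // a modified blob fails here with AEADBadTagException instead of yielding garbage
        byte[] plain = cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        char[] password = new String(plain, StandardCharsets.UTF_8).toCharArray();
        Arrays.fill(plain, (byte) 0);
        return password;
    }

    // Verification-only case: PBKDF2WithHmacSHA256 with a random salt; the salt and the
    // iteration count are stored next to the hash so the check can be repeated later.
    static String hashForStorage(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return PBKDF2_ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    static boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();                          // demo-only key
        char[] pw = "correct horse battery staple".toCharArray();  // constructed sample password

        byte[] blob = encrypt(key, pw);
        System.out.println("blob length (IV + ciphertext + tag): " + blob.length);
        System.out.println("recovered: " + new String(decrypt(key, blob)));

        String stored = hashForStorage(pw);
        System.out.println("stored record: " + stored);
        System.out.println("verify correct password: " + verify(pw, stored));
        System.out.println("verify wrong password:   " + verify("wrong".toCharArray(), stored));
    }
}
```

Compile and run the class as-is (Java 8 or later, for PBKDF2WithHmacSHA256 and java.util.Base64). Encrypting the same password twice gives two different blobs because the IV is random, which is exactly the property the ECB default lacks; decrypt() needs nothing but the key and the blob because the IV travels with the ciphertext. The PBKDF2 path is the one to use wherever the application only has to check a password rather than read it back.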