🔐 AES Encryption and Decryption Logic

This document explains the logic behind using AES (Advanced Encryption Standard) for secure data transmission using a symmetric key. It covers encryption in CBC mode with PKCS5 padding and sample Java code implementation.

🔁 Process Flow

Encryption:

  1. Decode the Base64-encoded symmetric key.
  2. Generate a random IV.
  3. Encrypt the data using the decoded key and IV.
  4. Combine the IV and the encrypted data.
  5. Base64-encode the result for transmission.

Decryption:

  1. Base64-decode the input (IV + ciphertext).
  2. Extract the IV from the beginning.
  3. Decrypt the ciphertext using the same key and IV.
  4. Clean the decrypted result to get the actual payload.

⚠️ Handling Noise in Decrypted Data

To clean post-decryption data, trim it to end at the last valid JSON closing character (`}` or `]`) to avoid malformed results.

🧠 Sample Java Code Implementation:

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Arrays;
import java.nio.charset.StandardCharsets;

public class AESUtils {
    // -------- Encryption Method ----------
    public static String EncryptRequest(Object incomingJsonReq, String key) throws Exception {
        byte[] decodedKey = Base64.getDecoder().decode(key);
        if (decodedKey.length != 32) throw new IllegalArgumentException("Invalid key");

        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);

        byte[] payloadBytes = incomingJsonReq.toString().getBytes();
        SecretKeySpec secretKeySpec = new SecretKeySpec(decodedKey, "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, new IvParameterSpec(iv));

        byte[] encryptedBytes = cipher.doFinal(payloadBytes);
        byte[] result = new byte[iv.length + encryptedBytes.length];

        System.arraycopy(iv, 0, result, 0, iv.length);
        System.arraycopy(encryptedBytes, 0, result, iv.length, encryptedBytes.length);

        return Base64.getEncoder().encodeToString(result);
    }

    // -------- Decryption Method ----------
    public String decryptRequest(String encryptedString, String key) throws Exception {
        byte[] byteCipherText = Base64.getDecoder().decode(encryptedString);
        byte[] byteKey = Base64.getDecoder().decode(key);

        byte[] iv = Arrays.copyOfRange(byteCipherText, 0, 16);
        byte[] cipherText = Arrays.copyOfRange(byteCipherText, 16, byteCipherText.length);

        SecretKeySpec secretKey = new SecretKeySpec(byteKey, "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, secretKey, new IvParameterSpec(iv));

        byte[] bytePlainText = cipher.doFinal(cipherText);
        return removeNoise(new String(bytePlainText, StandardCharsets.UTF_8).trim());
    }

    private String removeNoise(String data) {
        int lastCurlyBrace = data.lastIndexOf('}');
        int lastSquareBracket = data.lastIndexOf(']');
        int lastIndex = Math.max(lastCurlyBrace, lastSquareBracket);
        return (lastIndex != -1) ? data.substring(0, lastIndex + 1) : data;
    }
}

📌 Conclusion:

The logic explained in this document enables secure encryption and decryption of data using AES in CBC mode. By combining proper key management, secure IV generation, and Base64 encoding for transmission, the method ensures the confidentiality of sensitive information.

Notes:
  • This supports JSON and array of JSON for decryption.
  • Any file in the payload should be passed as-is without encryption.
  • API User Name and key will be provided by the ISU team.