Implementing Secure Encryption for Payment Platforms: DES, 3DES, AES, RSA and TLS on Android

This article explains how to protect payment platform data by using symmetric (DES, 3DES, AES) and asymmetric (RSA) encryption, key‑storage strategies, TLS transport security, and anti‑tampering signatures, with complete Java code examples for Android.

Programmer DD

Payment Platform Security Overview

Secure transactions are a core requirement for e‑commerce products, and the payment system is the key component that protects both information flow and fund flow. Protecting terminal data is the first line of defense for third‑party payment providers.

Symmetric Encryption

Two main symmetric algorithms are discussed: DES and its successor 3DES, as well as AES.

DES

DES uses a short 56‑bit key and is vulnerable to brute‑force attacks, but it is still illustrated for legacy configuration encryption.

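import android.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// The key string must be exactly 8 bytes: it is used both as the DES key and as the
// CBC IV, so the IV is identical for every message encrypted under that key.
public static String encryptByDES(String plain, String encryKey) throws Exception {
    Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
    DESKeySpec desKeySpec = new DESKeySpec(encryKey.getBytes("UTF-8"));
    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
    SecretKey secretKey = keyFactory.generateSecret(desKeySpec);
    IvParameterSpec iv = new IvParameterSpec(encryKey.getBytes("UTF-8"));
    cipher.init(Cipher.ENCRYPT_MODE, secretKey, iv);
    // Return the ciphertext as a single-line Base64 string.
    return Base64.encodeToString(cipher.doFinal(plain.getBytes("UTF-8")), Base64.NO_WRAP);
}
public static String decryptByDES(String encryString, String decodeKey) throws Exception {
    IvParameterSpec iv = new IvParameterSpec(decodeKey.getBytes("UTF-8"));
    SecretKeySpec skeySpec = new SecretKeySpec(decodeKey.getBytes("UTF-8"), "DES");
    Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
    // Decode the Base64 ciphertext before decrypting.
    byte[] byteMi = Base64.decode(encryString, Base64.NO_WRAP);
    byte[] decryptedData = cipher.doFinal(byteMi);
    return new String(decryptedData, "UTF-8");
}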

3DES

3DES applies three DES operations with three keys (K1, K2, K3) to increase security.

import javax.crypto.spec.DESedeKeySpec;

// secretKey must supply at least 24 bytes (K1, K2, K3); iv is the 8-byte CBC
// initialization vector, passed in as a parameter.
public static String encryptBy3DES(String plain, String secretKey, String iv) throws Exception {
    DESedeKeySpec spec = new DESedeKeySpec(secretKey.getBytes("UTF-8"));
    SecretKeyFactory keyfactory = SecretKeyFactory.getInstance("desede");
    SecretKey deskey = keyfactory.generateSecret(spec);
    Cipher cipher = Cipher.getInstance("desede/CBC/PKCS5Padding");
    IvParameterSpec ips = new IvParameterSpec(iv.getBytes("UTF-8"));
    cipher.init(Cipher.ENCRYPT_MODE, deskey, ips);
    byte[] encryptData = cipher.doFinal(plain.getBytes("UTF-8"));
    return Base64.encodeToString(encryptData, Base64.DEFAULT);
}
public static String decryptBy3DES(String encryString, String secretKey, String iv) throws Exception {
    DESedeKeySpec spec = new DESedeKeySpec(secretKey.getBytes("UTF-8"));
    SecretKeyFactory keyfactory = SecretKeyFactory.getInstance("desede");
    SecretKey deskey = keyfactory.generateSecret(spec);
    Cipher cipher = Cipher.getInstance("desede/CBC/PKCS5Padding");
    IvParameterSpec ips = new IvParameterSpec(iv.getBytes("UTF-8"));
    cipher.init(Cipher.DECRYPT_MODE, deskey, ips);
    // Decode the Base64 ciphertext, decrypt it, and return the plaintext as in the DES version.
    byte[] decryptData = cipher.doFinal(Base64.decode(encryString, Base64.DEFAULT));
    return new String(decryptData, "UTF-8");
}

AES

AES replaces DES due to its longer key length and better performance. The implementation is similar to DES but uses "AES/ECB/PKCS5Padding".

// secretKey must be 16, 24 or 32 bytes long (AES-128/192/256).
// ECB encrypts each 16-byte block independently, so equal plaintext blocks
// produce equal ciphertext blocks.
public static String encryptByAES(String plain, String secretKey) {
    try {
        SecretKeySpec spec = new SecretKeySpec(secretKey.getBytes("UTF-8"), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, spec);
        byte[] crypted = cipher.doFinal(plain.getBytes("UTF-8"));
        return Base64.encodeToString(crypted, Base64.NO_WRAP);
    } catch (Exception e) {
        // Any failure is reported to the caller as an empty string.
        return "";
    }
}
public static String decryptByAES(String encryString, String secretKey) {
    try {
        SecretKeySpec spec = new SecretKeySpec(secretKey.getBytes("UTF-8"), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, spec);
        byte[] output = cipher.doFinal(Base64.decode(encryString, Base64.NO_WRAP));
        return new String(output, "UTF-8");
    } catch (Exception e) {
        // Any failure is reported to the caller as an empty string.
        return "";
    }
}
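
The following is an added example, not code from the original article: it runs the article's "AES/ECB/PKCS5Padding" transformation beside AES-GCM on the same input to show what the mode choice changes. The class name, the sample plaintext and the nonce-prepended message layout are assumptions made for the demonstration; it uses only javax.crypto and runs on a desktop JVM as well as on Android.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class AesModeDemo {
    static final SecureRandom RNG = new SecureRandom();
    // ECB as used in the article: each 16-byte block is encrypted independently.
    static byte[] ecb(byte[] key, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(plain);
    }

    // GCM: fresh 12-byte nonce per message, prepended to ciphertext plus 16-byte tag.
    static byte[] gcmEncrypt(byte[] key, byte[] plain) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] gcmDecrypt(byte[] key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, msg, 0, 12));
        return c.doFinal(msg, 12, msg.length - 12); // fails with AEADBadTagException if msg was modified
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];
        RNG.nextBytes(key); // constructed demo key
        // Constructed sample: two identical 16-byte plaintext blocks.
        byte[] plain = "amount=000100.00amount=000100.00".getBytes(StandardCharsets.UTF_8);
        byte[] e = ecb(key, plain);
        System.out.println("ECB blocks 1 and 2 equal: " + Arrays.equals(Arrays.copyOfRange(e, 0, 16), Arrays.copyOfRange(e, 16, 32)));
        byte[] g = gcmEncrypt(key, plain);
        System.out.println("GCM round trip ok: " + Arrays.equals(plain, gcmDecrypt(key, g)));
        g[20] ^= 1; // simulate one ciphertext bit changed in transit
        try { gcmDecrypt(key, g); System.out.println("modified message accepted"); }
        catch (AEADBadTagException ex) { System.out.println("modified message rejected"); }
    }
}
```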

Key Storage Strategies

Three practical approaches are suggested: (1) store the generated key in a file or Android SharedPreferences, (2) retrieve the key from a server based on device identifiers (not recommended due to network unreliability), and (3) embed the key in native (NDK) code with obfuscation.

Asymmetric Encryption (RSA)

RSA provides a public‑private key pair for encrypting small data blocks, such as dynamic keys or signatures.

import android.util.Base64;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;

public static void genKeyPair() throws NoSuchAlgorithmException {
    KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
    // 1024 bits as in the article; 2048 bits or more is the current minimum recommendation.
    keyPairGen.initialize(1024, new SecureRandom());
    KeyPair keyPair = keyPairGen.generateKeyPair();
    RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
    RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
    // Base64 forms of the X.509 (public) and PKCS#8 (private) encodings, for storage or transport.
    String publicKeyString = Base64.encodeToString(publicKey.getEncoded(), Base64.NO_WRAP);
    String privateKeyString = Base64.encodeToString(privateKey.getEncoded(), Base64.NO_WRAP);
}
// publicKey is the X.509-encoded key; plain must fit in one RSA block (key size minus padding).
public static byte[] encryptByPubKey(byte[] plain, byte[] publicKey) throws Exception {
    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKey);
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    PublicKey pubKey = keyFactory.generatePublic(keySpec);
    Cipher cp = Cipher.getInstance("RSA/None/PKCS1Padding");
    cp.init(Cipher.ENCRYPT_MODE, pubKey);
    return cp.doFinal(plain);
}
// privateKey is the PKCS#8-encoded key.
public static byte[] decryptByPrivKey(byte[] encrypted, byte[] privateKey) throws Exception {
    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey);
    KeyFactory kf = KeyFactory.getInstance("RSA");
    PrivateKey keyPrivate = kf.generatePrivate(keySpec);
    Cipher cp = Cipher.getInstance("RSA/None/PKCS1Padding");
    cp.init(Cipher.DECRYPT_MODE, keyPrivate);
    return cp.doFinal(encrypted);
}

Transport Security (TLS)

TLS protects data in transit. The Android implementation loads an X.509 certificate, creates a TrustManager, initializes an SSLContext, and establishes a socket with a TLS handshake.

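import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// The bytes of caPath are parsed as the certificate itself, so it must hold the PEM text.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(new ByteArrayInputStream(caPath.getBytes("UTF-8")));
Certificate ca = cf.generateCertificate(caInput);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
SocketAddress sockaddr = new InetSocketAddress("localhost", 80);
// startHandshake() is defined on SSLSocket, not on Socket.
SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
socket.connect(sockaddr, 60 * 1000);
socket.startHandshake();
// A raw SSLSocket does not check the hostname; verify it before sending any data.
if (!HttpsURLConnection.getDefaultHostnameVerifier().verify("localhost", socket.getSession())) {
    throw new SSLHandshakeException("hostname mismatch");
}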

Anti‑Tampering and Signature

To prevent data tampering, the client signs sorted parameters using MD5, encrypts the digest with the server’s public RSA key, and sends both the ciphertext and the original data. The server verifies the signature by decrypting with its private key, recomputing the MD5 digest, and comparing the values.

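// param holds the sorted parameters joined as "&key=value"; drop the leading "&".
// Md5Utils is the article's own helper class (not shown).
param = param.replaceFirst("&", "");
String signValue = Md5Utils.md5(param);
param = param + "&sign=" + signValue;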

Verification repeats the sorting, MD5 calculation, RSA decryption, and comparison steps.
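
The client and server steps described above, end to end, as an added example that is not code from the original article. The class and method names, the sample parameters and the in-memory key pair are assumptions; it uses "RSA/ECB/PKCS1Padding", the standard JCA name accepted on both a desktop JVM and Android, in place of the article's "RSA/None/PKCS1Padding".

```java
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import java.util.TreeMap;

public class ParamSignDemo {
    // Canonical form: parameters sorted by name, joined as key=value with '&'.
    static String canonical(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    static byte[] md5(String s) throws Exception {
        return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Client: MD5 over the canonical string, encrypted with the server's public key.
    static byte[] sign(Map<String, String> params, PublicKey serverPub) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.ENCRYPT_MODE, serverPub);
        return c.doFinal(md5(canonical(params)));
    }

    // Server: decrypt, recompute over the received parameters, compare in constant time.
    static boolean verify(Map<String, String> received, byte[] sign, PrivateKey serverPriv) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.DECRYPT_MODE, serverPriv);
        return MessageDigest.isEqual(c.doFinal(sign), md5(canonical(received)));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair server = g.generateKeyPair(); // constructed demo key pair
        Map<String, String> req = new TreeMap<>();
        req.put("orderId", "A1001"); // constructed sample parameters
        req.put("amount", "100.00");
        byte[] sig = sign(req, server.getPublic());
        System.out.println("unchanged: " + verify(req, sig, server.getPrivate()));
        req.put("amount", "1.00"); // a parameter that differs from what was signed
        System.out.println("altered:   " + verify(req, sig, server.getPrivate()));
    }
}
```

Because the digest is encrypted with a public key, a matching value can be produced by anyone who holds that key, so the check does not establish who produced the request. A keyed MAC or a signature made with a client-held private key is what binds the parameters to a sender.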

Conclusion

The article provides a complete guide to implementing encryption, key management, TLS transport, and signature‑based anti‑tampering for payment platforms on Android, illustrating each technique with practical Java code.
