I am aware that DES is considered as an insecure algorithm for encryption at the moment. So does that imply that we should stop using the class DESKeySpec in JCA for specifying a key for encryption? More specifically, is the below code snippet insecure due to the usage of DESKeySpec? If yes, why, and how should I rectify it?
public void setPassword(String p) throws FacesException {
byte\[\] s`your text`={(byte)0xA9,(byte)0x9B,(byte)0xC8,(byte)0x32,(byte)0x56,(byte)0x34,(byte)0xE3,(byte)0x03};
try {
KeySpec keySpec=new DESKeySpec(p.getBytes("UTF8"));
SecretKey key=SecretKeyFactory.getInstance("DES").generateSecret(keySpec);
e=Cipher.getInstance(key.getAlgorithm());
d=Cipher.getInstance(key.getAlgorithm());
e.init(Cipher.ENCRYPT_MODE,key);
d.init(Cipher.DECRYPT_MODE,key);
}
catch ( Exception e) {
throw new FacesException("Error set encryption key",e);
}
}
Yes, DES is very insecure, and shouldn't be used in any new projects. Any new project should be using AES unless you have a very strong and informed reason for something else.
However, what you should do about the above code completely depends on what it's being used for. If this code is interoperating with a system that requires DES, you can't just change it without changing the other side as well. Similarly, if you have existing data encrypted in DES, you'll need a way to continue to decrypt that. You can't just swap AES for DES and have exiting encryptions continue to work. There are important systems in the world that still use DES (credit card magnetic stripes being probably the most ubiquitous).
That said, you can't just swap "AES" into the above code and have a secure cryptosystem. You need to choose a proper mode, a random IV, most likely a KDF, and some kind of authentication. Encryption algorithms like DES and AES are very low-level tools that are easy to misuse. They are just one piece of a secure cryptosystem. The proper solution depends on your specific situation, particularly what kinds of interoperability you need.