
Java Cryptography Extension

 
Krishna Das
Greenhorn
Posts: 7
Hello People,

In my application I need to store the password in an encrypted format. Can anybody give me pointers on the same?

The basic requirement is that the password should never be decrypted by the application support guys even by knowing the algorithm. Basically I understand that we need to use some kind of keys. But I am unable to continue further due to my lack of knowledge on JCE.

Regards,
Krishna Das
 
Ulf Dittmer
Rancher
Posts: 42970
The usual approach is not to encrypt the password, but to hash (or digest) it using an algorithm like MD5. That way, the password can never be recovered, and you don't need to worry about how to store an encryption key, either.

During login, you'd run the password just entered through MD5 as well, and if it's the same as the stored one, you can assume that the password was the same as the original one.

Here's an example of how to MD5 a string. Note that it creates a byte[], so you should convert it to a string before storing it in a DB; encoding it with base-64 would be a good way to do that (Apache Commons Codec has methods for encoding/decoding base-64).
[ August 04, 2008: Message edited by: Ulf Dittmer ]
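The store-and-compare procedure described above, as an added example that is not Ulf's code or the code the original post linked to. It assumes Java 8 or later, so that java.util.Base64 can stand in for Apache Commons Codec, and it departs from the thread in two deliberate ways: it uses SHA-256 rather than MD5 (MD5 is no longer considered suitable for anything security-related), and it prefixes a random per-user salt so that two users with the same password do not end up with the same stored digest. The stored form is "base64(salt):base64(digest)", which is plain ASCII and can go straight into a VARCHAR column.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example (not from the thread): salted digest of a password stored as
 * Base64 text, verified later by re-digesting the candidate password.
 */
public class PasswordDigest {

    // Assumption: SHA-256 is used instead of the MD5/SHA-1 mentioned in the thread.
    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Produces "base64(salt):base64(digest)"; the result is ASCII-only. */
    public static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] digest = digest(salt, password);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(digest);
    }

    /** Recomputes the digest with the stored salt and compares without early exit. */
    public static boolean verify(String password, String stored) {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            return false; // malformed record, never a match
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = digest(salt, password);
        // MessageDigest.isEqual is a constant-time comparison of two byte arrays.
        return MessageDigest.isEqual(expected, actual);
    }

    /** digest = H(salt || UTF-8(password)); the byte[] is binary, not text. */
    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is required by the Java platform, so this cannot happen in practice.
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple");
        System.out.println("stored record : " + stored);
        System.out.println("right password: " + verify("correct horse battery staple", stored));
        System.out.println("wrong password: " + verify("wrong", stored));
    }
}
```

Because the salt is stored alongside the digest, nothing secret has to be kept outside the database, which is the property the original poster asked for. For a production system the same structure works with a deliberately slow key-derivation function from the JCE such as SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256") in place of a single SHA-256 call; that swap only changes the digest method.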
 
Krishna Das
Greenhorn
Posts: 7
Thank you Ulf. That was helpful.

Couple of questions.

1) Difference between Sun's implementation and Apache commons codec?
2) Is MD5 the only option? Or could I use something like SHA?

Regards,
 
Ulf Dittmer
Rancher
Posts: 42970
SHA-1 is OK, but I think some of the older MD algorithms (MD2 or MD4, not sure right now) have been found to be cryptologically weak, so they should be avoided.

Assuming you mean the sun.misc.Base64 class, it's always better not to rely on JDK-internal methods when there's no need to do so. There are other classes for base-64 if you don't want a full library, like this one.
 
Krishna Das
Greenhorn
Posts: 7
Thanks once again.

Forgive me for asking stupid questions. But I must admit that I am ignorant about password encryption and stuff like that. Basically I am new to these topics.

I am using the Base64 classes given in Apache commons-codec because I didn't want to rely on whatever is provided as part of the JDK (starting with sun.misc.*). I read somewhere (on the internet) that Sun wouldn't be obligated to keep these classes (sun.misc.*) as part of the JDK and could remove those classes at any time.

My code looks like this


Is this sufficient or am I missing something? I also wanted to know the difference between a hash, a message digest and a digest.

Thank you for bearing with me for so long.

[ August 07, 2008: Message edited by: Krishna Das ]
 
Krishna Das
Greenhorn
Posts: 7
Me again,

Are there any chances that there could be special characters in the digest generated by SHA? I may have problems storing special characters like ', % and & in my database (Oracle). Any pointers for this?

I won't be able to escape and store them as it will become a problem when comparing passwords (digests).

Thanks
 
Ulf Dittmer
Rancher
Posts: 42970
Digest, message digest and hash all mean the same thing in this context.

The digest returns a byte[], so there are all kinds of special characters in it. That's to be expected with binary data - you can't treat it as if it were text. This in particular is bad and won't work:

The way to construct a string from binary data is to use base-64.
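An added demonstration of the point made above and of the earlier question about ', % and & in the digest. This is not code from the thread; it assumes Java 8 or later for java.util.Base64 and uses SHA-1 only because that is the algorithm the thread settled on. It shows that pushing the digest bytes through new String(...) and back does not reproduce the original bytes, whereas Base64 does, and that Base64 output is drawn from a fixed alphabet that contains none of the characters the original poster was worried about.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Pattern;

/**
 * Added example (not from the thread): why a digest's byte[] must be Base64
 * encoded rather than wrapped in new String(...) before it is stored as text.
 */
public class DigestEncodingDemo {

    // Standard Base64 alphabet plus optional padding; note the absence of ' % &.
    private static final Pattern BASE64_ALPHABET = Pattern.compile("[A-Za-z0-9+/]*={0,2}");

    static byte[] sha1(String text) {
        try {
            return MessageDigest.getInstance("SHA-1").digest(text.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    /**
     * The approach the thread warns against: treat the binary digest as text.
     * Byte sequences that are not valid UTF-8 are silently replaced by U+FFFD
     * during decoding, so re-encoding the String does not give the same bytes.
     */
    static boolean roundTripsAsString(byte[] digest) {
        String asText = new String(digest, StandardCharsets.UTF_8);
        return Arrays.equals(digest, asText.getBytes(StandardCharsets.UTF_8));
    }

    /** The recommended approach: Base64 is a reversible binary-to-text encoding. */
    static boolean roundTripsAsBase64(byte[] digest) {
        String encoded = Base64.getEncoder().encodeToString(digest);
        return Arrays.equals(digest, Base64.getDecoder().decode(encoded));
    }

    /** True when the stored form uses only the Base64 alphabet (no quoting needed). */
    static boolean usesOnlyBase64Alphabet(String encoded) {
        return BASE64_ALPHABET.matcher(encoded).matches();
    }

    public static void main(String[] args) {
        byte[] digest = sha1("hunter2"); // constructed sample password
        String encoded = Base64.getEncoder().encodeToString(digest);
        System.out.println("base64(digest)                 : " + encoded);
        System.out.println("new String(byte[]) round-trips : " + roundTripsAsString(digest));
        System.out.println("Base64 round-trips             : " + roundTripsAsBase64(digest));
        System.out.println("only Base64 characters         : " + usesOnlyBase64Alphabet(encoded));
    }
}
```

Comparing passwords then means Base64-encoding the freshly computed digest and comparing that string with the stored one (or decoding the stored one and comparing byte arrays); either way the database only ever sees characters from the Base64 alphabet, so no escaping is required.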
 