encrypt/decrypt with sunjce....help reqd ! Thanks

 
Ranch Hand
Posts: 117
Hi
I am trying to use the JCE package to encrypt/decrypt a password. Can I encrypt the password obtained from the user and store it in the database (in encrypted form) and then later, at any point in time when he signs in, decrypt the encrypted password stored in the db and then validate? I am getting a little confused with how the encrypt/decrypt might work in different Java objects at different times, given that a key is generated while encrypting. Isn't the same key required to decrypt?
I did go through Sun's API reference and samples, but from what I see all the sample code does encryption and decryption with the same key and in the same class. This may not really be the actual requirement. When users sign up, typically, they enter all their information including the password and a profile is created by storing all the data in the db (this is typically in one object). And later, when they try to sign in, we get the userid and password from the db. We do not want anyone to have a crack at these passwords stored in the db, and so when we retrieve them back we will have to validate and let the user in.
Moreover, I tried a sample code but it throws a "java.security.NoSuchAlgorithmException: Algorithm DES not available", which is baffling. I looked at the Sun documentation and they say that DES is supported by the default provider (i.e. SunJCE). Am I missing anything here?
KeyGenerator KG = KeyGenerator.getInstance("DES");
Thanks for all the help
Thanks
Raj
 
Ranch Hand
Posts: 567
This probably isn't going to help because I don't know much about security myself, but:
why don't you store the passwords encrypted in the database?
That way you don't ever have to worry about hackers getting hold of them, you don't have to decrypt the encrypted password from the user, etc.
 
mister krabs
Posts: 13974
if you are going to work with Cryptography then I strongly recommend that you get a copy of this book, Java Cryptography
You must use the same key to encrypt the information as you do to decrypt it. You don't create a new key each time. You create one key and store it somewhere secure on your server.
Your KeyGenerator should work. Did you import sun.misc.* in your program?
 
author
Posts: 3252
Unfortunately I don't have time right now for a detailed reply, but here goes:
  • Regarding the NoSuchAlgorithmException, did you install the SunJCE provider as per the documentation? (i.e. lobbed the jars in jre/lib/ext and updated jre/lib/security/java.security).
  • For optimal security, do not store passwords. Rather, you'd store a secure hash (e.g. MD5 or SHA) of the password. To verify the password, simply calculate the hash of the password typed and compare that with the hash stored in the database. For better security, salt the password (meaning: apply some randomisation, e.g. by appending a few random bytes) and store the salt as well. The advantage of this approach is that if the database is compromised the passwords are still (relatively) safe. The disadvantage is that you cannot e-mail people their passwords if they forget them (but you can give them a new one).
  • If you want to use encryption as opposed to hashing, you will have to use the same secret key for encryption and decryption. Converting keys can be a bit hard though.
  • If you can focus your question a bit more I might be able to offer some more specific help.
Good luck
- Peter (author of the security chapters in Beginning Java Networking)
[ February 04, 2002: Message edited by: Peter den Haan ]
     
raj sekhar
Ranch Hand
Posts: 117
Thank you very much Adam, Thomas and Peter. All of your answers were good leads. I appreciate your help. Meanwhile, I've used the password-based encryption technique of JCE 1.2.1 with salt and iteration. The algorithm by default with 'Sun' is 'PBEWithMD5AndDES'. This provides password protection to retrieve any stored information (both storage and retrieval should use the same salt and iteration). So I stored a 'dummy' string, providing the password, salt and iteration. I decided to validate the returning user by taking in the password and decrypting the 'dummy' string; if 'dummy' is returned the password provided is the correct one, else it's not.

Though this serves my purpose, I would like to know if this is the best way to do it. I opted for this just to stay away from storing keys and getting into a bigger loop. But if this is not a good password protection methodology, I may switch back to storing keys.

But with this method, I can only store a char array in the db and not a string because, due to the nature of strings (reason: immutable, I guess), the conversion of char array to string back and forth causes failure in decryption.

Peter, my specific questions:
1. How strong can the encryption be in this method (though I may increase salt and iteration)?
2. Apart from Sun, are there any other algorithm-providing vendors for password-based encryption?
3. If this method is fine, what is the best way to store a char array in the db: a blob or a lob?
4. If not, which method might you suggest to achieve this in a better way?
5. Difficulties in storing keys if I opt to go with public and private key pairs.
6. Any good resource apart from the Sun site for such topics.
My list of questions may be long, but I will be happy with whatever answers you may have.

I paste here the code that I was explaining above, which makes it easier (hopefully) to know what I was talking about. Though I could have made one single call to compute the key, I have them separate for encryption and decryption because it was just a trial run and I did not make any design decisions.
    import javax.crypto.BadPaddingException;
    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;
    import javax.crypto.spec.PBEParameterSpec;

    class NewerEncrypt {
        // Fixed salt and a tiny iteration count: enough for a trial run, but PBE expects a
        // random per-user salt and a far larger count in real use.
        byte[] salt = {(byte)0xaa,(byte)0xbb,(byte)0xcc,(byte)0xdd,
                       (byte)0x22,(byte)0x44,(byte)0xab,(byte)0x12 };
        int iterations = 10;
        byte[] ciphertext;    // raw bytes; this is what decryptPassword() works from
        String convertedct;   // new String(bytes) is lossy for arbitrary bytes, so never decrypt from this
        String cipherName = "PBEWithMD5AndDES";

        public static void main(String args[]) {
            // args[0]: password used to encrypt; args[1]: password offered at "sign-in"
            NewerEncrypt ne = new NewerEncrypt();
            char[] cArray = args[0].toCharArray();
            char[] cArray1 = args[1].toCharArray();
            ne.encryptPassword(cArray);
            ne.decryptPassword(cArray1);
            //System.out.println("Encrypt/Decrypt calls complete");
        }

        public void encryptPassword(char[] cArray) {
            int mode = Cipher.ENCRYPT_MODE;
            try {
                // Compute the key from the password, salt and iteration count
                PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, iterations);
                PBEKeySpec pbeKeySpec = new PBEKeySpec(cArray);
                SecretKeyFactory keyFac = SecretKeyFactory.getInstance(cipherName);
                SecretKey key = keyFac.generateSecret(pbeKeySpec);
                // Construct the cipher and encrypt the known marker
                Cipher descipher = Cipher.getInstance(cipherName);
                descipher.init(mode, key, pbeParamSpec);
                byte[] bArray = "dummy".getBytes();
                ciphertext = descipher.doFinal(bArray);
                convertedct = new String(ciphertext);
                //System.out.println("Done with encryption, the obtained string is "+
                //                   convertedct);
            }
            catch (Exception e) {
                System.out.println("Caught exception: " + e);
            }
        }

        public void decryptPassword(char[] cArray) {
            int mode = Cipher.DECRYPT_MODE;
            String afterdecrypt = "";
            try {
                // Recompute the key from the offered password with the same salt and iterations
                PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, iterations);
                PBEKeySpec pbeKeySpec = new PBEKeySpec(cArray);
                SecretKeyFactory keyFac = SecretKeyFactory.getInstance(cipherName);
                SecretKey key = keyFac.generateSecret(pbeKeySpec);
                // Construct the cipher and decrypt the stored marker
                Cipher descipher = Cipher.getInstance(cipherName);
                descipher.init(mode, key, pbeParamSpec);
                byte[] newciphertext = descipher.doFinal(ciphertext);
                afterdecrypt = new String(newciphertext);
                //System.out.println("Done with decryption, the obtained string is "+
                //                   afterdecrypt);
                // equals() compares content; the original also tested == "dummy", which compares
                // references and never holds for a freshly built String
                if (afterdecrypt.equals("dummy")) {
                    System.out.println("decryption successful!");
                }
                else {
                    System.out.println("decryption failure. Password after decryption"
                                       + " does not match the one before encryption");
                }
            }
            catch (BadPaddingException e) {
                // A wrong password yields a key whose decryption fails the PKCS#5 padding check
                System.out.println("decryption failure. Wrong password!");
            }
            catch (Exception e) {
                // Anything else (missing provider, bad parameters) is a configuration error, not a wrong password
                System.out.println("Caught exception: " + e);
            }
        }
    }
Thanks once again
Raj
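Raj's marker-decryption check and the String conversion failure he runs into, as an added example that is not code from this thread. It keeps his idea (PBE-encrypt a known marker under the password, decrypt it again at sign-in) and the same legacy PBEWithMD5AndDES algorithm so it stays comparable, but draws a random 8-byte salt per record, stores salt and ciphertext as Base64 text so they survive a String column, lets only a padding failure or a malformed token count as "wrong password" so provider errors stay visible, and shows with a constructed byte array why `new String(bytes)` followed by `getBytes()` does not give the original bytes back. The class name, the `salt$ciphertext` token layout, the iteration count and the sample password are this example's own assumptions. Note that the marker trick is a round-about password hash built on MD5 and single DES; for new code a password hashing KDF such as PBKDF2 is the better fit.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/**
 * Raj's marker-decryption check, made storable as text. Added example, not thread code.
 * Token format "<base64 salt>$<base64 ciphertext>" is this example's own convention.
 */
public final class PbeTokenStore {
    private static final String PBE = "PBEWithMD5AndDES";  // legacy SunJCE algorithm, kept to match the thread
    private static final int ITERATIONS = 1000;            // PBEParameterSpec iteration count (assumed value)
    private static final byte[] MARKER = "dummy".getBytes(StandardCharsets.US_ASCII);
    private static final SecureRandom RNG = new SecureRandom();

    private static Cipher pbeCipher(int mode, char[] password, byte[] salt) throws Exception {
        PBEKeySpec keySpec = new PBEKeySpec(password);
        SecretKey key = SecretKeyFactory.getInstance(PBE).generateSecret(keySpec);
        keySpec.clearPassword();
        Cipher cipher = Cipher.getInstance(PBE);
        cipher.init(mode, key, new PBEParameterSpec(salt, ITERATIONS));
        return cipher;
    }

    /** Sign-up: encrypt the fixed marker under the password and return a text token for the database. */
    public static String createToken(char[] password) throws Exception {
        byte[] salt = new byte[8];                   // PKCS#5 v1.5 PBE, which this algorithm implements, takes an 8-byte salt
        RNG.nextBytes(salt);                         // random per record, so equal passwords give different tokens
        byte[] ciphertext = pbeCipher(Cipher.ENCRYPT_MODE, password, salt).doFinal(MARKER);
        Base64.Encoder enc = Base64.getEncoder();    // Base64 alphabet has no '$', so the separator is safe
        return enc.encodeToString(salt) + "$" + enc.encodeToString(ciphertext);
    }

    /**
     * Sign-in. A wrong password gives either a BadPaddingException or a plaintext that is not
     * the marker; both mean "no". Other exceptions (missing provider, bad parameters) propagate.
     */
    public static boolean checkToken(char[] password, String token) throws Exception {
        String[] parts = token.split("\\$", 2);
        if (parts.length != 2) {
            return false;                            // malformed token
        }
        try {
            Base64.Decoder dec = Base64.getDecoder();
            byte[] salt = dec.decode(parts[0]);
            byte[] ciphertext = dec.decode(parts[1]);
            byte[] plaintext = pbeCipher(Cipher.DECRYPT_MODE, password, salt).doFinal(ciphertext);
            return Arrays.equals(plaintext, MARKER);
        } catch (BadPaddingException | IllegalArgumentException e) {
            return false;                            // wrong password, or token bytes that are not valid Base64
        }
    }

    /** The bug behind "conversion of char array to string back and forth causes failure in decryption". */
    public static boolean survivesStringRoundTrip(byte[] raw) {
        // Bytes that are not valid UTF-8 decode to U+FFFD, so re-encoding yields different bytes.
        byte[] back = new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        return Arrays.equals(raw, back);
    }

    public static void main(String[] args) throws Exception {
        String token = createToken("s3cret".toCharArray());   // constructed sample password
        System.out.println("stored token:   " + token);
        System.out.println("right password: " + checkToken("s3cret".toCharArray(), token));
        System.out.println("wrong password: " + checkToken("s3cret!".toCharArray(), token));

        // Constructed bytes: a lone continuation byte (0x80) and a truncated two-byte sequence (0xc3 0x28).
        byte[] notText = {(byte) 0x80, (byte) 0xc3, (byte) 0x28};
        byte[] viaBase64 = Base64.getDecoder().decode(Base64.getEncoder().encodeToString(notText));
        System.out.println("String round trip keeps bytes: " + survivesStringRoundTrip(notText));
        System.out.println("Base64 round trip keeps bytes: " + Arrays.equals(notText, viaBase64));
    }
}
```

This answers the char-array storage question directly: the ciphertext and salt are opaque bytes, and a text column can hold them only after an explicit byte-to-text encoding such as Base64 or hex; the implicit one performed by `new String(bytes)` depends on the platform charset and silently replaces anything that is not a valid character.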
     
    Something must be done about this. Let's start by reading this tiny ad:
    Thread Boost feature
    https://coderanch.com/t/674455/Thread-Boost-feature
    reply
      Bookmark Topic Watch Topic
    • New Topic