
Question about text encryption/decryption

 
Kerry Friesen
Greenhorn
Posts: 23
Greetings,

I'm writing a small Java application to manage all my online accounts. I wish to store my usernames and passwords securely, so my first thought was to encrypt the contents of the file where the data is saved.

What I don't know is where to safely store the key that will allow me to decrypt the data once I've encrypted it. Would it be safe to save the key to a serialized file on the hard drive?

Another thought was just to use a SHA-1 message digest when reading/writing the file. But would that provide enough security?

Any comments/thoughts/suggestions would be most welcome!

Thanks,
Kerry
 
Tony Morris
Ranch Hand
Posts: 1608
Originally posted by Kerry Friesen:
Greetings,

I'm writing a small Java application to manage all my online accounts. I wish to store my usernames and passwords securely, so my first thought was to encrypt the contents of the file where the data is saved.

What I don't know is where to safely store the key that will allow me to decrypt the data once I've encrypted it. Would it be safe to save the key to a serialized file on the hard drive?

Another thought was just to use a SHA-1 message digest when reading/writing the file. But would that provide enough security?

Any comments/thoughts/suggestions would be most welcome!

Thanks,
Kerry


SHA-1 is a message digest (or "hash") algorithm (or "one-way function"), it is not an encryption algorithm. For storing sensitive data such as passwords, it is certainly useful, since
a) it limits the amount of time that the password is in the clear
b) the actual data is not of value, merely, whether or not it matches.
c) the source document (the password) is practically unobtainable given the hash - this is intrinsic to one-way functions.

For example, I give you my password "abc", which generates a SHA-1 of "xyz". When I create that password, you generate the SHA-1 hash and store it, and the password itself disappears - it is no longer in clear text. When I next attempt to authenticate to your system, I send my password, you generate the SHA-1 hash and assert that it matches your stored hash in order to authenticate successfully. The downside is that the password is not recoverable - if I were to lose my password, I'd require the system to generate me a new one (and it would keep the associated hash).
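The store-and-compare flow described in the post above, as an added Java example that is not part of the original thread (Java 16+ for the record type). The class name `DigestLogin`, the sample users and the per-user random salt are assumptions of this example; the post describes the plain, unsalted digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class DigestLogin {
    // What the system keeps per user: a random salt and the digest, never the password.
    // The salt is an addition of this example, not something the post mentions.
    record Stored(byte[] salt, byte[] digest) {}

    private final Map<String, Stored> users = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final String algorithm; // "SHA-1" as in the post; "SHA-256" also works

    DigestLogin(String algorithm) { this.algorithm = algorithm; }

    private byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Enrolment: hash once, store salt + digest, keep no copy of the clear text.
    void enroll(String user, String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        users.put(user, new Stored(salt, digest(salt, password)));
    }

    // Login: recompute with the stored salt; the only answer is match / no match.
    boolean verify(String user, String attempt) throws NoSuchAlgorithmException {
        Stored s = users.get(user);
        if (s == null) return false; // unknown user
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(s.digest(), digest(s.salt(), attempt));
    }

    public static void main(String[] args) throws Exception {
        DigestLogin db = new DigestLogin("SHA-1");
        db.enroll("tony", "abc"); // constructed sample credentials
        System.out.println("correct password: " + db.verify("tony", "abc"));
        System.out.println("wrong password:   " + db.verify("tony", "abd"));
        System.out.println("unknown user:     " + db.verify("kerry", "abc"));
    }
}
```

Nothing held in `Stored` lets the system hand the original password back, which is the non-recoverability the post describes.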
 
Roseanne Zhang
Ranch Hand
Posts: 1953
Tony:

You are all correct, except that SHA-1, MD5, etc., which were once considered one-way encryption, are no longer safe, since a crack algorithm was developed by a Chinese lady, Dr. Xiaoyun Wang, and her team early this year.

http://www.systemexperts.com/tutors/CryptographicHashUpdate.pdf
 
Roseanne Zhang
Ranch Hand
Posts: 1953
This article only mentioned SHA-0. Actually, high-level encryptions were also cracked later...
 
Darren Horsman
Greenhorn
Posts: 9
If it makes you feel better, use SHA-256 or 512. It doesn't matter if they can be cracked; what is important is how LONG it takes. The average person trying to read your passwords isn't going to wait 50 years for them to decrypt, hoping that the power doesn't go out on his PC or a component doesn't break, causing him to need to start again.

Encryption isn't about stopping people reading data, it is about protecting it until it no longer matters.

Also, saving the data with the private key greatly reduces security. Since I am assuming you are saving passwords to a file because you cannot remember them, the private key protecting the files is not likely to withstand a brute force attack.

The password on the private key WILL fail before the SHA-1 hash does.
[ December 04, 2005: Message edited by: Darren Horsman ]
 
Tony Morris
Ranch Hand
Posts: 1608
Originally posted by Roseanne Zhang:
Tony:

You are all correct, except that SHA-1, MD5, etc., which were once considered one-way encryption, are no longer safe, since a crack algorithm was developed by a Chinese lady, Dr. Xiaoyun Wang, and her team early this year.

http://www.systemexperts.com/tutors/CryptographicHashUpdate.pdf


It is no secret that both MD5 and SHA0 (not SHA1) collisions have been found. It seems this publication is attempting to demonstrate the effects of finding a single collision in a hash algorithm.

I don't see what makes anything not correct - are you suggesting that there exists a hash algorithm that does not have a collision? If so, it is mathematically provable otherwise.
 
Kerry Friesen
Greenhorn
Posts: 23
Originally posted by Tony Morris:


SHA-1 is a message digest (or "hash") algorithm (or "one-way function"), it is not an encryption algorithm. For storing sensitive data such as passwords, it is certainly useful, since
a) it limits the amount of time that the password is in the clear
b) the actual data is not of value, merely, whether or not it matches.
c) the source document (the password) is practically unobtainable given the hash - this is intrinsic to one-way functions.

For example, I give you my password "abc", which generates a SHA-1 of "xyz". When I create that password, you generate the SHA-1 hash and store it, and the password itself disappears - it is no longer in clear text. When I next attempt to authenticate to your system, I send my password, you generate the SHA-1 hash and assert that it matches your stored hash in order to authenticate successfully. The downside is that the password is not recoverable - if I were to lose my password, I'd require the system to generate me a new one (and it would keep the associated hash).


Thanks for your very informative and detailed response, Tony! Given your explanation, I think using the SHA-1 message digest is best suited for my situation.

Cheers,
Kerry
 