• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

IDEA encryption in java.

 
Ranch Hand
Posts: 106
Mac Mac OS X Ruby
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
hey guys, i haven't found a forum for encryption in java, So i must ask for you guys, that have always helped me in java issues.

as we know, java have a Cryptography extension (JCE), and it has probably the tools I need for this.


the fact is that, I need to connect in a database, but this database changes on each costumer that uses my system, and I needed only one class to do it on every costumer.

My solution was creating a txt file named dblogin.cfg, that carry this structure:



but the fact is that I can't leave user and password information like this in the file, because that would make the security of my system to go several steps down.
So I need a (two way?) encrypting algorithm, that can store a encrypted string generated by a public key, that can only be read from a private key, that would be used from my class to read that string, growing the security of the system at all.

Would you guys help me on this "journey"?

What have I already done:
I talked to the developing manager of our system, and he thinks it is a good idea to use IDEA (got it? idea, IDEA ), but I have no notion about how to use it in java.
I've read some parts of this to have the understanding I need to do it, but I got no good results.

anyone?
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The first thought that comes to my mind is: where are you going to keep the encryption keys? You can't keep them in the server, because then the system would no more secure as if you left the config file unencrypted.

The second thought is: Why encrypt the config file at all? Are you trying to protect against external attacks, or untrustworthy insiders? If you have to face either, you likely have bigger problems than them trying to gain access to a DB.

As far as ciphers go, I'd go with a standard one like Triple-DES or AES. The http://faq.javaranch.com/java/SecurityFaq points to example code that uses these.
 
Lucas Franceschi
Ranch Hand
Posts: 106
Mac Mac OS X Ruby
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
well ulf, i dont need to encrypt the cfg file, and i also don't expect attackers to try accessing my DB, i just dont want the user to have its informations exposed like that, so I may need to encrypt only the user and password strings, to that instead of the user and password, there would be an encrypted string, that could only be decrypted with a private key I would use in the java program, i'm not trying to prevent my program for hackers and other attackers, i just dont want the user to have its informations exposed that way, any encrypting here would make the user happy by having the security feeling with the program.

untrustworthy insiders (its difficult to write untrustworthy when you're brazillian).
only the managers of the costumer company will use it, and some of they're employees, and what I thought was that, if one of this people start looking at the system directory, only roaming there, and sees that the user and password is there, it will probably take advantage of it, but if the same situation happens, and the user and pass are encrypted, it will only close the file and continue to roam, understood? i dont think anyone would start to search the system for security failures, but if anyone sees such an evident failure, this person will get inspired to try something, and that woud not be nice.

i dont think that there would be any attacker trying to access the company database, only if it is an employee that have million af dollars of bills with the company, but that would not be a brobable thing to happen....

...so?
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Ah, so this is a desktop application? I was assuming a server application.

I'd say if there is a notion of a user account with password, then the user should enter the password whenever she wishes to access the application. (Needless to say the password should not be written down anywhere.) You can make it easier for the user by storing the last used username somewhere in a file, and defaulting the username input field with that. That way the user only has to enter the password, not the username.
 
Lucas Franceschi
Ranch Hand
Posts: 106
Mac Mac OS X Ruby
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
it is a desktop application, it is a text-interface dataflex program that will execute this class

but I need to connect on the database, so that i'll need a user and password for the database, not for the user.

it is information that will be defined one time on the system, and will be used everytimie to connect to the database.

but that's not the question here, what I really need to know is about the encryption part, how can I read a encrypted string, what key must I have and how can I do it?
The algorithm used in the encryption is not important, also I wanted to know what algorithm you guys think I should use.

and also, I started some researches about how to use google's keyczar, anyone here have always used it?

now that i'm in this security forum, anyone else?
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The standard Java API for encryption is called JCE; an introduction using the AES cipher is at http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html Just replace "AES" by "IDEA". IDEA may have different key lengths, though, but I'm sure Wikipedia can tell you which ones those are.

That doesn't make the question go away, though: now that the password is encrypted, how will the encryption key be stored?
 
Lucas Franceschi
Ranch Hand
Posts: 106
Mac Mac OS X Ruby
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
well, regarding that all i want is not to directly show the database information for the user, i'm thinking of using base64, it dont use keys, and have a simple use, anyone that wants to see the information will see, but not directly. maybe using base64 can be a good thing, thinking that the simplest solutions are sometime the best ones.
am I right?
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In general, simple is good, but only if it satisfies the requirements. It may be that using base-64 does that in the scenario you describe, but from a security point of view I think it's the worst of both worlds: it gives the illusion of security while providing no actual security.
 
reply
    Bookmark Topic Watch Topic
  • New Topic