File Encryption

 
Ranch Hand
Posts: 34
Hi

I am working on Solaris.

My application goes like this:

I take inputs from the user. These inputs include username, password and other information.
I am using shell scripting to do all this.

So in this case I am storing the password in clear text format.

How can I encrypt this file using a shell script? And then, when I require these inputs, I can decrypt the file, read the inputs and then encrypt it again.

sumit



 
Rancher
Posts: 4803
It's very bad security to store passwords in the clear in a file, and it's not all that good of an idea to store them in a file using encryption. For the past couple of decades, the accepted approach is to push the passwords through a one-way hash and store only the hash, not the passwords.

When the user enters a password, you hash it with the same algorithm and constants, and consider it a match when you get the same hash as you have stored.

The big win with this is that if the bad guy gets the file, they don't get all the passwords at once.

The downside is that you can never tell the user what their password is. This means that your customer support says "no, I can't give you your password, but I can give you a new one, or reset yours so that you can login, and then you change it to something that I don't know."
 
sumit mathur
Ranch Hand
Posts: 34
Hey

My main concern is that I need the passwords at the time of running my application at various stages. I am collecting passwords related to the database, and a username and password related to some other application, which I need to access at the time of running my application.

My main objective is that I don't want to store the password in clear text.
 
Pat Farrell
Rancher
Posts: 4803

sumit mathur wrote: My main concern is that I need the passwords at the time of running my application at various stages. I am collecting passwords related to the database, and a username and password related to some other application, which I need to access at the time of running my application.

My main objective is that I don't want to store the password in clear text.



Fine, but your objective is not sufficient.

I suggest you look at Single Sign-on solutions.

Storing passwords is a huge security risk. Make sure that whoever is giving you the requirements understands this.
 
sumit mathur
Ranch Hand
Posts: 34
How will single sign-on work while creating a database?

I am using an Oracle database.

I am collecting the password related to the database; then, during my application installation, I am creating the database using this username and password.

How will I deal with this issue?
 
Pat Farrell
Rancher
Posts: 4803
I'm sorry, I don't understand what you are doing.

For the connection between your application and an RDBMS (say Oracle) you need to put the userid and password for the connection in a property file.

There is not a lot of point in encrypting it, it has to be stored somewhere. If you want, you can write a separate program to encipher the password, but then you have to have the decipher key in your code to process it, so you defeat the point.

If you are having your application log into some other application that needs a userid and password, then that is when you use a Single Sign-on approach. Otherwise, you have to go back to the same chicken and egg problem above.
 
sumit mathur
Ranch Hand
Posts: 34
Pat

Ya, I need to have the username and password in a property file.

That's why I thought of just storing the password in some file and encrypting that file, with only the root user having permission to decrypt it.

So what could be the best approach to go ahead with it?

To be frank, I have no knowledge about encrypting and decrypting the password.
 
Pat Farrell
Rancher
Posts: 4803

sumit mathur wrote: That's why I thought of just storing the password in some file and encrypting that file, with only the root user having permission to decrypt it.

To be frank, I have no knowledge about encrypting and decrypting the password.



And how do you plan to make sure that only the "root user" can do this? If you rely upon Unix login/file access privs, then you are going to require that your application run as the root user. This is a very, very bad idea.


Let's start at the beginning. To encrypt some text, you need (1) an algorithm and a (2) key and the (3) text.

The Java JCE provides implementations of all the usual algorithms, pick one, say AES-128. This is (1).

You can read the cleartext (3) from a file, or have a user enter it from a keyboard, etc. So you now have (1) and (3).

The question is, where do you get the key (2)?

If you hard code the key (2) in your Java code, anyone who looks at the code finds your key, and security is gone. Worse if there are multiple people with access to your code, say in a corporate SVN/CVS repository.

If you store the key (2) in a file, then anyone can look at the file and get the key, and security is gone.

So you are back to securely storing the key, which is essentially the same problem as securely storing the password. You can think of them as being exactly the same problem.

So all this security and cryptography stuff has taken a lot of time to write, document and test, can contain subtle bugs, and has not improved security.
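The three ingredients from the post above (algorithm, key, text) put together with the JCE, as an added example that is not part of the original thread. It shows that a password encrypted with AES-128 is recovered by any process that can read the key file, so the key file ends up needing the same owner-only protection as the clear-text file. The class name, file names and sample password are constructed, GCM mode is this example's choice, and a POSIX file system is assumed.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Arrays;

public class KeyStorageDemo {
    static final int IV_BYTES = 12, TAG_BITS = 128;
    // (1) algorithm + (2) key + (3) text -> IV || ciphertext+tag
    static byte[] encrypt(SecretKey key, byte[] clear) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);            // fresh IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(clear);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("keydemo");
        Path keyFile = dir.resolve("app.key");            // hypothetical file names
        Path encFile = dir.resolve("db.password.enc");
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                                     // AES-128, as in the post
        SecretKey key = kg.generateKey();
        Files.write(keyFile, key.getEncoded());           // the key has to live somewhere
        // Owner-only access: the same control the clear-text file would have needed.
        Files.setPosixFilePermissions(keyFile, PosixFilePermissions.fromString("rw-------"));
        Files.write(encFile, encrypt(key, "constructed-db-pass".getBytes(StandardCharsets.UTF_8)));
        // Whoever can read both files recovers the password.
        SecretKey loaded = new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
        byte[] clear = decrypt(loaded, Files.readAllBytes(encFile));
        System.out.println(new String(clear, StandardCharsets.UTF_8));
    }
}
```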
 
sumit mathur
Ranch Hand
Posts: 34
Pat

Then how do things work in the corporate world... regarding security of the password and security key?

 
Pat Farrell
Rancher
Posts: 4803

sumit mathur wrote: Then how do things work in the corporate world... regarding security of the password and security key?



Again, you must be more specific so we can help.

What, exactly, are you worried about? What is the use case that you are addressing?

This is a serious problem, and there are some seriously expensive solutions that can be used. But without more details, I can't address them.
 