
Any suggestion for encrypting a password (String)?

 
mak zoe
Greenhorn
Posts: 8
I am working on a class which needs a method for encrypting a password, which is a String, as it will be sent to a servlet. I need to make sure the password is encrypted so that people may not know the exact password even if something bad happens during the transmission.

What I need is just simple, simple and simple; a short method is needed.
I am thinking of multiplying the string by a constant and dividing it back for decryption....

Any suggestion?
Or any similar method shown on the net?

Thanks~!
 
Kunal Mittal
Greenhorn
Posts: 2
Hey, I am new to the forum, but I am using a method to encrypt and decrypt a string in Java. So I can surely send it to you.
 
shivendra tripathi
Ranch Hand
Posts: 263
Why don't you use BASE64Encoder and BASE64Decoder classes?
 
Campbell Ritchie
Sheriff
Pie
Posts: 49433
62
Kunal Mittal, please don't ask people to contact you privately. I have deleted your e-mail address (I hope you don't mind, Rob, Jesper, Robert) so all discussion can be where everybody can take part. It will also reduce the risk of spammers picking up your address.
 
Rob Spoor
Sheriff
Pie
Posts: 20550
57
Chrome Eclipse IDE Java Windows
shivendra tripathi wrote:Why don't you use BASE64Encoder and BASE64Decoder classes?

Because that's not proper encrypting; anyone who has a Base64 decoder can decode the "encrypted" string without even needing a key. javax.crypto.Cipher is a better option. I always use it in combination with the Blowfish algorithm.

Campbell Ritchie wrote:I have deleted your e-mail address (I hope you don't mind, Rob, Jesper, Robert)

I was just going to do that myself, but when I pressed reply it was already gone.
 
David Newton
Author
Rancher
Posts: 12617
IntelliJ IDE Ruby
Or just use HTTPS.

But any trivial encryption, particularly when the output of the algorithm makes it obvious what was used, is just that: trivial, and should not be relied upon to provide anything approaching "secure".
 
Jesper de Jong
Java Cowboy
Saloon Keeper
Pie
Posts: 15369
40
Android IntelliJ IDE Java Scala Spring
mak zoe wrote:I am thinking of multiplying the string by a constant and dividing it back for decryption....

Any hacker who seriously wants to get to the password will break anything as simple as that very quickly.
 
Manish Singh
Ranch Hand
Posts: 160
Use the HTTPS protocol.
 
Campbell Ritchie
Sheriff
Pie
Posts: 49433
62
Rob Prime wrote: . . . I was just going to do that myself . . .
You mean I managed to do something before you?
 
Rob Spoor
Sheriff
Pie
Posts: 20550
57
Chrome Eclipse IDE Java Windows
You sure did!
 
Charles Bradley
Ranch Hand
Posts: 32
Here is an approach that usually, but not always, works well. It is always quite secure, but the method of handling a forgotten password might make it not the best approach in some applications. Use a hash function that cannot be undone, often called a trapdoor function. The server stores the hash. The client applies the same hash function to the password. If the hash matches the stored hash, the password was correct. The password was never in the clear.
When the user forgets the password, the system assigns a new password and sets a bit requiring the user to change it on the next use. Secure Sockets Layer protects the password in transit, and this approach protects it against bad guys that break into the server.
 
mak zoe
Greenhorn
Posts: 8
Rob Prime wrote:
shivendra tripathi wrote:Why don't you use BASE64Encoder and BASE64Decoder classes?

Because that's not proper encrypting; anyone who has a Base64 decoder can decode the "encrypted" string without even needing a key. javax.crypto.Cipher is a better option. I always use it in combination with the Blowfish algorithm.

Hey Rob,
What is special about using Blowfish?
What are the differences and advantages over the other algorithms?
 
Rob Spoor
Sheriff
Pie
Posts: 20550
57
Chrome Eclipse IDE Java Windows
Blowfish is a proven encryption algorithm that allows both encryption and decryption. That means that, unlike MD5 and other hashing algorithms, you can get the original value back if you have the right key. There are others like that (I believe AES is one), but when I needed one I found Blowfish first, and never needed anything else.
 
David Newton
Author
Rancher
Posts: 12617
IntelliJ IDE Ruby
And let's face it: "Blowfish" is just a *cool* name for an algorithm.
 
Jelle Klap
Bartender
Posts: 1952
7
Eclipse IDE Java
David Newton wrote:And let's face it: "Blowfish" is just a *cool* name for an algorithm.


And that should always be the most important criterion when picking... anything.
Which is why I prefer Serpent over Blowfish and, let's face it, why we're all Java developers, because no programming language or platform could possibly top that name.
Although I always kind of missed the letter 'X' in there somewhere, until JavaFX anyway. The letter 'X' always instantly boosts coolness, and should be used as often as possible.
Been thinking about working it into my name, actually.
 
Henry Wong
author
Marshal
Pie
Posts: 21212
81
C++ Chrome Eclipse IDE Firefox Browser Java jQuery Linux VI Editor Windows
Rob Prime wrote:... but when I needed one I found Blowfish first, and never needed anything else.



I mix them up... when I need one, initially I try to find a new one, or now, because I have done many, I randomly pick one of the known strong algorithms.

Why? I am paranoid. And if an algorithm gets broken, I like to mitigate the work that I need to do to go back and fix the broken ones. And changing an algorithm after the application has stored tons and tons of keys in a database is not simple.

Henry
 
mak zoe
Greenhorn
Posts: 8
As I am actually sending the encrypted password through the input stream using the HTTPConnection,
how can I handle the byte[] using read()?

Poor student with poor programming knowledge :(
 
Pat Farrell
Rancher
Posts: 4678
7
Linux Mac OS X VI Editor
mak zoe wrote:As I am actually sending the encrypted password through the input stream using the HTTPConnection,
how can I handle the byte[] using read()?

This is a really bad idea. You should send text over HTTP unless you know what you are doing.

If you insist on doing your own crypto, which I strongly recommend that you do not attempt, then you have to take the user-entered String and convert it to a byte[], because all known crypto algorithms are defined on arrays of octets, which are essentially byte[].
Then you run the crypto algorithm, which yields another array of byte values, which you need to convert to easy-to-read and easy-to-transmit text using MIME encoding.

 
mak zoe
Greenhorn
Posts: 8
What is MIME?
Would you mind explaining it more practically?

Is there no way to read a byte[] using HTTPConnection?
 
Pat Farrell
Rancher
Posts: 4678
7
Linux Mac OS X VI Editor
You need to do more research. MIME is a way to encode (not encrypt) binary data as text. Google for it.

Yes, technically one can read and write binary over HTTP, but I do not recommend it to folks who don't understand a fair amount of the details. Your questions indicate that you need more research and experience before I would feel comfortable getting into details. This is not for folks just learning the basics.
 
mak zoe
Greenhorn
Posts: 8
Do you mean that I need to...
first get the string from the user,
then do the crypto algorithm,
then convert it using MIME,
then send the MIME encoding?
And then on the receiver side, do it the other way round?
 
Pat Farrell
Rancher
Posts: 4678
7
Linux Mac OS X VI Editor
mak zoe wrote:Do you mean that I need to...

Close, but check what was posted up-thread more carefully.

first get the string from the user,
then convert the String to a byte[] array,
then do the crypto algorithm,
then convert it using MIME,
then send the MIME encoding?
And then on the receiver side, do it the other way round?

Fun, right? That is why other folks up-thread suggested that you use HTTPS or SSL (which are the same thing).

Worse, the point of any crypto algorithm is to take a bunch of bytes and make them look like garbage. This is what it does when it works properly. There is no way to debug it. The only real test is to do the front process, then do the receiving side, and make sure that you get what you sent. The problem is that any errors along the way will take what you start with and make it look like binary garbage.
 