Any suggestions for encrypting a password (String)?

I am working on a class, which needs a method for encrypting a password, which is a String, as it will be sent to a servlet. I need to make sure the password is encrypted so that people may not know the exact password even if something bad happens during the transmission.

What I need is just simple, simple and simple, a short method is needed.
I am thinking of multiplying the string with a constant and dividing it back for decryption....

Any suggestion?
Or any similar method shown on the net?

Thanks~!

Hey, I am new to the forum, but I am using a method to encrypt and decrypt a string in Java. So I can surely send it to you.

Why don't you use BASE64Encoder and BASE64Decoder classes?

Kunal Mittai, please don't ask people to contact you privately. I have deleted your e-mail address (I hope you don't mind, Rob, Jesper, Robert) so all discussion can be where everybody can take part. And also it will reduce the risk of spammers picking up your address.
 

shivendra tripathi wrote: Why don't you use BASE64Encoder and BASE64Decoder classes?


Because that's not proper encrypting; anyone who has a Base64 decoder can decode the "encrypted" string without even needing a key. javax.crypto.Cipher is a better option. I always use it in combination with the Blowfish algorithm.

Campbell Ritchie wrote:I have deleted your e-mail address (I hope you don't mind, Rob, Jesper, Robert)


I was just going to do that myself, but when I pressed reply it was already gone.

Or just use HTTPS.

But any trivial encryption, particularly when the output of the algorithm makes it obvious what was used, is just that: trivial, and should not be relied upon to provide anything approaching "secure".
 

mak zoe wrote: I am thinking of multiplying the string with a constant and dividing it back for decryption....


Any hacker who seriously wants to get to the password will break anything as simple as that very quickly.

Use the HTTPS protocol.
 

Rob Prime wrote: . . . I was just going to do that myself . . .

You mean I managed to do something before you?

You sure did!

Here is an approach that usually, but not always, works well. It is always quite secure, but the method of handling a forgotten password might make it not the best approach in some applications. Use a hash function that can not be undone, often called a trapdoor function. The server stores the hash. The client applies the same hash function to the password. If the hash matches the stored hash, the password was correct. The password was never in the clear.
When the user forgets the password the system assigns a new password and sets a bit requiring the user to change it on the next use. Secure Socket Layer protects the password in transit, and this approach protects it against bad guys that break into the server.
 

Rob Prime wrote:

shivendra tripathi wrote: Why don't you use BASE64Encoder and BASE64Decoder classes?

Because that's not proper encrypting; anyone who has a Base64 decoder can decode the "encrypted" string without even needing a key. javax.crypto.Cipher is a better option. I always use it in combination with the Blowfish algorithm.

Hey Rob,
What is special about using Blowfish?
What are the differences and advantages over the other algorithms?

Blowfish is a proven encryption algorithm that allows both encryption and decryption. That means that, unlike MD5 and other hashing algorithms, you can get the original value back if you have the right key. There are others like that (I believe AES is one) but when I needed one I found Blowfish first, and never needed anything else.

And let's face it: "Blowfish" is just a *cool* name for an algorithm.
 

David Newton wrote: And let's face it: "Blowfish" is just a *cool* name for an algorithm.



And that should always be the most important criterion when picking...anything.
Which is why I prefer Serpent over Blowfish and let's face it, which is why we're all Java developers, because no programming language or platform could possibly top that name.
Although I always kind of missed the letter 'X' in there, somewhere, until JavaFX anyway. The letter 'X' always instantly boosts coolness, and should be used as often as possible.
Been thinking about working it into my name, actually.
 

Rob Prime wrote: ... but when I needed one I found Blowfish first, and never needed anything else.




I mix them up... when I need one, initially I try to find a new one -- or now, because I have done many, randomly pick one of the known strong algorithms.

Why? I am paranoid. And if an algorithm gets broken, I like to mitigate the work that I need to do, to go back and fix the broken ones. And changing an algorithm, after the application has stored tons and tons of keys into a database, is not simple.

Henry

As I am actually sending the encrypted password through the inputstream using the HTTPConnection.
How can I handle the byte[] using read()?

poor student with poor programming knowledge:(
 

mak zoe wrote: as I am actually sending the encrypted password through the inputstream using the HTTPConnection.
How can I handle the byte[] using read()?


This is a really bad idea. You should send text over HTTP unless you know what you are doing.

If you insist on doing your own crypto, which I strongly recommend that you do not attempt, then you have to take the user entered String, and convert it to a byte[] because all known crypto algorithms are defined on arrays of octets, which are essentially byte[].
Then you do the crypto algorithm, which yields another array of byte values, which you need to convert to easy to read and transmit text using MIME encoding.

What is MIME?
Would you mind explaining it more practically?

Is there no way to read byte[] using HTTPConnection, is there?

You need to do more research. MIME is a way to encode (not encrypt) binary data as text. Google for it.

Yes, technically one can read and write binary over HTTP, but I do not recommend it to folks who don't understand a fair amount of the details. Your questions indicate that you need more research and experience before I would feel comfortable getting into details. This is not for folks just learning the basics.

Do you mean that I need..
first get the string from user
then do the crypto algorithm
then convert it using MIME
then send the MIME encoding?
and then from the receiver side, do it the other way round?
 

mak zoe wrote: do you mean that I need..



Close, but check what was posted up thread more carefully.

first get the string from user
then convert String to byte[] array
then do the crypto algorithm
then convert it using MIME
then send the MIME encoding?
and then from the receiver side, do it the other way round?

Fun, right? That is why other folks upthread suggested that you use HTTPS or SSL (which are the same thing).

Worse, the point of any crypto algorithm is to take a bunch of bytes and make them look like garbage. This is what it does when it works properly. There is no way to debug it. The only real test is to do the front process, and then do the receiving side and make sure that you get what you sent. The problem is that any errors along the way will take what you start with and make it look like binary garbage.
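
The sequence listed in the post above (String, then byte[], then cipher, then text encoding, and the reverse on the receiver), as an added Java example that is not code from the thread. It assumes AES-GCM through javax.crypto.Cipher, java.util.Base64 for the text-encoding step, and a key both sides already share; class and method names are hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration; class and method names are hypothetical.
public class RoundTripDemo {
    static final int IV_LEN = 12, TAG_BITS = 128; // usual AES-GCM sizes

    // Sender: String -> byte[] -> cipher -> Base64 text
    static String encryptToText(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] msg = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(msg);
    }

    // Receiver: Base64 text -> byte[] -> cipher -> String
    static String decryptFromText(SecretKey key, String text) throws Exception {
        byte[] msg = Base64.getDecoder().decode(text);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, msg, 0, IV_LEN));
        return new String(c.doFinal(msg, IV_LEN, msg.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // assumption: both sides already share this key
        String password = "correct horse battery"; // constructed sample input
        String wire = encryptToText(key, password);
        System.out.println("round trip ok: " + password.equals(decryptFromText(key, wire)));

        // A damaged message is rejected instead of decrypting to garbage.
        byte[] damaged = Base64.getDecoder().decode(wire);
        damaged[damaged.length - 1] ^= 1;
        try { decryptFromText(key, Base64.getEncoder().encodeToString(damaged)); }
        catch (AEADBadTagException e) { System.out.println("tampering detected"); }
    }
}
```

With an authenticated mode such as GCM, a corrupted or altered message surfaces as an exception on the receiving side, which makes the round-trip test described above easier to interpret.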