Hi,
I have been doing some research on how to encrypt/decrypt data for a J2EE application running in a JBoss server. It seems that there is a mountain of information dealing with encrypting data to be sent over the wire and decrypted by other applications. What I am really interested in is encrypting sensitive data to be stored by my application.
My passwords are stored using the MD5 one-way hashing algorithm. This is working fine.
I am using the Bouncy Castle Provider to store encrypted data on a database and decrypt this data when it is retrieved. I am using Password-Based Encryption (PBEWithSHAAnd3KeyTripleDES) to accomplish this.
This all works great, but my problem is that I have to store a password somewhere that is accessible by my application but cannot be viewed by hackers. The only solution that I have seen so far is to store an encrypted password in a file on my server. When I need the password I will have code to decrypt the password.
With this solution, if a hacker gets access to the database data, the password decryption code and the file with the encrypted password he will be able to break into my sensitive data.
Does anybody have experience with storing a private password in a JBoss application and retrieving it programmatically with Java?
Thanks for any help in this area.
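The following is an added example, not code from the poster or from Bouncy Castle, showing one way to keep the encryption secret out of the database and out of the deployed application: the master passphrase is read at startup from an environment variable or from a file outside the WAR that only the JBoss service account can read, a key is derived from it once with PBKDF2, and each stored field is encrypted with AES-GCM under that key. The environment variable name `APP_MASTER_PASSPHRASE`, the system property `app.master.passphrase.file`, the path `/etc/myapp/master.key`, the salt string and the sample field value are all assumptions made up for this example; the JDK's PBKDF2 and AES-GCM are used here in place of the PBEWithSHAAnd3KeyTripleDES scheme mentioned in the post.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class FieldCrypto {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12, TAG_BITS = 128, PBKDF2_ITERATIONS = 200_000;
    // Application-wide salt (constructed value): it is not secret, it only has to stay fixed
    // so that the same key is derived from the passphrase on every start.
    private static final byte[] APP_SALT = "myapp-field-key-salt-v1".getBytes(StandardCharsets.UTF_8);

    private final SecretKey key;

    // Derive the AES key once from the passphrase; the passphrase itself is never stored by the app.
    FieldCrypto(char[] passphrase) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        PBEKeySpec spec = new PBEKeySpec(passphrase, APP_SALT, PBKDF2_ITERATIONS, 256);
        try {
            key = new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword();
        }
    }

    // Hypothetical secret sources: an environment variable set for the JBoss process, or a file
    // outside the deployment that is owned by the service account and readable only by it.
    static char[] loadMasterPassphrase() throws Exception {
        String fromEnv = System.getenv("APP_MASTER_PASSPHRASE"); // assumed variable name
        if (fromEnv != null && !fromEnv.isEmpty()) return fromEnv.toCharArray();
        String fileName = System.getProperty("app.master.passphrase.file", "/etc/myapp/master.key"); // assumed
        byte[] raw = Files.readAllBytes(Paths.get(fileName));
        return new String(raw, StandardCharsets.UTF_8).trim().toCharArray();
    }

    // Stored layout: base64(iv || ciphertext || GCM tag). A fresh random IV per record is required for GCM.
    String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Decrypt a stored value; the GCM tag check makes doFinal throw AEADBadTagException if the
    // database row was modified, so tampering is detected rather than silently decrypted to garbage.
    String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] iv = Arrays.copyOfRange(in, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(in, IV_LEN, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] pass = loadMasterPassphrase();
        FieldCrypto crypto = new FieldCrypto(pass);
        Arrays.fill(pass, '\0'); // scrub the passphrase once the key has been derived
        String stored = crypto.encrypt("4111-1111-1111-1111"); // constructed sample field value
        System.out.println("value to store in DB: " + stored);
        System.out.println("recovered:            " + crypto.decrypt(stored));
    }
}
```

The design point is separation of the secret from the data it protects: a copy of the database, or of the WAR, is not enough on its own to recover the fields, and the passphrase file can be locked down with ordinary file permissions (for example mode 0400, owned by the account JBoss runs as). It does not change the situation the post already describes, where an intruder has both the database and full read access to the server and the code: at that point the only remaining protections are keeping the secret off that host entirely (an HSM or an external key service) and detecting the reads, for example by alerting on any access to the passphrase file by a process other than the application server.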