mmarschall

asked on

Cipher Passwords using JCE 1.2??

I want to store user passwords for my application in a text file. The passwords have to be stored encrypted. How can I do this? I tried it with JCE 1.2 but I don't know what to do exactly.

I want to be able to cipher a password and save the encrypted version in a text file.
I also want to be able to check whether a user gave a correct password. Therefore I want to read the encrypted password and encrypt the password given by the user, too. Then I want to see if the two encryptions are the same. Is this the right approach? Or what other possibilities are there to do a password check against an encrypted password?

Matthias

yoni99

Well...
If you want to store the passwords but you are afraid someone might steal the file and use the passwords, you can save only their "message digest" values.
A message digest works like a one-way hash code: it transforms any given byte array (of any length) into a 16 or 20 byte value (depending on which algorithm you are using) which is unique for this byte array. One cannot reverse the process (extract the original byte array from the message digest value).
When a user gives you his password you calculate the message digest of the password he entered and compare it to the message digest in the file. In this way even if the file is stolen no one will be able to use it... he will only have the message digest values, not the actual passwords needed.
There are ways to make it more secure, but I suggest you start with this one and see how it works.
You don't need the JCE for calculating message digests. This is a small example of how to use it:

the imports are
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

and the code is
    String password="password";
    byte[] digest=null;
    try {
      // "SHA" is the JDK alias for SHA-1; the digest is 20 raw bytes
      MessageDigest sha=MessageDigest.getInstance("SHA");
      digest=sha.digest(password.getBytes());

    } catch (NoSuchAlgorithmException nsae) {
      System.out.println("SecurityDeployer <1> (NoSuchAlgorithmException): " + nsae);
    }

You only save the digest value on file !!!
Did it help ???
mmarschall

ASKER

Thanks for the answer. I hope to have time to try it this week. Please give me some time. Thanks!
Feel free to ask whatever you need.
Thanks a lot. I really appreciate your help very much. I only have to find some time...
I added a System.out.println(digest) to your code. Every time I run the program, the digest is different. How will this work with storing the digest in a file if the calculated digest for one and the same string is different every time I call the program?
I tried it with storing the digest in a file. This is the code:

import java.security.MessageDigest;
import java.io.*;

public class SavePassword {
    public static void main(String[] argv) {
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA");
            byte[] digest = sha.digest(argv[0].getBytes());
            System.out.println("The digest: '" + digest + "'");
            PrintWriter p = new PrintWriter(new FileWriter("passwd.txt"));
            p.print(digest);
            p.close();
        } catch (Exception e) {
            System.err.println(e.getClass().getName() + ": " + e.getMessage());
        }
    }
}

The validating class is:

import java.security.MessageDigest;
import java.io.*;

public class ValidatePassword {
    public static void main(String[] argv) {
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA");
            byte[] digest = sha.digest(argv[0].getBytes());
            System.out.println("The digest: '" + digest + "'");
            FileReader f = new FileReader("passwd.txt");
            String storedDigest = "";
            int num = 0;
            char[] chars = new char[100];
            while (num != -1) {
                num = f.read(chars);
            }
            storedDigest = new String(chars);
            System.out.println("storedDigest: '" + storedDigest + "'");
            if (storedDigest.equals(digest)) {
                System.out.println("VALID");
            } else {
                System.out.println("NOT VALID");
            }
        } catch (Exception e) {
            System.err.println(e.getClass().getName() + ": " + e.getMessage());
        }
    }
}

But it always says NOT VALID. See my comment above.

What to do?
I reject this in hope for help with the previously posted code. It doesn't work the way I implemented it according to your answer.
I hope you can help me!
The digest byte array contains bytes, not ascii chars. When you print it you get something that looks like [B@65819ef5, this is not the actual value, it is the object representation. If you want to see the bytes and check they are consistent with the password you should print the bytes in a loop:

      for(int i=0; i<digest.length; i++) {
        System.out.println("digest["+i+"]: " + digest[i]);
      }

Also, you should save it to the file without using the PrintWriter, which converts the bytes into chars; make sure you keep the values unchanged.

I don't have the time right now, but if you can wait I think I can give you a working example in a day.
If you can't wait you are welcome to make the appropriate changes.
It works now using a FileOutputStream and a FileInputStream. Thanks.
My last problem is now how to store usernames and passwords in the same file and how to parse the byte[]s I get. I planned to use a properties file for storing usernames and passwords. But this should not be possible because of the conversions made. How to do this?
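The following is an added example, not code from either poster, that puts the pieces of this thread together: digest the password, keep the digest bytes unchanged (here by hex-encoding them instead of writing a byte[] through a PrintWriter), compare the stored and freshly computed digests, and keep several usernames in one ordinary text file, one "username:salt:digest" line per user. It goes a step beyond the answer above by adding a random per-user salt (one of the "ways to make it more secure") and by comparing with MessageDigest.isEqual, which does not leak timing information. The class name PasswordStore, the file name passwd.txt and the sample user are my own choices.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;

public class PasswordStore {
    private static final SecureRandom RNG = new SecureRandom();

    // "SHA" in the thread is the JDK alias for SHA-1; the salt is mixed in before the password.
    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest sha = MessageDigest.getInstance("SHA-1");
        sha.update(salt);
        // Fix the charset so the same password gives the same bytes on every platform.
        return sha.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Hex encoding keeps every digest byte intact in a text file (a PrintWriter would not).
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    // Reads "user:saltHex:digestHex" lines into a map of user -> {saltHex, digestHex}.
    static Map<String, String[]> load(File file) throws IOException {
        Map<String, String[]> entries = new LinkedHashMap<>();
        if (!file.exists()) return entries;
        try (BufferedReader r = new BufferedReader(new FileReader(file))) {
            String line;
            while ((line = r.readLine()) != null) {
                String[] parts = line.split(":", 3);
                if (parts.length == 3) entries.put(parts[0], new String[] { parts[1], parts[2] });
            }
        }
        return entries;
    }

    static void save(File file, Map<String, String[]> entries) throws IOException {
        try (PrintWriter w = new PrintWriter(new FileWriter(file))) {
            for (Map.Entry<String, String[]> e : entries.entrySet())
                w.println(e.getKey() + ":" + e.getValue()[0] + ":" + e.getValue()[1]);
        }
    }

    // Creates or replaces the entry for a user; only salt and digest reach the file.
    static void setPassword(File file, String user, String password)
            throws IOException, NoSuchAlgorithmException {
        if (user.contains(":")) throw new IllegalArgumentException("':' is the field separator");
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Map<String, String[]> entries = load(file);
        entries.put(user, new String[] { toHex(salt), toHex(digest(salt, password)) });
        save(file, entries);
    }

    // Recomputes the digest with the stored salt and compares it in constant time.
    static boolean check(File file, String user, String password)
            throws IOException, NoSuchAlgorithmException {
        String[] entry = load(file).get(user);
        if (entry == null) return false;   // unknown user
        byte[] expected = fromHex(entry[1]);
        byte[] actual = digest(fromHex(entry[0]), password);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] argv) throws Exception {
        File file = new File("passwd.txt");           // example file name
        setPassword(file, "matthias", "secret");       // constructed sample user
        System.out.println("right password: " + check(file, "matthias", "secret"));
        System.out.println("wrong password: " + check(file, "matthias", "wrong"));
    }
}
```

Because the file holds only salts and digests, losing it does not hand out the passwords themselves; the salt additionally means two users with the same password get different lines, and a precomputed table for unsalted SHA-1 is useless against it. The same "user:salt:digest" line format could be written into a Properties file as well, since the hex strings contain no characters that need escaping.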
ASKER CERTIFIED SOLUTION
yoni99

Thanks for answering my question to the last tiny detail. You really helped me a lot. Thanks.