Cipher Passwords using JCE 1.2??

I want to store user passwords for my application in a text file. The passwords have to be stored encrypted. How can I do this? I tried it with JCE 1.2 but I don't know what to do exactly.

I want to be able to cipher a password and save the encrypted version in a text file.
I also want to be able to check whether a user gave a correct password. Therefore I want to read the encrypted password and encrypt the password given by the user, too. Then I want to see if the two encryptions are the same. Is this the right approach? Or what other possibilities are there to do a password check against an encrypted password?

Matthias

mmarschallAsked:

yoni99Commented:
Well...
If you want to store the passwords but you are afraid someone might steal the file and use the passwords, you can save only their "message digest" values.
A message digest works like a one-way hash code: it transforms any given byte array (of any length) into a 16- or 20-byte value (depending on which algorithm you are using) which is unique for this byte array. One cannot reverse the process (extract the original byte array from the message digest value).
When a user gives you his password, you calculate the message digest of the password he entered and compare it to the message digest in the file. In this way, even if the file is stolen, no one will be able to use it... he will only have the message digest values, not the actual passwords needed.
There are ways to make it more secure, but I suggest you start with this one and see how it works.
You don't need the JCE for calculating message digests. This is a small example of how to use it:

the imports are
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

and the code is
    String password="password";
    byte[] digest=null;
    try {
      // "SHA" is the JCA name for SHA-1; the result is a 20-byte array, not text
      MessageDigest sha=MessageDigest.getInstance("SHA");
      digest=sha.digest(password.getBytes());
    } catch (NoSuchAlgorithmException nsae) {
      System.out.println("SecurityDeployer <1> (NoSuchAlgorithmException): " + nsae);
    }

You only save the digest value in the file!!!
yoni99Commented:
Did it help ???
mmarschallAuthor Commented:
Thanks for the answer. I hope to have time to try it this week. Please give me some time. Thanks!
yoni99Commented:
Feel free to ask whatever you need.
mmarschallAuthor Commented:
Thanks a lot. I really appreciate your help very much. I only have to find some time...
mmarschallAuthor Commented:
I added a System.out.println(digest) to your code. Every time I run the program, the digest is different. How will this work with storing the digest in a file if the calculated digest for one and the same string is different every time I call the program?
mmarschallAuthor Commented:
I tried it with storing the digest in a file. This is the code:

import java.security.MessageDigest;
import java.io.*;

public class SavePassword {
      public static void
      main(String[] argv)      {
            try      {
                  MessageDigest sha = MessageDigest.getInstance("SHA");
                  byte[] digest = sha.digest(argv[0].getBytes());
                  System.out.println("The digest: '"+digest+"'");
                  PrintWriter p = new PrintWriter(new FileWriter("passwd.txt"));
                  p.print(digest);
                  p.close();
            } catch (Exception e) {
                  System.err.println(e.getClass().getName() + ": " + e.getMessage());
            }
      }
}

The validating class is:

import java.security.MessageDigest;
import java.io.*;

public class ValidatePassword {
      public static void
      main(String[] argv)      {
            try      {
                  MessageDigest sha = MessageDigest.getInstance("SHA");
                  byte[] digest = sha.digest(argv[0].getBytes());
                  System.out.println("The digest: '"+digest+"'");
                  FileReader f = new FileReader("passwd.txt");
                  String storedDigest = "";
                  int num = 0;
                  char[] chars = new char[100];
                  while (num != -1) {
                        num = f.read(chars);
                  }
                  storedDigest = new String (chars);
                  System.out.println("storedDigest: '"+storedDigest+"'");
                  if (storedDigest.equals(digest)) {
                        System.out.println("VALID");
                  } else {
                        System.out.println("NOT VALID");
                  }                  
            } catch (Exception e) {
                  System.err.println(e.getClass().getName() + ": " + e.getMessage());
            }
      }
}

But it always says NOT VALID. See my comment above.

What to do?
mmarschallAuthor Commented:
I reject this in the hope of getting help with the previously posted code. It doesn't work the way I implemented it according to your answer.
I hope you can help me!
yoni99Commented:
The digest byte array contains bytes, not ASCII chars. When you print it you get something that looks like [B@65819ef5; this is not the actual value, it is the object representation. If you want to see the bytes and check that they are consistent with the password, you should print the bytes in a loop:

      for(int i=0; i<digest.length; i++) {
        System.out.println("digest["+i+"]: " + digest[i]);
      }

Also, you should not save it to the file using the PrintWriter, which converts the bytes into chars; make sure you keep the values unchanged.

I don't have the time right now, but if you can wait I think I can give you a working example in a day.
If you can't wait you are welcome to make the appropriate changes.
mmarschallAuthor Commented:
It works now using a FileOutputStream and a FileInputStream. Thanks.
My last problem is how to now store usernames and passwords in the same file and how to parse the byte[]s I get. I planned to use a properties file for storing usernames and passwords. But this should not be possible because of the conversions made. How do I do this?
yoni99Commented:
I think the easiest way (but not the best...) would be using the ObjectOutputStream and ObjectInputStream classes.

The Java help shows this example:

import java.io.*;
import java.util.Date;

// inside a method that declares "throws IOException"
FileOutputStream ostream = new FileOutputStream("t.tmp");
ObjectOutputStream p = new ObjectOutputStream(ostream);

p.writeObject("Today");
p.writeObject(new Date());

p.flush();
ostream.close();

For efficiency you can use Hashtable - you can store the user name as key and the password byte[] as value (byte[] is an Object). The hashtable can be saved to file using ObjectOutputStream and later read from ObjectInputStream. You need to read or write it as an Object and cast it to Hashtable (when reading).
Good Luck.

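An added example, not code from the question or from either answer: it combines the first answer's approach (store only the digest, recompute and compare it at login) with the last answer's Hashtable/ObjectOutputStream layout. Two departures from what the thread shows are my own assumptions: SHA-256 in place of "SHA" (SHA-1), and a random 16-byte salt stored in front of each digest so that two users with the same password get different entries; the user name and file name are constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Hashtable;

// Username -> (salt || digest) table, serialized with ObjectOutputStream as the answer suggests.
public class PasswordStore {
    private static final int SALT_LEN = 16;
    private final Hashtable<String, byte[]> users = new Hashtable<>();
    // SHA-256 over salt || password ("SHA" in the thread is SHA-1; SHA-256 is an assumption here)
    private static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }
    public void addUser(String name, String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);                        // fresh random salt per user
        byte[] hash = digest(salt, password);
        byte[] entry = Arrays.copyOf(salt, SALT_LEN + hash.length); // entry = salt || digest
        System.arraycopy(hash, 0, entry, SALT_LEN, hash.length);
        users.put(name, entry);
    }
    public boolean check(String name, String password) throws NoSuchAlgorithmException {
        byte[] entry = users.get(name);
        if (entry == null) return false;
        byte[] salt = Arrays.copyOfRange(entry, 0, SALT_LEN);
        // isEqual compares array contents in constant time; equals() on arrays only compares references
        return MessageDigest.isEqual(Arrays.copyOfRange(entry, SALT_LEN, entry.length), digest(salt, password));
    }
    public void save(File f) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f))) { out.writeObject(users); }
    }
    @SuppressWarnings("unchecked")
    public void load(File f) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(f))) { users.putAll((Hashtable<String, byte[]>) in.readObject()); }
    }

    public static void main(String[] args) throws Exception {
        PasswordStore s = new PasswordStore();
        s.addUser("matthias", "secret");                           // constructed sample user
        s.save(new File("passwd.bin"));                            // constructed file name
        PasswordStore r = new PasswordStore();
        r.load(new File("passwd.bin"));
        System.out.println(r.check("matthias", "secret") + " " + r.check("matthias", "wrong"));
    }
}
```

ObjectInputStream instantiates whatever classes the file names, so the file must stay writable only by the application; a text file with one user=hex(salt):hex(digest) line per user avoids that and also fits the properties file the question had in mind.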
mmarschallAuthor Commented:
Thanks for answering my question to the last tiny detail. You really helped me a lot. Thanks.