Crypting

Hi,
my Java program allows me to store
a user with its login and password in a database, table users.
But I want to crypt the password in the table.
And when someone logs in, decrypt it to test if the password entered is correct.
The password is read from a JPasswordField, so it returns me a char[]

What is a good way to do this ?
Thanks.
KouKi Asked:

CEHJ Commented:
The correct method of doing this is to store it in the table such that it *cannot* be decrypted. This is done using a digest algo. The entered password is then compared with the stored value after applying the same algo
Mayank S (Associate Director - Product Engineering) Commented:
You can use some technique like SHA1 to encrypt and store the password initially:

http://www.javaalmanac.com/egs/javax.crypto/GenMac.html?l=rel

Then use the same to verify the entered password when the user logs in.

KouKi (Author) Commented:
Thank you for the examples.
In the example, a String is used to be encoded.

String str = "This message will be digested";
byte[] utf8 = str.getBytes("UTF8");
byte[] digest = mac.doFinal(utf8);

But I have a char[] from my JPasswordField for more security,
how can I do it then?
Mayank S (Associate Director - Product Engineering) Commented:
You can convert it to a String, using:

String s = new String ( theCharArray ) ;
KouKi (Author) Commented:
well then I could use the method getText of the JPasswordField ...
But it is deprecated, because the password is saved in an object and can't override it, will stay in memory till garbage collector cleans.
I should just use the deprecated method then ? or there is another way?
CEHJ Commented:
I wouldn't get too hung up about that. Just make sure variable 's' is an automatic variable (local to a method)
KouKi (Author) Commented:
Ok thank you.

Can you tell me how/where I should store the key?

Can you also explain to me what a message digest is,
and shortly the difference with the DES method and what the MAC method actually is,
and the difference between sun.misc.BASE64Encoder().encodeBuffer and sun.misc.BASE64Encoder().encode,
or if you have any links that explain this,

because I'll need to explain this myself.
I'm increasing some points
thank you for any help.
CEHJ Commented:
>> Can you tell me how/where I should store the key?

There isn't one - that's the point. The message should be undecryptable (by *anyone*)

>> Can you also explain to me what a message digest is,

It's a means of providing a unique binary representation of another (usually larger) binary value. You can think of it like

int digest = "HELLO WORLD".hashCode();
Mayank S (Associate Director - Product Engineering) Commented:
>> then I could use the method getText of the JPasswordField

Never use any deprecated stuff.

>> will stay in memory till garbage collector cleans.

Don't worry, the JVM is secure and it will be difficult for other malicious applications to get data from its memory ;-) Anyway, your char[] array will also be in the memory as a sequence of characters.
KouKi (Author) Commented:
>>>> Can you tell me how/where I should store the key?
>>There isn't one - that's the point. The message should be undecryptable (by *anyone*)

Ok, there is something I don't get :(
For example the password "p" is keyed in.
It will give me a string like
7nGJhhNCC5eGj5C5PgBrJA==
that I will put in the DB
When he logs in, I use the same algorithm, and for "p" it gives me
bA8KdfWCXsqtvtArXHypOQ==
a different string ...
So how am I supposed to authenticate.

Sorry, thanks
CEHJ Commented:
>> it gives me bA8KdfWCXsqtvtArXHypOQ== a different string ...

No - it should give you an identical string if it's set up correctly
KouKi (Author) Commented:
Something isn't set up correctly then ...
If I execute this two times, the string digestB64 will give me a different string.

// Generate a key for the HMAC-MD5 keyed-hashing algorithm; see RFC 2104
// In practice, you would save this key.
KeyGenerator keyGen = KeyGenerator.getInstance("HmacMD5");
SecretKey key = keyGen.generateKey();

// Create a MAC object using HMAC-MD5 and initialize with key
Mac mac = Mac.getInstance(key.getAlgorithm());
mac.init(key);

String str = "This message will be digested";

// Encode the string into bytes using utf-8 and digest it
byte[] utf8 = str.getBytes("UTF8");
byte[] digest = mac.doFinal(utf8);

String digestB64 = new sun.misc.BASE64Encoder().encode(digest);

System.out.println(digestB64);

CEHJ Commented:
You don't need to use a key:

MessageDigest md = MessageDigest.getInstance("MD5");
byte[] b = "This message will be digested".getBytes("UTF-8");
md.digest(b);
// That's your digest done
CEHJ Commented:
:-)