  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 612

Crypting

Hi,
my Java program allows me to store
a user with its login and password in a database, in the table users.
But I want to encrypt the password in the table.
And when someone logs in, decrypt it to test if the password entered is correct.
The password is read from a JPasswordField, so it gives me a char[].

What is a good way to do this?
Thanks.
0
Asked by: KouKi

2 Solutions
 
CEHJCommented:
The correct method of doing this is to store it in the table such that it *cannot* be decrypted. This is done using a digest algorithm. The entered password is then compared with the stored value after applying the same algorithm.
0
 
Mayank SAssociate Director - Product EngineeringCommented:
You can use some technique like SHA1 to encrypt and store the password initially:

http://www.javaalmanac.com/egs/javax.crypto/GenMac.html?l=rel

Then use the same to verify the entered password when the user logs in.
0
 
Mayank SAssociate Director - Product EngineeringCommented:
0
KouKiAuthor Commented:
Thank you for the examples.
In the example, a String is used to be encoded.

String str = "This message will be digested";
byte[] utf8 = str.getBytes("UTF8");
byte[] digest = mac.doFinal(utf8);

But I have a char[] from my JPasswordField for more security.
How can I do it then?
0
 
Mayank SAssociate Director - Product EngineeringCommented:
You can convert it to a String, using:

String s = new String(theCharArray);
0
 
KouKiAuthor Commented:
Well, then I could use the method getText of the JPasswordField ...
But it is deprecated, because the password is saved in an object that can't be overwritten, so it will stay in memory until the garbage collector cleans it up.
Should I just use the deprecated method then? Or is there another way?
0
 
CEHJCommented:
I wouldn't get too hung up about that. Just make sure variable 's' is an automatic variable (local to a method)
0
 
KouKiAuthor Commented:
Ok thank you.

Can you tell me how/where I should store the key?

Can you also explain to me what a message digest is,
and briefly the difference from the DES method and what the MAC method actually is,
and the difference between sun.misc.BASE64Encoder().encodeBuffer and sun.misc.BASE64Encoder().encode,
or if you have any links that explain this,

because I'll need to explain this myself.
I'm increasing some points.
Thank you for any help.
0
 
CEHJCommented:
>>Can you tell me how/where I should store the key?

There isn't one - that's the point. The message should be undecryptable (by *anyone*)

>>Can you also explain to me what a message digest is,

It's a means of providing a unique binary representation of another (usually larger) binary value. You can think of it like

int digest = "HELLO WORLD".hashCode();
0
 
Mayank SAssociate Director - Product EngineeringCommented:
>> then I could use the method getText of the JPasswordField

Never use any deprecated stuff.

>> will stay in memory till garbage collector cleans.

Don't worry, the JVM is secure and it will be difficult for other malicious applications to get data from its memory ;-) Anyway, your char[] array will also be in memory as a sequence of characters.
0
 
KouKiAuthor Commented:
>>>>Can you tell me how/where I should store the key?
>>There isn't one - that's the point. The message should be undecryptable (by *anyone*)

Ok, there is something I don't get :(
For example, the password "p" is keyed in.
It will give me a string like
7nGJhhNCC5eGj5C5PgBrJA==
that I will put in the DB.
When he logs in, I use the same algorithm, and for "p" it gives me
bA8KdfWCXsqtvtArXHypOQ==
a different string ...
So how am I supposed to authenticate?

Sorry, thanks
0
 
CEHJCommented:
>>
it gives me
bA8KdfWCXsqtvtArXHypOQ==
a different string ...
>>

No - it should give you an identical string if it's set up correctly
0
 
KouKiAuthor Commented:
Something isn't set up correctly then ...
If I execute this twice, the string digestB64 will give me a different string.

    // Generate a key for the HMAC-MD5 keyed-hashing algorithm; see RFC 2104
    // In practice, you would save this key.
    KeyGenerator keyGen = KeyGenerator.getInstance("HmacMD5");
    SecretKey key = keyGen.generateKey();

    // Create a MAC object using HMAC-MD5 and initialize with key
    Mac mac = Mac.getInstance(key.getAlgorithm());
    mac.init(key);

    String str = "This message will be digested";

    // Encode the string into bytes using utf-8 and digest it
    byte[] utf8 = str.getBytes("UTF8");
    byte[] digest = mac.doFinal(utf8);

    // Base64-encode the MAC bytes so they can be printed/stored as text
    String digestB64 = new sun.misc.BASE64Encoder().encode(digest);

    System.out.println(digestB64);

0
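The two different strings come from the key, not from the algorithm: KeyGenerator.generateKey() draws a fresh random key on every run, so the same input is MACed under a different key each time. The Java program below is an added example, not code from this thread, that makes this visible: it computes HMAC-MD5 of the same input under two freshly generated keys (different outputs) and then twice under one saved key (identical outputs). The class name MacKeyDemo and the use of java.util.Base64 (Java 8 and later) in place of sun.misc.BASE64Encoder are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the thread): why a MAC over the same input
// differs between runs unless the same key is reused.
public class MacKeyDemo {

    // HMAC-MD5 of the message under the given raw key bytes, Base64-encoded.
    static String hmacMd5Base64(byte[] rawKey, String message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(rawKey, "HmacMD5"));
        byte[] tag = mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String password = "p";

        // Two fresh keys, as in the posted code: the MAC over the same input differs.
        byte[] key1 = KeyGenerator.getInstance("HmacMD5").generateKey().getEncoded();
        byte[] key2 = KeyGenerator.getInstance("HmacMD5").generateKey().getEncoded();
        System.out.println("fresh key 1:    " + hmacMd5Base64(key1, password));
        System.out.println("fresh key 2:    " + hmacMd5Base64(key2, password));

        // One saved key reused: the MAC is deterministic, so both calls agree.
        String first  = hmacMd5Base64(key1, password);
        String second = hmacMd5Base64(key1, password);
        System.out.println("same key twice: " + first + " / " + second);
        System.out.println("equal: " + first.equals(second));
    }
}
```

If you did want to keep a MAC, the raw key bytes (key1 here) would have to be stored and protected somewhere outside the users table and loaded into a SecretKeySpec on every login; that is the "In practice, you would save this key" comment in the posted code. For a plain digest, as the next answer shows, there is no key to save.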
 
CEHJCommented:
You don't need to use a key:

    import java.security.MessageDigest;

    MessageDigest md = MessageDigest.getInstance("MD5");
    byte[] b = "This message will be digested".getBytes("UTF-8");
    byte[] digest = md.digest(b);
    // That's your digest done - store digest (e.g. Base64-encoded) and compare on login
0
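Putting the thread's answer together for the original question (a char[] from JPasswordField, verified on login without ever decrypting anything), here is a complete Java program. It is an added example for this thread, not code posted by any of the participants, and it goes a little beyond the posts in three ways, each marked in the code: it turns the char[] into bytes without building a String, it prefixes a random per-user salt so that two users who both choose "p" do not get the same stored value, and it compares digests with MessageDigest.isEqual rather than equals. SHA-256 is used where the posts say MD5, and the class name PasswordDigest and the "salt$digest" storage format are assumptions of the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example (not from the thread): digest-based password storage and
// verification for a char[] password, with salt and constant-time compare.
public class PasswordDigest {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int SALT_BYTES = 16;   // assumed salt length

    // Encode a char[] password as UTF-8 without going through a String,
    // so every copy of the plaintext is an array we can zero afterwards.
    static byte[] toUtf8(char[] password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[buf.remaining()];
        buf.get(bytes);
        Arrays.fill(buf.array(), (byte) 0);     // wipe the encoder's buffer
        return bytes;
    }

    // digest(salt || password). The salt is what makes equal passwords store differently.
    static byte[] digest(byte[] salt, char[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] pw = toUtf8(password);
        try {
            return md.digest(pw);
        } finally {
            Arrays.fill(pw, (byte) 0);          // plaintext bytes no longer needed
        }
    }

    // Value to put in the users table instead of the password: "<salt>$<digest>", both Base64.
    static String hashForStorage(char[] password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest(salt, password));
    }

    // On login: recompute with the stored salt and compare in constant time.
    static boolean verify(char[] entered, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$", 2);   // '$' is not in the Base64 alphabet
        if (parts.length != 2) return false;
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[0]);
        byte[] expected = dec.decode(parts[1]);
        return MessageDigest.isEqual(expected, digest(salt, entered));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        char[] password = "p".toCharArray();    // stands in for JPasswordField.getPassword()
        String stored = hashForStorage(password);
        System.out.println("stored:  " + stored);
        System.out.println("correct password accepted: " + verify("p".toCharArray(), stored));
        System.out.println("wrong password rejected:   " + !verify("q".toCharArray(), stored));
        Arrays.fill(password, '\0');            // clear the field's copy once it has been used
    }
}
```

Store the string returned by hashForStorage in the users table in place of the password; on login, pass the entered char[] and the stored string to verify. One caveat the thread does not mention: a single SHA-256 (or MD5) pass is fast, so an attacker who obtains the table can try candidate passwords quickly offline. For real deployments replace the digest call with a deliberately slow password hash such as PBKDF2 (javax.crypto.SecretKeyFactory with "PBKDF2WithHmacSHA256"); the salt handling, storage format and constant-time comparison stay exactly as shown.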
 
CEHJCommented:
:-)
0