Solved

Question about encryption technique

Posted on 2006-10-27
Last Modified: 2010-05-18
Hi guys,

I'm new at using encryption techniques. I need to make a program where a user needs to provide a user name and password, but it needs to be pretty secure.
I'm using this example below from jguru.com as a starter:

code:
--------------------------------------------------------------------------------

import java.security.MessageDigest;

public class DigestExample {
    public static void main(String[] args) throws Exception {
        // Create a Message Digest from a Factory method
        MessageDigest md = MessageDigest.getInstance("SHA-1");

        // Create the message
        String orig = "And now for something completely different... the larch.";
        byte[] msg = orig.getBytes();

        // Update the message digest with some more bytes
        // This can be performed multiple times before creating the hash
        md.update(msg);

        // Create the digest from the message
        byte[] aMessageDigest = md.digest();

        // Printout
        // Note: the digest is raw binary, so building a String from it directly
        // yields the unprintable characters shown below; hex or Base64 encode it to display it.
        System.out.println("Original: " + new String(msg));
        System.out.println("Message Digest: " + new String(aMessageDigest));
    }
}

--------------------------------------------------------------------------------

Original: And now for something completely different... the larch.
Message Digest: ♦═7→ ╚B╩b╩l

This is what I thought would happen:
1. Let's say user "CLIENT1" encrypts his password from "TEST" to ♦═7→ ╚B╩b╩l
2. ♦═7→ ╚B╩b╩l will be sent across the network.
3. ♦═7→ ╚B╩b╩l will be matched with the password saved in the DB, which is ♦═7→ ╚B╩b╩l

Then let's say a hacker acquires ♦═7→ ╚B╩b╩l in step 2.
Then, next time, he can log in to the system using "CLIENT1" and ♦═7→ ╚B╩b╩l as the password.

Isn't that what's going to happen, since in step 3 there's no more hashing done?
Does it mean that using this algorithm a hacker can grab the passed encrypted hash and use that for future transactions?

Thanks
Question by:rnicholus

Expert Comment

by:hoomanv
ID: 17821651
> and ♦═7→ ╚B╩b╩l as the password
Actually, yes.
But not from the application, since everything you type as the password will be shadowed by the message digest, so the hacker needs to code the network layer himself to pass the stolen digest to the server.

Accepted Solution

by:
hoomanv earned 300 total points
ID: 17821914
Seems you're concerned about it!
Another way is to double encrypt the - MD5 encrypted - password based on a random key sent by the server when the connection is made.
This will prevent hackers from using the same encrypted password at a later time.

Use classes in the javax.crypto package, which let you encrypt data based on a key:
http://javaalmanac.com/egs/javax.crypto/pkg.html
 

Author Comment

by:rnicholus
ID: 17843439
Thanks for the link! It's very useful. Sorry I just got a chance to get back to this question.

This is what I think I would do. Please let me know if you think this is not such a good idea:
1. For every client that I have, I will assign them a key and a password in a table in the database.

2. I will build a small program for the client. The client will also be provided with the password and the key.
The key will be used to encrypt the password before it is sent over the network.

3. And then on the server side there will be code to decrypt the encrypted password using the same key.

Do you think this would be a good idea?

Thanks again for the help.

Expert Comment

by:hoomanv
ID: 17843729
> I will assign them a key and a password in a table in database.
The client needs to be provided with the key only when the connection is made, so the encrypted pass will be made using a new random key; otherwise, if the key and pass are static, the encryption would always be the same, so why did you double encrypt it?
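The scheme in the accepted solution and the point in the comment above (the key must be fresh for every connection, or the "double encrypted" value is just another static password) can be shown end to end. This is an added example, not code from the thread or from the javaalmanac page; it keeps the thread's SHA-1 digest of the password as the stored secret, but uses a keyed hash (javax.crypto.Mac, HMAC-SHA1) over the server's random challenge instead of a cipher, and the names ChallengeResponseDemo, prove and verify are made up for the illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ChallengeResponseDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // What the server's DB row holds: the SHA-1 digest of the password, never the password.
    static byte[] sha1(String s) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(s.getBytes("UTF-8"));
    }

    // Server side: a fresh random challenge for every connection (the "random key" of the thread).
    static byte[] newChallenge() {
        byte[] c = new byte[16];
        RNG.nextBytes(c);
        return c;
    }

    // Client side: proof = HMAC-SHA1(key = SHA-1(password), message = challenge).
    // Only this proof crosses the network; it is useless with any other challenge.
    static byte[] prove(byte[] passwordDigest, byte[] challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(passwordDigest, "HmacSHA1"));
        return mac.doFinal(challenge);
    }

    // Server side: recompute the proof from the stored digest and compare in constant time.
    static boolean verify(byte[] storedDigest, byte[] challenge, byte[] proof) throws Exception {
        return MessageDigest.isEqual(prove(storedDigest, challenge), proof);
    }

    public static void main(String[] args) throws Exception {
        byte[] stored = sha1("TEST");              // constructed DB row for user CLIENT1
        byte[] c1 = newChallenge();
        byte[] proof1 = prove(sha1("TEST"), c1);   // client answers challenge 1
        System.out.println("login 1 accepted: " + verify(stored, c1, proof1)); // true

        // A captured proof1 replayed on a later connection meets a different challenge and fails.
        byte[] c2 = newChallenge();
        System.out.println("replay accepted:  " + verify(stored, c2, proof1)); // false
    }
}
```

Note that the stored digest is itself the secret that answers challenges, so this protects the value on the wire, not a copied database; that is the same trust the thread's original scheme already places in the DB.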
 

Author Comment

by:rnicholus
ID: 17843995
I'm implementing what's described in this link:

http://javaalmanac.com/egs/javax.crypto/DesString.html

It seems that when I print the encrypted message, it is always different every time. I'm using DES and also the AES algorithm.
Is it supposed to be always the same?

Thanks

Expert Comment

by:hoomanv
ID: 17844077
Because of the line below, you are getting random keys:
KeyGenerator.getInstance("DES").generateKey();