Solved

Question about encryption technique

Posted on 2006-10-27
Last Modified: 2010-05-18
Hi guys,

I'm new at using encryption techniques. I need to make a program where the user needs to provide a user name and password, but it needs to be pretty secure.
I'm using this example below from jguru.com as a starter:

code:
--------------------------------------------------------------------------------

import java.security.MessageDigest;

public class DigestExample {
    public static void main(String[] args) throws Exception {
        // Create a Message Digest from a Factory method
        MessageDigest md = MessageDigest.getInstance("SHA-1");

        // Create the message
        String orig = "And now for something completely different... the larch.";
        byte[] msg = orig.getBytes();

        // Update the message digest with some more bytes
        // This can be performed multiple times before creating the hash
        md.update(msg);

        // Create the digest from the message
        byte[] aMessageDigest = md.digest();

        // Printout
        // Note: new String(byte[]) interprets the raw digest bytes as text in the
        // platform charset, which is why the output below looks like garbage;
        // hex or Base64 encoding is the usual way to display a digest.
        System.out.println("Original: " + new String(msg));
        System.out.println("Message Digest: " + new String(aMessageDigest));
    }
}

--------------------------------------------------------------------------------

Original: And now for something completely different... the larch.
Message Digest: ♦═7→ ╚B╩b╩l

This is what I thought would happen:
1. Let's say user "CLIENT1" encrypts his password from "TEST" to ♦═7→ ╚B╩b╩l
2. ♦═7→ ╚B╩b╩l will be sent across network.
3. ♦═7→ ╚B╩b╩l will be matched with the password saved in DB which is ♦═7→ ╚B╩b╩l

Then let's say a hacker acquires ♦═7→ ╚B╩b╩l in step 2.
Then, next time, they can log in to the system using "CLIENT1" and ♦═7→ ╚B╩b╩l as the password.

Isn't that what's going to happen, since in step 3 there's no more hashing done?
Does it mean that using this algorithm a hacker can grab the passed encrypted hash and use that for future transactions?

Thanks
Question by:rnicholus

Expert Comment

by:hoomanv
ID: 17821651
> and ♦═7→ ╚B╩b╩l as the password
Actually, yes.
But not from the application, since everything you type as a password will be shadowed by the message digest, so the hacker needs to code the network layer himself to pass the stolen digest to the server.

Accepted Solution

by:
hoomanv earned 300 total points
ID: 17821914
Seems you're concerned about it!
Another way is to double-encrypt the (MD5-encrypted) password based on a random key sent by the server when the connection is made.
This will prevent hackers from using the same encrypted password at a later time.

Use the classes in the javax.crypto package, which let you encrypt data based on a key:
http://javaalmanac.com/egs/javax.crypto/pkg.html
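The per-connection random key idea from the accepted answer, as an added example that is not code from the thread or from the Java Almanac link: the server stores only the SHA-1 digest of the password (as in the question), sends a fresh random challenge on each login, and the client answers with an HMAC keyed by its password digest instead of DES-encrypting it. Class and method names here are my own, and a captured response is shown failing against the next challenge.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ChallengeResponseDemo {
    // Same digest as the question's example. (A real password store would use a
    // salted, slow hash; SHA-1 is kept only to match the thread.)
    static byte[] sha1(String s) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Server, step 1: a random challenge that is valid for this login attempt only.
    static byte[] newChallenge() {
        byte[] c = new byte[16];
        new SecureRandom().nextBytes(c);
        return c;
    }

    // Client: proves it knows the password digest without sending it.
    static byte[] respond(String password, byte[] challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sha1(password), "HmacSHA256"));
        return mac.doFinal(challenge);
    }

    // Server, step 2: recompute from the stored digest; compare in constant time.
    static boolean verify(byte[] storedDigest, byte[] challenge, byte[] response) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(storedDigest, "HmacSHA256"));
        return MessageDigest.isEqual(mac.doFinal(challenge), response);
    }

    public static void main(String[] args) throws Exception {
        byte[] stored = sha1("TEST");          // what the DB holds for CLIENT1

        byte[] c1 = newChallenge();            // server -> client
        byte[] r1 = respond("TEST", c1);       // client -> server
        System.out.println("login 1 accepted: " + verify(stored, c1, r1));     // true

        // An eavesdropper captured r1. The next login gets a new challenge,
        // so the recorded response no longer matches.
        byte[] c2 = newChallenge();
        System.out.println("replay of r1 accepted: " + verify(stored, c2, r1)); // false
    }
}
```

The HMAC stands in for the answer's "encrypt with the server's random key"; the property that matters is the same, that the value on the wire changes with every connection and cannot be reused.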
Author Comment

by:rnicholus
ID: 17843439
Thanks for the link! It's very useful. Sorry I just got a chance to get back to this question.

This is what I think I would do. Please let me know if you think this is not such a good idea:
1. For every client that I have, I will assign them a key and a password in a table in the database.

2. I will build a small program for client. The client will also be provided with the password and the key.
The key will be used to encrypt the password before it is sent over the network.

3. And then on the server side there will be code to decrypt the encrypted password using the same key.

Do you think this would be a good idea?

Thanks again for the help.

Expert Comment

by:hoomanv
ID: 17843729
> I will assign them a key and a password in a table in database.
The client needs to be provided with the key only when the connection is made, so the encrypted pass will be made using a new random key; otherwise, if the key and pass are static, the encryption would always be the same, so why did you double-encrypt it?
Author Comment

by:rnicholus
ID: 17843995
I'm implementing what's described in this link:

http://javaalmanac.com/egs/javax.crypto/DesString.html

It seems that when I print the encrypted message, it is always different every time. I'm using the DES and also the AES algorithm.
Is it supposed to be always the same?

Thanks

Expert Comment

by:hoomanv
ID: 17844077
Because of the line below, you are getting random keys:
KeyGenerator.getInstance("DES").generateKey();