Question about encryption technique

Posted on 2006-10-27
Last Modified: 2010-05-18
Hi guys,

I'm new at using encryption techniques. I need to make a program where the user needs to provide a user name and password, but it needs to be pretty secure.
I'm using this example below from jguru.com as a starter:

code:
--------------------------------------------------------------------------------

import java.security.MessageDigest;

public class DigestExample {

    public static void main(String[] args) throws Exception {
        // Create a Message Digest from a Factory method
        MessageDigest md = MessageDigest.getInstance("SHA-1");

        // Create the message
        String orig = "And now for something completely different... the larch.";
        byte[] msg = orig.getBytes();

        // Update the message digest with some more bytes
        // This can be performed multiple times before creating the hash
        md.update(msg);

        // Create the digest from the message
        byte[] aMessageDigest = md.digest();

        // Printout
        // Note: new String(aMessageDigest) interprets the 20 raw digest bytes as
        // characters, which is why the second line below prints as unreadable symbols
        System.out.println("Original: " + new String(msg));
        System.out.println("Message Digest: " + new String(aMessageDigest));
    }
}

--------------------------------------------------------------------------------

Original: And now for something completely different... the larch.
Message Digest: ♦═7→ ╚B╩b╩l

This is what I thought would happen:
1. Let's say user "CLIENT1" encrypts his password from "TEST" to ♦═7→ ╚B╩b╩l
2. ♦═7→ ╚B╩b╩l will be sent across the network.
3. ♦═7→ ╚B╩b╩l will be matched with the password saved in the DB, which is ♦═7→ ╚B╩b╩l

Then let's say a hacker acquires ♦═7→ ╚B╩b╩l in step 2.
Then, next time, he can log in to the system using "CLIENT1" and ♦═7→ ╚B╩b╩l as the password.

Isn't that what's going to happen? Since in step 3 there's no more hashing done.
Does it mean that using this algorithm a hacker can grab the passed encrypted hash and use it for future transactions?

Thanks
Question by:rnicholus
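Editor's note: the unreadable "♦═7→ ╚B╩b╩l" in the question comes from `new String(aMessageDigest)`, which treats the 20 raw SHA-1 bytes as text. The example below is added here and is not part of the original post or the jguru.com snippet; it prints the digest as hex instead and shows that the same input always yields the same digest, which is exactly why a digest sent in place of the password is a fixed, reusable string. The class and method names are made up for the demo.

```java
import java.security.MessageDigest;

// Added example: encode a SHA-1 digest as hex so it can be displayed, logged
// and compared safely. Raw digest bytes are not text and must not be wrapped
// in new String(...).
public class DigestHex {

    // Two lowercase hex characters per byte
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // SHA-1 of the UTF-8 bytes of the text, as a 40-character hex string
    static String sha1Hex(String text) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        return toHex(md.digest(text.getBytes("UTF-8")));
    }

    public static void main(String[] args) throws Exception {
        String first = sha1Hex("TEST");   // "TEST" is the sample password from the question
        String second = sha1Hex("TEST");
        System.out.println("SHA-1 of \"TEST\": " + first);
        // A hash has no randomness of its own: hashing the same password twice gives
        // the same 40 hex characters, so whoever captures it can resend it unchanged.
        System.out.println("same digest both times: " + first.equals(second));
    }
}
```

Hex (or Base64) is what you would actually store in the DB column and compare against; comparing the garbled `String` form is fragile because the byte-to-character conversion depends on the platform's default charset.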
6 Comments
 
LVL 14

Expert Comment

by:hoomanv
ID: 17821651
> and ♦═7→ ╚B╩b╩l as the password
Actually Yes
But not from the application since everything you type as password will be shadowed by the message digest so the hacker needs to code the network layer himself to pass the stolen digest to server
 
LVL 14

Accepted Solution

by:
hoomanv earned 300 total points
ID: 17821914
Seems you're concerned about it!
Another way is to double encrypt the - MD5 encrypted - password based on a random key sent by the server when the connection is made.
This will prevent hackers from using the same encrypted password at a later time.

Use the classes in the javax.crypto package, which let you encrypt data based on a key:
http://javaalmanac.com/egs/javax.crypto/pkg.html
 

Author Comment

by:rnicholus
ID: 17843439
Thanks for the link! It's very useful. Sorry I just got a chance to get back to this question.

This is what I think I would do. Please let me know if you think this is not such a good idea:
1. For every client that I have, I will assign them a key and a password in a table in the database.

2. I will build a small program for client. The client will also be provided with the password and the key.
The key will be used to encrypt the password before it is sent over the network.

3. And then on the server side there will be code to decrypt the encrypted password using the same key.

Do you think this would be a good idea?

Thanks again for the help.
 
LVL 14

Expert Comment

by:hoomanv
ID: 17843729
> I will assign them a key and a password in a table in database.
The client needs to be provided with the key only when the connection is made, so the encrypted pass will be made using a new random key; otherwise, if the key and pass are static, the encryption would always be the same, so why double encrypt it?
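Editor's note: the following is an added example, not code from hoomanv or from javaalmanac.com, that puts the accepted solution and the follow-up above into one runnable class: the server sends a fresh random key when the connection is made, the client encrypts the MD5 digest of its password under that key, and the server recomputes the same value from the digest it has on file. A response captured from one connection fails on the next because the key has changed. AES is used for the "double encryption" (the page leaves the cipher open), the in-memory map stands in for the database table, and all class, method and user names are made up for the demo.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example: per-connection random key ("challenge") from the server,
// client answers with Encrypt(key, MD5(password)), server verifies.
public class ChallengeResponseDemo {

    // Constructed stand-in for the DB table: user name -> MD5 digest of the password
    private static final Map<String, byte[]> userTable = new HashMap<>();

    static byte[] md5(String s) throws Exception {
        return MessageDigest.getInstance("MD5").digest(s.getBytes("UTF-8"));
    }

    // The "double encryption": AES over the single 16-byte MD5 block under the session key.
    // One block exactly, so no padding and no IV are involved; the key is the only variable.
    static byte[] encryptDigest(byte[] sessionKey, byte[] digest) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(sessionKey, "AES"));
        return c.doFinal(digest);
    }

    // Server side: a new 16-byte key for every connection
    static byte[] newSessionKey() {
        byte[] k = new byte[16];
        new SecureRandom().nextBytes(k);
        return k;
    }

    // Server side: recompute the expected answer from the stored digest and compare
    // with MessageDigest.isEqual, which does not stop at the first differing byte
    static boolean verify(String user, byte[] sessionKey, byte[] response) throws Exception {
        byte[] storedDigest = userTable.get(user);
        if (storedDigest == null) {
            return false;
        }
        return MessageDigest.isEqual(encryptDigest(sessionKey, storedDigest), response);
    }

    public static void main(String[] args) throws Exception {
        // Enrolment: the server keeps only the digest, never the password
        userTable.put("CLIENT1", md5("TEST"));

        // Connection 1: server -> client: key1; client -> server: resp1
        byte[] key1 = newSessionKey();
        byte[] resp1 = encryptDigest(key1, md5("TEST"));
        System.out.println("connection 1, genuine client: " + verify("CLIENT1", key1, resp1));

        // Connection 2: server issues key2; someone who captured resp1 resends it
        byte[] key2 = newSessionKey();
        System.out.println("connection 2, replayed resp1:  " + verify("CLIENT1", key2, resp1));

        // Connection 2: the genuine client answers the new key
        byte[] resp2 = encryptDigest(key2, md5("TEST"));
        System.out.println("connection 2, genuine client: " + verify("CLIENT1", key2, resp2));
    }
}
```

Two things to keep in mind when deploying something like this: the server must generate and remember the key itself for each connection (a client-chosen key would let an attacker pick one whose answer they already hold), and the scheme only protects what travels on the wire. The stored MD5 digests are still password-equivalents for anyone who can read the table, so the table needs the same protection as plaintext passwords would.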
 

Author Comment

by:rnicholus
ID: 17843995
I'm implementing what's described in this link:

http://javaalmanac.com/egs/javax.crypto/DesString.html

It seems that when I print the encrypted message, it is always different every time. I'm using DES and also the AES algorithm.
Is it supposed to be always the same?

Thanks
 
LVL 14

Expert Comment

by:hoomanv
ID: 17844077
Because of the below line, you are getting random keys
KeyGenerator.getInstance("DES").generateKey();
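Editor's note: to make the point above concrete, here is an added example (not hoomanv's code and not the javaalmanac DesString sample) that encrypts the same text twice with keys from `KeyGenerator.generateKey()` and twice with a key built from fixed bytes via `SecretKeySpec`. AES is used instead of DES; `Cipher.getInstance("AES")` selects the provider default of ECB mode with PKCS5 padding, which has no IV, so the key is the only source of variation. The 16 key bytes and the class name are constructed for the demo.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added example: KeyGenerator draws a new random key on every generateKey() call,
// so the ciphertext changes between runs; a key built from the same bytes
// with SecretKeySpec gives the same ciphertext every time.
public class KeySourceDemo {

    static byte[] encrypt(SecretKey key, String text) throws Exception {
        Cipher c = Cipher.getInstance("AES");   // default: AES/ECB/PKCS5Padding, no IV
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(text.getBytes("UTF-8"));
    }

    public static void main(String[] args) throws Exception {
        String msg = "TEST";

        // Random key on each call, as in the DesString example: the outputs differ
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        byte[] c1 = encrypt(kg.generateKey(), msg);
        byte[] c2 = encrypt(kg.generateKey(), msg);
        System.out.println("random keys, same ciphertext?  " + Arrays.equals(c1, c2));

        // Fixed key bytes (constructed demo value; in practice the value the server sent
        // for this connection): the outputs match
        byte[] keyBytes = "0123456789abcdef".getBytes("UTF-8");   // 16 bytes = AES-128
        byte[] c3 = encrypt(new SecretKeySpec(keyBytes, "AES"), msg);
        byte[] c4 = encrypt(new SecretKeySpec(keyBytes, "AES"), msg);
        System.out.println("fixed key, same ciphertext?    " + Arrays.equals(c3, c4));
    }
}
```

In the scheme from the accepted solution this behaviour is what you want: the key is the random value the server sent for this connection, so the encrypted password is different on every connection by design, and the server, holding the same key, can still recompute and check it.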
