Solved

Question about encryption technique

Posted on 2006-10-27
Last Modified: 2010-05-18
Hi guys,

I'm new at using encryption techniques. I need to make a program where the user needs to provide a user name and password, but it needs to be pretty secure.
I'm using this example below from jguru.com as a starter:

code:
--------------------------------------------------------------------------------

import java.security.MessageDigest;

// Import and class wrapper added so the snippet compiles as posted; the class name is arbitrary.
public class DigestExample {
    public static void main(String[] args) throws Exception {
        // Create a Message Digest from a Factory method
        MessageDigest md = MessageDigest.getInstance("SHA-1");

        // Create the message
        String orig = "And now for something completely different... the larch.";
        byte[] msg = orig.getBytes();

        // Update the message digest with some more bytes
        // This can be performed multiple times before creating the hash
        md.update(msg);

        // Create the digest from the message
        byte[] aMessageDigest = md.digest();

        // Printout (the digest is raw bytes, so new String() renders them as unprintable characters)
        System.out.println("Original: " + new String(msg));
        System.out.println("Message Digest: " + new String(aMessageDigest));
    }
}

--------------------------------------------------------------------------------

Original: And now for something completely different... the larch.
Message Digest: ♦═7→ ╚B╩b╩l

This is what I thought would happen:
1. Let's say user "CLIENT1" encrypts his password from "TEST" to ♦═7→ ╚B╩b╩l
2. ♦═7→ ╚B╩b╩l will be sent across the network.
3. ♦═7→ ╚B╩b╩l will be matched with the password saved in the DB, which is ♦═7→ ╚B╩b╩l

Then let's say a hacker acquires ♦═7→ ╚B╩b╩l in step 2.
Then, next time, he can log in to the system using "CLIENT1" and ♦═7→ ╚B╩b╩l as the password.

Isn't that what's going to happen? Since in step 3 there's no more hashing done.
Does it mean that using this algorithm a hacker can grab the passed encrypted hash, and use that for future transactions?

Thanks
Question by:rnicholus
 
Expert Comment

by:hoomanv
ID: 17821651
> and ♦═7→ ╚B╩b╩l as the password
Actually, yes.
But not from the application, since everything you type as a password will be shadowed by the message digest, so the hacker needs to code the network layer himself to pass the stolen digest to the server.

Accepted Solution

by: hoomanv (earned 1200 total points)
ID: 17821914
Seems you're concerned about it!
Another way is to double-encrypt the (MD5-encrypted) password based on a random key sent by the server when the connection is made.
This will prevent hackers from using the same encrypted password at a later time.

Use the classes in the javax.crypto package, which let you encrypt data based on a key:
http://javaalmanac.com/egs/javax.crypto/pkg.html

Author Comment

by:rnicholus
ID: 17843439
Thanks for the link! It's very useful. Sorry I just got a chance to get back to this question.

This is what I think I would do. Please let me know if you think this is not such a good idea:
1. For every client that I have, I will assign them a key and a password in a table in the database.

2. I will build a small program for the client. The client will also be provided with the password and the key.
The key will be used to encrypt the password before it is sent over the network.

3. And then on the server side there will be code to decrypt the encrypted password using the same key.

Do you think this would be a good idea?

Thanks again for the help.

Expert Comment

by:hoomanv
ID: 17843729
> I will assign them a key and a password in a table in database.
The client needs to be provided with the key only when the connection is made, so the encrypted pass will be made using a new random key; otherwise, if the key and pass are static, the encryption would always be the same, so why did you double-encrypt it?
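As an added illustration of the accepted solution and the follow-up about per-connection random keys (example code written for this page, not from the thread or from javaalmanac): the server sends a fresh nonce when the connection is made, the client proves knowledge of the password hash with an HMAC over that nonce (a keyed MAC from javax.crypto is used here in place of the post's "encrypt the hash with the random key", since that is the standard form of the idea), and a response captured on the wire fails when replayed against a new nonce. Class and method names are made up for the demo; the hash uses SHA-256 rather than the thread's MD5/SHA-1.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; constructed demo, not the thread's code.
public class ChallengeResponseDemo {
    // Server side: the database stores hash("TEST") for CLIENT1, never the plaintext
    // (a real system would also salt it and use a slow password hash).
    static final byte[] STORED_HASH = sha256("TEST");
    static final SecureRandom RNG = new SecureRandom();

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) { throw new IllegalStateException(e); }
    }

    // Step 1: server sends a fresh random challenge when the connection is made.
    static byte[] newChallenge() {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        return nonce;
    }

    // Step 2: client answers with HMAC(key = hash(password), data = nonce).
    // The answer is bound to this nonce, so it is useless on a later connection.
    static byte[] answer(byte[] passwordHash, byte[] nonce) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(passwordHash, "HmacSHA256"));
            return mac.doFinal(nonce);
        } catch (Exception e) { throw new IllegalStateException(e); }
    }

    // Step 3: server recomputes the answer from its stored hash; constant-time compare.
    static boolean verify(byte[] nonce, byte[] response) {
        return MessageDigest.isEqual(answer(STORED_HASH, nonce), response);
    }

    public static void main(String[] args) {
        byte[] nonce1 = newChallenge();
        byte[] response1 = answer(sha256("TEST"), nonce1); // legitimate client
        System.out.println("session 1 accepted: " + verify(nonce1, response1));
        // An eavesdropper captured response1 and presents it again on a new connection.
        byte[] nonce2 = newChallenge();
        System.out.println("replayed response accepted: " + verify(nonce2, response1));
    }
}
```

Note that the stored hash is still a password equivalent, as the first expert comment says: anyone who can read the database table can answer the challenge, so the table needs the same protection as the passwords themselves.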

Author Comment

by:rnicholus
ID: 17843995
I'm implementing what's described in this link:

http://javaalmanac.com/egs/javax.crypto/DesString.html

It seems that when I print the encrypted message, it is always different every time. I'm using the DES and also the AES algorithm.
Is it supposed to always be the same?

Thanks

Expert Comment

by:hoomanv
ID: 17844077
Because of the line below, you are getting random keys:
KeyGenerator.getInstance("DES").generateKey();
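Added example (not from the thread or from javaalmanac) showing the point about KeyGenerator: each generateKey() call returns a new random key, so the same plaintext encrypts to a different ciphertext on every run, whereas a key built from fixed bytes with SecretKeySpec produces the same ciphertext every time, which is exactly why a static per-client key would not stop a replay. AES is used in place of DES since the asker mentions both; the class name and the fixed key bytes are made up for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; constructed demo, not the thread's code.
public class KeyGeneratorDemo {
    static final byte[] MSG = "TEST".getBytes(StandardCharsets.UTF_8);

    // ECB is used only because its output is deterministic for a given key and plaintext,
    // which is the property being demonstrated; it is not a mode to use for real data.
    static byte[] encrypt(SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(MSG);
    }

    // Mirrors KeyGenerator.getInstance("DES").generateKey(): a fresh random key per call.
    static SecretKey randomKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // A key built from fixed bytes (constructed demo value) is identical on every run.
    static SecretKey fixedKey() {
        byte[] raw = new byte[16];
        for (int i = 0; i < raw.length; i++) raw[i] = (byte) i;
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws Exception {
        byte[] a = encrypt(randomKey());
        byte[] b = encrypt(randomKey());
        System.out.println("two random keys, same ciphertext? " + Arrays.equals(a, b));
        byte[] c = encrypt(fixedKey());
        byte[] d = encrypt(fixedKey());
        System.out.println("fixed key twice, same ciphertext?  " + Arrays.equals(c, d));
    }
}
```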