I'm not sure what you're asking. You said you've done RSA already. What difference does it make for the cryptography whether the password is stored in a DB or not?
Or are you asking how to store something in a DB? In that case, be aware that something encrypted is not text - it's binary. So you can't use a char or varchar field, unless you convert it to text first (using something like base-64 encoding).
Finally, the common approach to storing passwords in a database is not to encrypt them, but to hash (or digest) them. That way they can't be recovered by someone who gains access to the DB. [ July 07, 2008: Message edited by: Ulf Dittmer ]
Thanks for your early reply. Yes, I want to store my password in database.
While retrieving from the database it'll come from the decrypt mode and compare with the current password. If both are equal then it will go to the next page.
But initially I want to encrypt a string, store it in the database and decrypt it.
As Ulf mentioned, the preferred approach to store the passwords in the db is to store the hash (message digest) so that one cannot find out the password if there is any security breach.
Having said that, if you still want to encrypt and store, you can follow these steps.
1. Generate a Private Key and store that in a KeyStore with a password (you shouldn't generate the keypair on demand and use it to encrypt. If you do, you will not be able to decrypt, as the key you generate next time will be different)
2. Write a class to read the private key, encrypt and decrypt set of bytes.
4. Encrypt the password you want to store using the step 2 class and convert it into a Base64 string (so that you can easily store it in the db)
5. Store the Base64 encrypted string into the db using JDBC into a varchar column.
First off, if you're writing your own RSA algorithm you're sort of 're-inventing the wheel'. The way modern password encryption is done is to rely on the database's built-in method to do the encryption. Most have a command similar to password(value) that you can store in a table such as "INSERT INTO Users (username,pass) VALUES (?,password(?))". Most databases have a number of varieties of password functions for all different encryptions.
Also, decrypting a password is discouraged. You can determine whether the stored value for the password (call it x) is equal to the hashed value of the entered password, such as "SELECT 1 FROM users WHERE username = ? and pass = password(?)". In this way you can verify a user login without ever decrypting and thereby exposing the user's password. [ July 07, 2008: Message edited by: Scott Selikoff ]