CMP vs. BMP concerning encrypted data

Dan Ludwig
Greenhorn

Joined: Jun 05, 2004
Posts: 18
Everywhere I keep reading "you should [almost] never have to use BMP with EJB 2+ [if you have a relational database]" or some version of that advice.

But I keep wondering, what if some application data is almost guaranteed to be encrypted in the persistent store, using either one- or two-way encryption? For example, MySQL's PASSWORD() function is a fairly common one-way encryption mechanism for passwords, and many other 2-way encryption algorithms can be used to cipher credit card numbers or other legally-sensitive information.

If I want an entity bean to represent objects with sensitive, more-than-likely-encrypted-in-the-persistent-store data fields, what's the best way to approach this? Use a BMP bean that harnesses the ease of using decryption methods in the actual SQL code? Or use a CMP bean wrapped with a session facade (like a DecryptorFactory of some sort) that can make sense out of the encrypted data?

What's the best way to do this and keep the ejb-jar portable across different database implementations? Is there any way to achieve one-way encryption with Java? This has been bugging me for a long time. If anyone has any best practices or good ideas, please share, thanks!
Alex Sharkoff
Ranch Hand

Joined: Apr 11, 2004
Posts: 209
Dan,

You could encapsulate all required logic in your CMP EB. E.g.,



As you can see in the example, we decrypt the password extracted from the db. The same could be done with storing the password into the db (would be encrypting first and then saving into the db).

Oh, yeah. In regards to one-way encryption in Java, check out the following:


Hope it helps,


[ August 13, 2004: Message edited by: Alex Sharkoff ]


Alex (SCJP 1.4, SCBCD 1.3, SCWCD 1.4, SCJD 1.4)
Dan Ludwig
Greenhorn

Joined: Jun 05, 2004
Posts: 18
I found some other docs on doing the SHA and MD5 encryption using MessageDigest, and your above example works great if that's how the data is encrypted. I still think an environment entry might be necessary though, to be able to configure the encryption method at deployment time (one which would work with some kind of MessageDigestCryptionFactory) depending on the database.

However, what I'm looking for here is more of an answer to the portability issue. What if the persistent store uses an encryption algorithm other than SHA or MD5? Do I need to become a cipher expert if I want my CMP bean to work with several different database vendors, and work with existing data (that for example I, as the Bean Provider, cannot suggest encryption policies for)?
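
An added example, not part of the thread and not either poster's code: a sketch of the approach discussed in the replies above, where the bean's business methods own the one-way digest and the algorithm name is a deployment-time setting. The names `AccountBean` and `DigestDemo`, the in-memory subclass, and the choice of "SHA-256" are assumptions made for illustration; a real CMP bean would have the container implement the abstract accessors and would read the algorithm from an env-entry.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical stand-in for a CMP entity bean: a container would implement the
// abstract accessors; only the digest is ever persisted, never the plain text.
abstract class AccountBean {
    // Assumption: a real bean would read this from an env-entry at deployment.
    private final String algorithm;

    AccountBean(String algorithm) { this.algorithm = algorithm; }

    abstract byte[] getPasswordDigest();          // CMP-style persistent field
    abstract void setPasswordDigest(byte[] digest);

    void changePassword(String plain) { setPasswordDigest(digest(plain)); }

    // One-way check: hash the candidate and compare digests; nothing is decrypted.
    boolean checkPassword(String candidate) {
        return MessageDigest.isEqual(getPasswordDigest(), digest(candidate));
    }

    private byte[] digest(String text) {
        try {
            return MessageDigest.getInstance(algorithm)
                    .digest(text.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unsupported digest: " + algorithm, e);
        }
    }
}

public class DigestDemo {
    public static void main(String[] args) {
        // Constructed in-memory subclass standing in for the container-generated one.
        AccountBean bean = new AccountBean("SHA-256") {
            private byte[] stored;
            @Override byte[] getPasswordDigest() { return stored; }
            @Override void setPasswordDigest(byte[] digest) { stored = digest; }
        };
        bean.changePassword("constructed-sample-password");
        System.out.println("correct password accepted: "
                + bean.checkPassword("constructed-sample-password"));
        System.out.println("wrong password accepted: " + bean.checkPassword("wrong-guess"));
    }
}
```

A bare digest is shown because that is what the thread discusses and what existing rows may already contain; for a new password store, a salted, iterated derivation such as PBKDF2 (available through `javax.crypto.SecretKeyFactory`) is the usual choice.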
 