encrypt/decrypt with sunjce....help reqd ! Thanks

raj sekhar
Ranch Hand

Joined: Oct 16, 2001
Posts: 117
Hi
I am trying to use the JCE package to encrypt/decrypt a password. Can I encrypt the password obtained from the user and store it in the database (in encrypted form) and then later, at any point in time when he signs in, decrypt the encrypted password stored in the db and then validate? I am getting a little confused with how the encrypt/decrypt might work in different Java objects at different times, given that a key is generated while encrypting; isn't the same key required to decrypt?
I did go through Sun's API ref and samples, but from what I see all sample code does encryption and decryption with the same key and in the same class. This may not really be the actual requirement. When the users sign up, typically, they enter all the information including the password and a profile is created by storing all the data in the db (this is typically in one object). And... later when they try to sign in, we get the userid and password from the db. We do not want anyone to have a crack at these passwords stored in the db, and so when we retrieve them back, we will have to validate and let the user in.
Moreover, I tried a sample code but it throws a "java.security.NoSuchAlgorithmException: Algorithm DES not available" which is baffling. I looked at the Sun documentation and they say that DES is supported by the default provider (i.e. SunJCE). Am I missing anything here?
KeyGenerator KG = KeyGenerator.getInstance("DES");
Thanks for all the help
Thanks
Raj
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
This probably isn't going to help because I don't know much about security myself, but:
why don't you store the passwords encrypted in the database?
That way you don't ever have to worry about hackers getting hold of them, you don't have to decrypt the encrypted password from the user, etc.


Thomas Paul
mister krabs
Ranch Hand

Joined: May 05, 2000
Posts: 13974
if you are going to work with Cryptography then I strongly recommend that you get a copy of this book, Java Cryptography
You must use the same key to encrypt the information as you do to decrypt it. You don't create a new key each time. You create one key and store it somewhere secure on your server.
Your KeyGenerator should work. Did you import sun.misc.* in your program?


Associate Instructor - Hofstra University
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Unfortunately I don't have time right now for a detailed reply, but here goes:-
  • Regarding the NoSuchAlgorithmException, did you install the SunJCE provider as per the documentation? (i.e. lobbed the jars in jre/lib/ext and updated jre/lib/security/java.security).
  • For optimal security, do not store passwords. Rather, you'd store a secure hash (e.g. MD5 or SHA) of the password. To verify the password, simply calculate the hash of the password typed and compare that with the hash stored in the database. For better security, salt the password (meaning: apply some randomisation e.g. by appending a few random bytes) and store the salt as well. The advantage of this approach is that if the database is compromised the passwords are still (relatively) safe. The disadvantage is that you cannot e-mail people their passwords if they forgot it (but you can give them a new one).
  • If you want to use encryption as opposed to hashing, you will have to use the same secret key for encryption and decryption. Converting keys can be a bit hard though.
  • If you can focus your question a bit more I might be able to offer some more specific help.
Good luck
- Peter (author of the security chapters in Beginning Java Networking)
[ February 04, 2002: Message edited by: Peter den Haan ]
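Peter's second bullet in Java, as an added example (this is not code from the thread): the password itself is never stored, only a per-user random salt and a salted one-way derivation of it. The example uses PBKDF2WithHmacSHA256 through the same SecretKeyFactory API the thread discusses rather than a plain MD5/SHA digest, and the iteration count, salt length and the Base64 salt:hash record format are the example's own choices, not anything from the thread. Verification recomputes the derivation from the stored salt and compares with MessageDigest.isEqual so the comparison time does not depend on how many bytes matched.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordStore {
    // Assumptions of this example: PBKDF2 (JDK 8+), 100k iterations, 16-byte salt, 256-bit output.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    // Returns "base64(salt):base64(derived)" for storage in an ordinary text column.
    public static String createRecord(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);           // fresh salt per user
        byte[] derived = derive(password, salt);
        return b64(salt) + ":" + b64(derived);
    }

    // Recomputes the derivation from the stored salt and compares in constant time.
    public static boolean verify(char[] password, String record) throws GeneralSecurityException {
        int sep = record.indexOf(':');
        if (sep < 0) {
            return false;                              // malformed record
        }
        byte[] salt = Base64.getDecoder().decode(record.substring(0, sep));
        byte[] expected = Base64.getDecoder().decode(record.substring(sep + 1));
        byte[] actual = derive(password, salt);
        return MessageDigest.isEqual(expected, actual);
    }

    // One-way, salted, iterated derivation; the char[] password is cleared from the spec afterwards.
    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        String stored = createRecord("correct horse".toCharArray());   // constructed sample
        System.out.println("stored record:          " + stored);
        System.out.println("right password verifies: " + verify("correct horse".toCharArray(), stored));
        System.out.println("wrong password verifies: " + verify("wrong".toCharArray(), stored));
    }
}
```

The record can be kept in a VARCHAR column because both parts are Base64 text; nothing about the stored value lets the password be recovered, which is the property Peter describes, and because the salt is random the same password yields a different record for every user.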
raj sekhar
Ranch Hand

Joined: Oct 16, 2001
Posts: 117
Thank you very much Adam, Thomas and Peter. All of your answers were good leads.
I appreciate your help. Meanwhile, I've used the password-based encryption technique of JCE 1.2.1
with salt and iteration. The algorithm by default with 'Sun' is 'PBEWithMD5AndDES'. This
provides password protection to retrieve any stored information (both storage and retrieval
should use the same salt and iteration). So I stored a 'dummy' string providing the password,
salt and iteration. I decided to validate the returning user by taking in the password and
decrypting the 'dummy' string, and if 'dummy' is returned the password provided is the correct
one, else it's not.
Though this serves my purpose, I would like to know if this is the best way to do it. I opted for this
just to stay away from storing keys and getting into a bigger loop. But if this is not a good
password protection methodology, I may switch back to storing keys.
But with this method, I can only store a char array in the db and not as a string because, due
to the nature of strings (reason: Immutable, I guess) the conversion of char array to string
back and forth causes failure in decryption.
Peter, my specific questions:
1. How strong can the encryption be in this method (though I may increase salt and iteration)?
2. Apart from Sun are there any other algorithm-providing vendors for password-based encryption?
3. If this method is fine, what is the best way to store a char array in the db: a blob or a lob?
4. If not, which method would you suggest to achieve this in a better way?
5. Difficulties in storing keys if I opt to go with public and private key pairs.
6. Any good resource apart from the Sun site for these topics.
My list of questions may be long but I will be happy with whatever answers you may have.
I paste here the code that I was explaining above, which makes it easier (hopefully) to
know what I was talking about.
Though I could have made one single call to compute the key, I have them separate for
encryption and decryption because it was just a trial run and I did not make any design decisions.
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

class NewerEncrypt {
    // Fixed salt and iteration count, as posted (both must be identical for encryption and decryption).
    byte[] salt = {(byte)0xaa,(byte)0xbb,(byte)0xcc,(byte)0xdd,
                   (byte)0x22,(byte)0x44,(byte)0xab,(byte)0x12 };
    int iterations = 10;
    byte[] ciphertext;
    String convertedct;
    String cipherName = "PBEWithMD5AndDES";

    // Usage: java NewerEncrypt <password used to encrypt> <password used to decrypt>
    public static void main(String args[]) {
        if (args.length < 2) {
            System.out.println("usage: NewerEncrypt <encryptPassword> <decryptPassword>");
            return;
        }
        NewerEncrypt ne = new NewerEncrypt();
        char[] cArray = args[0].toCharArray();
        char[] cArray1 = args[1].toCharArray();
        ne.encryptPassword(cArray);
        ne.decryptPassword(cArray1);
        //System.out.println("Encrypt/Decrypt calls complete");
    }

    public void encryptPassword(char[] cArray) {
        int mode = Cipher.ENCRYPT_MODE;
        try {
            // Compute the key from the password, salt and iteration count
            PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, iterations);
            PBEKeySpec pbeKeySpec = new PBEKeySpec(cArray);
            SecretKeyFactory keyFac = SecretKeyFactory.getInstance(cipherName);
            SecretKey key = keyFac.generateSecret(pbeKeySpec);
            // Construct the cipher and encrypt the marker string
            Cipher descipher = Cipher.getInstance(cipherName);
            descipher.init(mode, key, pbeParamSpec);
            byte[] bArray = "dummy".getBytes();
            ciphertext = descipher.doFinal(bArray);
            // As posted: this String conversion is lossy for arbitrary bytes, which is why the
            // poster stores the raw array rather than the String (see the text above).
            convertedct = new String(ciphertext);
            //System.out.println("Done with encryption, the obtained string is "+
            // convertedct);
        }
        catch (Exception e) {
            System.out.println("Caught exception: " + e);
        }
    }

    public void decryptPassword(char[] cArray) {
        int mode = Cipher.DECRYPT_MODE;
        String afterdecrypt = "";
        try {
            // Compute the key from the password supplied at sign-in, same salt and iterations
            PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, iterations);
            PBEKeySpec pbeKeySpec = new PBEKeySpec(cArray);
            SecretKeyFactory keyFac = SecretKeyFactory.getInstance(cipherName);
            SecretKey key = keyFac.generateSecret(pbeKeySpec);
            // Construct the cipher and decrypt the stored marker
            Cipher descipher = Cipher.getInstance(cipherName);
            descipher.init(mode, key, pbeParamSpec);
            byte[] newciphertext = descipher.doFinal(ciphertext);
            afterdecrypt = new String(newciphertext);
            //System.out.println("Done with decryption, the obtained string is "+
            // afterdecrypt);
            if (afterdecrypt.equals("dummy")) {
                System.out.println("decryption successful !");
            }
            else {
                System.out.println("decryption failure. Password after decryption"
                    + " does not match the one before"
                    + " encryption");
            }
        }
        catch (BadPaddingException e) {
            // A wrong password derives a different DES key, so the padding check fails here
            // (rarely, a wrong key yields valid padding and the equals() check above catches it).
            System.out.println("decryption failure. Wrong password !");
        }
        catch (Exception e) {
            System.out.println("Caught exception: " + e);
        }
    }
}
Thanks once again
Raj
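Raj's marker-decryption check, reworked as an added example (not the thread's code) to show the two practical problems his post raises: the ciphertext must not pass through new String(...), and a wrong password has to be detected from BadPaddingException plus the decrypted bytes rather than from a catch-all. The salt here is random per token and stored alongside the ciphertext in Base64 (the posted code used a fixed salt); the iteration count and the salt:ciphertext format are this example's assumptions. survivesStringRoundTrip uses a constructed three-byte input to show why the String conversion corrupts the ciphertext while Base64 preserves it. The scheme is only as strong as the PBEWithMD5AndDES key derivation; a salted hash as in Peter's reply verifies a password more directly.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeMarkerCheck {
    private static final String CIPHER_NAME = "PBEWithMD5AndDES";   // the thread's algorithm
    private static final int ITERATIONS = 1000;                       // assumption
    private static final byte[] MARKER = "dummy".getBytes(StandardCharsets.US_ASCII);

    // Returns "base64(salt):base64(ciphertext)": the marker encrypted under a key derived from the password.
    public static String createToken(char[] password) throws Exception {
        byte[] salt = new byte[8];                 // PBEWithMD5AndDES expects an 8-byte salt
        new SecureRandom().nextBytes(salt);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, password, salt).doFinal(MARKER);
        return b64(salt) + ":" + b64(ct);
    }

    // True only if decrypting with this password yields exactly the marker bytes.
    public static boolean checkPassword(char[] password, String token) throws Exception {
        int sep = token.indexOf(':');
        if (sep < 0) {
            return false;                          // malformed token
        }
        byte[] salt = Base64.getDecoder().decode(token.substring(0, sep));
        byte[] ct = Base64.getDecoder().decode(token.substring(sep + 1));
        try {
            byte[] pt = cipher(Cipher.DECRYPT_MODE, password, salt).doFinal(ct);
            return Arrays.equals(pt, MARKER);      // wrong key with valid padding still fails here
        } catch (BadPaddingException e) {
            return false;                          // wrong key: DES padding check failed
        }
    }

    private static Cipher cipher(int mode, char[] password, byte[] salt) throws Exception {
        PBEKeySpec keySpec = new PBEKeySpec(password);
        SecretKey key = SecretKeyFactory.getInstance(CIPHER_NAME).generateSecret(keySpec);
        keySpec.clearPassword();
        Cipher c = Cipher.getInstance(CIPHER_NAME);
        c.init(mode, key, new PBEParameterSpec(salt, ITERATIONS));
        return c;
    }

    // Shows why new String(ciphertext) breaks decryption: arbitrary bytes do not survive a
    // round trip through a text charset (UTF-8 chosen explicitly; the posted code used the platform default).
    public static boolean survivesStringRoundTrip(byte[] raw) {
        byte[] back = new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        return Arrays.equals(raw, back);
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        String token = createToken("s3cret".toCharArray());            // constructed sample
        System.out.println("stored token:   " + token);
        System.out.println("right password: " + checkPassword("s3cret".toCharArray(), token));
        System.out.println("wrong password: " + checkPassword("guess".toCharArray(), token));

        byte[] sample = {(byte) 0x80, (byte) 0xFF, 0x41};              // constructed: not valid UTF-8
        System.out.println("bytes survive String round trip: " + survivesStringRoundTrip(sample));
        System.out.println("bytes survive Base64 round trip: "
            + Arrays.equals(sample, Base64.getDecoder().decode(b64(sample))));
    }
}
```

Because the token is Base64 text it can go into an ordinary VARCHAR column, which answers the blob-or-lob question without storing a raw char array at all; the salt travels with the ciphertext, so nothing secret beyond the user's password is needed at sign-in.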