Password Encryption and Decryption

Bunty Paul
Greenhorn

Joined: Jun 26, 2006
Posts: 28
Hi,


Can somebody help me out in encryption and decryption of a password?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

The JavaDocs are a good place to start. There is good related documentation linked from there too.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Jesper de Jong
Java Cowboy
Saloon Keeper

Joined: Aug 16, 2005
Posts: 14074
    

Can you explain in more detail what you want to do? Do you want to store passwords in a database or file or somewhere else in encrypted form?

One technique that is used very frequently (for example, it is how most versions of Unix store passwords of user accounts in the file /etc/passwd) is the following:

Instead of storing the password itself, you store a "digest" of the password. There are several different algorithms to create the digest, for example SHA and MD5. Those digest algorithms are one-way algorithms: you can encrypt data with them, but it is not possible to decrypt it (you can't get the original data back out of the digest).

When someone logs on to your system, the user types in his or her password. Your program now computes the digest of the password that the user typed in, and compares that digest to the digest in the database. If the two are the same, then the correct password was typed in.

So you see, the trick here is that if you know the digest, you don't know the password, because the algorithm only works one way.

Java has methods to compute digests over data: see the class java.security.MessageDigest.


Java Beginners FAQ - JavaRanch SCJP FAQ - The Java Tutorial - Java SE 7 API documentation
Scala Notes - My blog about Scala
Bunty Paul
Greenhorn

Joined: Jun 26, 2006
Posts: 28
Originally posted by Jesper Young:
Can you explain in more detail what you want to do? Do you want to store passwords in a database or file or somewhere else in encrypted form?

One technique that is used very frequently (for example, it is how most versions of Unix store passwords of user accounts in the file /etc/passwd) is the following:

Instead of storing the password itself, you store a "digest" of the password. There are several different algorithms to create the digest, for example SHA and MD5. Those digest algorithms are one-way algorithms: you can encrypt data with them, but it is not possible to decrypt it (you can't get the original data back out of the digest).

When someone logs on to your system, the user types in his or her password. Your program now computes the digest of the password that the user typed in, and compares that digest to the digest in the database. If the two are the same, then the correct password was typed in.

So you see, the trick here is that if you know the digest, you don't know the password, because the algorithm only works one way.

Java has methods to compute digests over data: see the class java.security.MessageDigest.


I want to store the password in a MySQL database table in encrypted form.
Again I need to decrypt whenever I need, for example during password verification.
I want some encryption and decryption program in Java using any algorithm.
I have got a lot of encryption methods through Google but have not got any decryption algorithm.
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18545
    

Originally posted by Bunty Paul:

I want to store the password in a MySQL database table in encrypted form.
Again I need to decrypt whenever I need, for example during password verification.
I want some encryption and decryption program in Java using any algorithm.
I have got a lot of encryption methods through Google but have not got any decryption algorithm.


Take a look at Jesper's post again. He is suggesting that decrypt is *not* necessary for the case of password validation. Basically, you challenge the user for the password, you then encrypt the value entered, and compare it with the encrypted password -- no need for decrypt.

Anyway... if this is a case where you need to decrypt, Google for the javax.crypto.Cipher class. It is built into Java 1.4 core, and supports a large number of algorithms.

Henry


Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)
fred rosenberger
lowercase baba
Bartender

Joined: Oct 02, 2003
Posts: 11168
    

Being able to decrypt a password is a bad idea. If someone gets access to your database, they have access to everything by decrypting passwords. It is inherently unsafe.

I don't understand why you need to decrypt for password verification. You're saying you want to decrypt the password, and compare that to what the user types in. Instead, you should encrypt what the user types in, and compare that to the stored, encrypted password.


There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors
 