Password Encryption and Decryption

 
Bunty Paul
Greenhorn
Hi,


Can somebody help me out in encryption and decryption of a password?
 
Paul Sturrock
Bartender
The JavaDocs are a good place to start. There is good related documentation linked from there too.
 
Jesper de Jong
Java Cowboy
Saloon Keeper
Can you explain in more detail what you want to do? Do you want to store passwords in a database or file or somewhere else in encrypted form?

One technique that is used very frequently (for example, it is how most versions of Unix store passwords of user accounts in the file /etc/passwd) is the following:

Instead of storing the password itself, you store a "digest" of the password. There are several different algorithms to create the digest, for example SHA and MD5. Those digest algorithms are one-way algorithms: you can encrypt data with them, but it is not possible to decrypt it (you can't get the original data back out of the digest).

When someone logs on to your system, the user types in his or her password. Your program now computes the digest of the password that the user typed in, and compares that digest to the digest in the database. If the two are the same, then the correct password was typed in.

So you see, the trick here is that if you know the digest, you don't know the password, because the algorithm only works one way.

Java has methods to compute digests over data: see the class java.security.MessageDigest.
 
Bunty Paul
Greenhorn
Originally posted by Jesper Young:
Can you explain in more detail what you want to do? Do you want to store passwords in a database or file or somewhere else in encrypted form?

One technique that is used very frequently (for example, it is how most versions of Unix store passwords of user accounts in the file /etc/passwd) is the following:

Instead of storing the password itself, you store a "digest" of the password. There are several different algorithms to create the digest, for example SHA and MD5. Those digest algorithms are one-way algorithms: you can encrypt data with them, but it is not possible to decrypt it (you can't get the original data back out of the digest).

When someone logs on to your system, the user types in his or her password. Your program now computes the digest of the password that the user typed in, and compares that digest to the digest in the database. If the two are the same, then the correct password was typed in.

So you see, the trick here is that if you know the digest, you don't know the password, because the algorithm only works one way.

Java has methods to compute digests over data: see the class java.security.MessageDigest.


I want to store the password in a MySQL database table in encrypted form.
Again, I need to decrypt whenever I need, for example during password verification.
I want some encryption and decryption program in Java using any algorithm.
I have got a lot of encryption methods through Google but have not got any decryption algorithm.
 
Henry Wong
author
Marshal
Originally posted by Bunty Paul:

I want to store the password in a MySQL database table in encrypted form.
Again, I need to decrypt whenever I need, for example during password verification.
I want some encryption and decryption program in Java using any algorithm.
I have got a lot of encryption methods through Google but have not got any decryption algorithm.


Take a look at Jesper's post again. He is suggesting that decrypt is *not* necessary for the case of password validation. Basically, you challenge the user for the password, you then encrypt the value entered, and compare it with the encrypted password -- no need for decrypt.

Anyway... if this is a case where you need to decrypt, Google for the javax.crypto.Cipher class. It is built into Java 1.4 core, and supports a large number of algorithms.

Henry
 
fred rosenberger
lowercase baba
Bartender
Being able to decrypt a password is a bad idea. If someone gets access to your database, they have access to everything by decrypting passwords. It is inherently unsafe.

I don't understand why you need to decrypt for password verification. You're saying you want to decrypt the password, and compare that to what the user types in. Instead, you should encrypt what the user types in, and compare that to the stored, encrypted password.
 