Sure We are using SSL only, https login page. But in the Servlet Whether I need to encode the user Id or password or SessionID ?. Or any other security tips please.
You could store the password as a one-way hash like MD5 or SHA. That way, even someone peeking at your database would not be able to see clear-text passwords.
Meet Gaurav
Ranch Hand
Joined: Oct 08, 2008
Posts: 492
posted
0
Thanks bear...
For MD5 can we use base64.jar
EX:
Actual Password : Password123
Can I encrypt the password using base64.jar and then store the password in the database ? Am I rite.
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35232
7
posted
0
Base-64 is not an encryption, it is an encoding that is easily reversed; it provides no security at all.
You also should no longer use MD5, it is obsolete; use SHA-2 (in the shape of SHA-256) instead.
I downloaded the jasypt jar for SHA-2 Encryption. But I didn't get any sample code to encrypy the password and to compare it with user entered password. Please assist me
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35232
7
posted
0
SHA-2 is not an encryption, it's a hash. With all due respect, if you think that base-64 and SHA are ciphers, then IMO you are not qualified to implement security for a computer system.
Note that you do not need any extra library like jasypt - the standard Java class libraries have everything you need. Here's an example of how to do that: http://www.exampledepot.com/egs/java.security/Digest.html Do not use "MD5", though, use "SHA-256". The way to compare the password to some other password is to digest both, and then to compare the digest arrays.
Meet Gaurav
Ranch Hand
Joined: Oct 08, 2008
Posts: 492
posted
0
Ulf Thanks a lot for your valuable time.
Something I tried as per your guidence, Could you please confirm whether am going on the rite path.
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35232
7
posted
0
You're sort of on the right way, with a couple of caveats:
"String" PwdRetrivedFromDB: the digest is binary, it can't be stored as character data in the DB (and thus can't be a Java String after retrieving it). If for some reason you need to use a character field, then you need to base-64 encode the digest before storing it.
You need to reset() the MessageDigest object between uses.
Meet Gaurav
Ranch Hand
Joined: Oct 08, 2008
Posts: 492
posted
0
Ulf once again thanks for your help. Now am clear.
I tried
1. convert user ped to byte array pass it to MessageDigest to ("SHA-256") return a byte array
2. encode using base64 return a string
3. store it in DB
4. Retrive the value from DB then decode using base64 return a byte array
5. pass the byte array to MessageDigest to ("SHA-256") return a byte array
6. then compare to digest byte.
It's returning true...
Thanks a lot Ulf..
what's the difference between
import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
and
import org.apache.soap.encoding.soapenc.Base64;
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35232
7
posted
0
what's the difference between com.sun.org.apache.xerces.internal.impl.dv.util.Base64 and org.apache.soap.encoding.soapenc.Base64
They most likely have slightly different APIs. In terms of functionality, there's hopefully no difference, since Base-64 is a standard.
import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
and
import org.apache.soap.encoding.soapenc.Base64;
As Ulf said, the output from the same should be the same.
The big difference to us, as application developers is that we've been told not to directly rely on packages that start with "sun.com.".
Sun makes it very clear in their documentation that this a bad idea and that anything in those packages is subject to change without notice.
Those packages are for their internal use.
In later versions of javac, you will actually get a warning when you try to compile code that relies on these packages.
0
