any suggestiong for encrypting password(String)?

mak zoe
Greenhorn

Joined: Mar 21, 2010
Posts: 8
I am working on a class which needs a method for encrypting a password, which is a String,
as it will be sent towards a servlet. I need to make sure the password is encrypted so that people may not know the exact password even if something bad happens during the transmission.

What I need is just simple, simple and simple; a short method is needed.
I am thinking of multiplying the string with a constant and dividing it back for decryption....

Any suggestion?
Or any similar method shown on the net?

Thanks~!
Kunal Mittal
Greenhorn

Joined: Mar 25, 2010
Posts: 2
Hey, I am new to the forum, but I am using a method to encrypt and decrypt a string in Java. So I can surely send it to you..
shivendra tripathi
Ranch Hand

Joined: Aug 26, 2008
Posts: 263
Why don't you use BASE64Encoder and BASE64Decoder classes?


SCJP 1.5(97%) My Blog
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 39409
Kunal Mittal, please don't ask people to contact you privately. I have deleted your e-mail address (I hope you don't mind, Rob, Jesper, Robert) so all discussion can be where everybody can take part. And also it will reduce the risk of spammers picking up your address.
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19720

shivendra tripathi wrote: Why don't you use BASE64Encoder and BASE64Decoder classes?

Because that's not proper encryption; anyone who has a Base64 decoder can decode the "encrypted" string without even needing a key. javax.crypto.Cipher is a better option. I always use it in combination with the Blowfish algorithm.

Campbell Ritchie wrote: I have deleted your e-mail address (I hope you don't mind, Rob, Jesper, Robert)

I was just going to do that myself, but when I pressed reply it was already gone


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Or just use HTTPS.

But any trivial encryption, particularly when the output of the algorithm makes it obvious what was used, is just that: trivial, and should not be relied upon to provide anything approaching "secure".
Jesper de Jong
Java Cowboy
Saloon Keeper

Joined: Aug 16, 2005
Posts: 14269

mak zoe wrote: I am thinking of multiplying the string with a constant and dividing it back for decryption....

Any hacker who seriously wants to get to the password will break anything as simple as that very quickly.

Java Beginners FAQ - JavaRanch SCJP FAQ - The Java Tutorial - Java SE 8 API documentation
Manish Singh
Ranch Hand

Joined: Jan 26, 2007
Posts: 160
use HTTPS protocol
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 39409
Rob Prime wrote: . . . I was just going to do that myself . . .
You mean I managed to do something before you?
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19720

You sure did!
Charles Bradley
Greenhorn

Joined: Oct 04, 2009
Posts: 25
Here is an approach that usually, but not always, works well. It is always quite secure, but the method of handling a forgotten password might make it not the best approach in some applications. Use a hash function that cannot be undone, often called a trapdoor function. The server stores the hash. The client applies the same hash function to the password. If the hash matches the stored hash, the password was correct. The password was never in the clear.
When the user forgets the password, the system assigns a new password and sets a bit requiring the user to change it on the next use. Secure Socket Layer protects the password in transit, and this approach protects it against bad guys that break into the server.
mak zoe
Greenhorn

Joined: Mar 21, 2010
Posts: 8
Rob Prime wrote:
shivendra tripathi wrote: Why don't you use BASE64Encoder and BASE64Decoder classes?

Because that's not proper encryption; anyone who has a Base64 decoder can decode the "encrypted" string without even needing a key. javax.crypto.Cipher is a better option. I always use it in combination with the Blowfish algorithm.

Hey Rob,
What's special about using Blowfish?
What are the differences and advantages over the other algorithms?
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19720

Blowfish is a proven encryption algorithm that allows both encryption and decryption. That means that, unlike MD5 and other hashing algorithms, you can get the original value back if you have the right key. There are others like that (I believe AES is one), but when I needed one I found Blowfish first, and never needed anything else.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

And let's face it: "Blowfish" is just a *cool* name for an algorithm.
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1773

David Newton wrote: And let's face it: "Blowfish" is just a *cool* name for an algorithm.


And that should always be the most important criterion when picking...anything.
Which is why I prefer Serpent over Blowfish, and let's face it, which is why we're all Java developers, because no programming language or platform could possibly top that name.
Although I always kind of missed the letter 'X' in there, somewhere, until JavaFX anyway. The letter 'X' always instantly boosts coolness, and should be used as often as possible.
Been thinking about working it into my name, actually.


Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18896

Rob Prime wrote: ... but when I needed one I found Blowfish first, and never needed anything else.



I mix them up... when I need one, initially I try to find a new one -- or now, because I have done many, randomly pick one of the known strong algorithms.

Why? I am paranoid. And if an algorithm gets broken, I like to mitigate the work that I need to do, to go back and fix the broken ones. And changing an algorithm, after the application has stored tons and tons of keys into a database, is not simple.

Henry


Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)
mak zoe
Greenhorn

Joined: Mar 21, 2010
Posts: 8
As I am actually sending the encrypted password through the InputStream using the HttpConnection,
how can I handle the byte[] using read()?

poor student with poor programming knowledge:(
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

mak zoe wrote: As I am actually sending the encrypted password through the InputStream using the HttpConnection,
how can I handle the byte[] using read()?

This is a really bad idea. You should send text over HTTP unless you know what you are doing.

If you insist on doing your own crypto, which I strongly recommend that you do not attempt, then you have to take the user-entered String and convert it to a byte[], because all known crypto algorithms are defined on arrays of octets, which are essentially byte[].
Then you do the crypto algorithm, which yields another array of byte values, which you need to convert to easy-to-read and easy-to-transmit text using MIME encoding.

mak zoe
Greenhorn

Joined: Mar 21, 2010
Posts: 8
What is MIME?
Would you mind explaining it more practically?

Is there no way to read byte[] using HttpConnection?
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

You need to do more research. MIME is a way to encode (not encrypt) binary data as text. Google for it.

Yes, technically one can read and write binary over HTTP, but I do not recommend it to folks who don't understand a fair amount of the details. Your questions indicate that you need more research and experience before I would feel comfortable getting into details. This is not for folks just learning the basics.
mak zoe
Greenhorn

Joined: Mar 21, 2010
Posts: 8
Do you mean that I need to..
first get the string from the user,
then do the crypto algorithm,
then convert it using MIME,
then send the MIME encoding,
and then on the receiver side, do it the other way round?
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

mak zoe wrote: Do you mean that I need..

Close, but check what was posted up thread more carefully.

first get the string from the user,
then convert the String to a byte[] array,
then do the crypto algorithm,
then convert it using MIME,
then send the MIME encoding,
and then on the receiver side, do it the other way round.

Fun, right? That is why other folks upthread suggested that you use HTTPS or SSL (which are the same thing).

Worse, the point of any crypto algorithm is to take a bunch of bytes and make them look like garbage. This is what it does when it works properly. There is no way to debug it. The only real test is to do the front process, and then do the receiving side and make sure that you get what you sent. The problem is that any errors along the way will take what you start with and make it look like binary garbage.
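Rob's javax.crypto.Cipher suggestion and the String -> byte[] -> cipher -> MIME -> reverse pipeline listed above, combined into one added round-trip example that is not code from the thread; it swaps Blowfish for AES in GCM mode (an authenticated cipher, so tampering with the wire text is detected on decryption) and uses java.util.Base64 as the MIME-style text encoding. The key size, IV size and tag length are assumptions, and the key is assumed to be shared out of band.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: the full sender/receiver pipeline from the thread, with the
// "did I get back what I sent" check that is the only real test of it.
public class CipherRoundTrip {
    private static final int IV_BYTES = 12;    // assumption: standard GCM nonce size
    private static final int TAG_BITS = 128;   // assumption: full-length authentication tag

    // Sender: String -> byte[] -> Cipher -> Base64 text that is safe to put in an HTTP request.
    static String encryptToText(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);                      // fresh IV for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];          // wire format: iv || ciphertext || tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Receiver: Base64 text -> byte[] -> Cipher -> String.
    // A modified or truncated message fails here with AEADBadTagException instead of yielding garbage.
    static String decryptFromText(SecretKey key, String text) throws Exception {
        byte[] in = Base64.getDecoder().decode(text);
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();                      // shared out of band, never sent alongside the message
        String original = "s3cret-passw0rd";                   // constructed sample input
        String wireText = encryptToText(key, original);
        String received = decryptFromText(key, wireText);
        if (!received.equals(original)) throw new AssertionError("round trip failed");
        System.out.println("wire text: " + wireText);
        System.out.println("round trip ok: " + received.equals(original));
    }
}
```

Without the authentication tag (for example with Blowfish in CBC mode) a corrupted or altered message decrypts to the "binary garbage" Pat describes and nothing flags it; with GCM the receiver gets an exception it can log and act on.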