Encryption and Decryption - DB2 and JPA

Karina Guenther
Ranch Hand

Joined: Sep 16, 2005
Posts: 55
I'm creating a db that stores encrypted pwds. I need to be able to decrypt them. I plan on using DB2's encrypt and decrypt command, but our company uses JPA to connect to the DB and while I know I could use @NamedQueries to specifically state my queries, I wonder if JPA has a default that I should use. I'm new to JPA. Could you point me in the right direction?
Oliver Chua
Greenhorn

Joined: Feb 27, 2004
Posts: 29
Hi,

I don't think there's an encryption/decryption support in JPA.
You would have to do the encryption in the business/service layer as opposed to domain/data layer.

What we usually do is use an api (SAAJ, etc) to encrypt passwords when they are inserted.
When retrieving, the password supplied is encrypted and compared to the encrypted string in the database,
and the user is allowed to login.
This means there is really no need for decryption.
Karina Guenther
Ranch Hand

Joined: Sep 16, 2005
Posts: 55
I guess I wasn't clear upon the purpose of my task. The passwords being stored are not to be used to compare for logins. They are being used to track application logins into servers. We have a problem where the passwords expired and our apps fail and we have only one person who knows what the old password is or can reset it. I know that app passwords should be non-expiring but there are various reasons that it is difficult to achieve. Our apps also have to access servers that are not under our control and we need to be able to track those as well. As a result, they do need to be decrypted so that an authorized person can read them in the clear.
Oliver Chua
Greenhorn

Joined: Feb 27, 2004
Posts: 29
Hi Kari,

To be able to decrypt the existing password, you can read the encrypted string from the database using JPA,
then decrypt it in the service layer.

The above solution will work although I have concerns about security.
The majority of applications/systems consider it a security issue to send a customer's existing password by email.
What's stopping anyone from running this service to get customer's passwords?

Most would have a security question and answer filled up during registration.
When the customer forgets password, he supplies his username, security question/answer,
and a randomly generated password is emailed to him.
He will be forced to immediately change the password after he logs in.
Karina Guenther
Ranch Hand

Joined: Sep 16, 2005
Posts: 55
Where would I go to find how to decrypt the password in the service layer? Remember the passwords I'm keeping track of are passwords used by batch applications and not user passwords to the applications that control those batch programs. The e-mail will not contain the password - only a warning that the password is scheduled to expire so that someone can take action to reset the passwords so that the batch programs won't fail. There is a separate password system that controls access to all of these apps.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41509
The SecurityFaq points to some resources about JCE, the standard Java API for cryptography. Of course, encryption/decryption requires a key, so the problem of protecting passwords has now been transformed into the problem of protecting the encryption key.


Ping & DNS - my free Android networking tools app
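As an added example (not code from this thread, nor from DB2 or any JPA provider), the service-layer approach Oliver describes done with the JCE API Ulf points to: AES-GCM with the key supplied from outside the code, so the stored value can be decrypted by an authorized caller and the key is the one secret left to protect. The class name, the CREDENTIAL_VAULT_KEY environment variable and the sample password are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

/** Reversible encryption of stored service-account passwords, done in the
 *  service layer with JCE rather than in the database. Hypothetical class:
 *  the entity field is a plain String that holds the value encrypt() returns. */
public final class CredentialVault {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();

    /** rawKey (32 bytes for AES-256) comes from outside the code base, e.g. a
     *  keystore or an environment variable; it is never a literal in the build. */
    public CredentialVault(byte[] rawKey) {
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Returns base64(iv || ciphertext || tag); this is what goes in the column. */
    public String encrypt(String password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);                      // fresh IV for every record
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Decrypts a stored value; doFinal throws AEADBadTagException if the
     *  row was altered or a different key is in use. */
    public String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Assumed: CREDENTIAL_VAULT_KEY holds 32 base64-encoded key bytes.
        byte[] k = Base64.getDecoder().decode(System.getenv("CREDENTIAL_VAULT_KEY"));
        CredentialVault v = new CredentialVault(k);
        String stored = v.encrypt("batch-svc-password");   // constructed sample
        System.out.println(v.decrypt(stored));
    }
}
```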
Karina Guenther
Ranch Hand

Joined: Sep 16, 2005
Posts: 55
I finally found my solution: use JPA's executeNativeQuery and build my own query with the required DB2 encryption and decryption phrases. The encryption key will be stored as part of the build.