I need to save username and passwords in the properties file in encrypted format and also decrypt the credentials after reading them from a properties file.
Can someone tell how to do that?
Is there any sample code to do that?
Is the problem reading/writing a properties file, or encrypting/decrypting a string? If the latter, then the standard Java API for encryption is JCE, and it comes bundled with the Java class libraries. Here's an introduction using the AES cipher: http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html. Note that encrypted data is binary, and so cannot be stored directly in a properties file (which contains text) - you'll need to convert it to text, maybe using something like base-64 encoding.
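The round trip described in this reply (encrypt with JCE, base-64 the binary result so it fits in a text properties file, decode and decrypt on the way back) as an added, self-contained example; this is not code from the linked article or from the poster. It assumes Java 8 or later, uses AES/GCM (an authenticated mode, so a tampered value fails to decrypt rather than silently yielding garbage) with a fresh random IV prepended to each ciphertext, and writes to a file name `credentials.properties` chosen here for the demo. The key is generated in `main` for illustration only; the values `appuser` and `s3cr3t-example` are constructed sample credentials.

```java
import java.io.FileReader;
import java.io.FileWriter;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EncryptedProperties {
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;    // 96-bit nonce, the recommended GCM IV size
    private static final int TAG_BITS = 128;   // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    // Encrypts a UTF-8 string and returns base64(iv || ciphertext || tag),
    // which is plain ASCII and therefore safe to store as a property value.
    public static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);  // fresh nonce per call; reusing an IV with the same key breaks GCM
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Reverses encrypt(): splits off the IV, decrypts, and verifies the tag.
    // A modified property value raises javax.crypto.AEADBadTagException here.
    public static String decrypt(SecretKey key, String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Demo only: a real deployment must obtain the key from somewhere an
        // attacker who can read the properties file cannot also read.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);  // use 128 on older JREs without unlimited-strength policy files
        SecretKey key = kg.generateKey();

        // Write: every value in the file is text, never raw cipher bytes.
        Properties props = new Properties();
        props.setProperty("db.user", encrypt(key, "appuser"));             // constructed sample
        props.setProperty("db.password", encrypt(key, "s3cr3t-example"));  // constructed sample
        try (FileWriter w = new FileWriter("credentials.properties")) {
            props.store(w, "values are base64(iv || AES-GCM ciphertext || tag)");
        }

        // Read back and decrypt.
        Properties loaded = new Properties();
        try (FileReader r = new FileReader("credentials.properties")) {
            loaded.load(r);
        }
        System.out.println("db.user = " + decrypt(key, loaded.getProperty("db.user")));
    }
}
```

Because GCM is authenticated, the decrypt side distinguishes "wrong key or edited file" (an exception) from a successful decrypt, which a CBC-style mode without a MAC would not do; the harder question of where the key itself lives is exactly what the next reply raises.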
Shruti Sharma wrote: I need to save username and passwords in the properties file in encrypted format and also decrypt the credentials after reading them from a properties file.
If you are going to validate the password in your application, then symmetric-key encryption is the wrong technology to use. The reason is that you have to keep the decryption key around somewhere to be able to decrypt the passwords. In which case, how do you protect the decryption key? If you leave it lying around in a property file, an attacker can easily find it. If you try to encrypt it with another key, then how do you protect the key-encrypting-key? The problem is a non-trivial one.
The technology you should be using (if your application verifies the passwords) is to use message-digests such as SHA256. This is a "one-way encryption" that cannot reverse the digest value. But, if you get the same password from the users of your application, then you can compute the SHA256 digest to arrive at the same value, which then allows you to compare the calculated value with the stored value safely. See discussion of Message Digests in the JCA documentation at java.sun.com.
If your intent is to store the username/password so you can use it to authenticate your application to some remote service, then you should attempt to use a design like what we've used in StrongKey CryptoEngine. In this FOSS, we have a servlet that displays a single web-page for Administrators, accessible only internally within an Operations network. The Administrator types in the appropriate information into a form, which is verified by the servlet and then maintained in the servlet context. While it remains in memory, it can be used by the servlet to authenticate to a remote web-service. If the servlet/machine is restarted, the credentials disappear and must be entered by an authorized entity. Thus, an attacker must have already compromised an Administrator account on the machine to be able to search RAM for this (a non-trivial task if the machine is protected adequately).
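The "verify, don't decrypt" approach from this reply (store a SHA-256 message digest of the password in the properties file and compare digests at login) as an added example; it is not code from the poster or from StrongKey. Two things go beyond what the reply states and are added here as standard practice: a random per-user salt, so that two users with the same password get different stored values and precomputed digest tables are useless, and an iteration count to slow down offline guessing. The property-key naming (`user.<name>.pwhash`), the `salt$digest` layout, the iteration count and the sample password are all choices made for this example; a purpose-built password KDF (PBKDF2, available through `SecretKeyFactory` with `PBKDF2WithHmacSHA256`, or bcrypt/scrypt) is the better choice for new code, but the `MessageDigest` version below shows the mechanism the reply describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

public class PasswordDigestStore {
    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100_000;  // chosen for the example; tune to your hardware
    private static final SecureRandom RNG = new SecureRandom();

    // Produces "base64(salt)$base64(digest)"; only this string is stored, never the password.
    public static String hashPassword(String password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] digest = digest(salt, password);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest);
    }

    // Recomputes the digest from the stored salt and compares in constant time.
    public static boolean verifyPassword(String stored, String candidate) throws Exception {
        int sep = stored.indexOf('$');
        if (sep < 0) {
            return false;  // malformed record: fail closed
        }
        byte[] salt = Base64.getDecoder().decode(stored.substring(0, sep));
        byte[] expected = Base64.getDecoder().decode(stored.substring(sep + 1));
        byte[] actual = digest(salt, candidate);
        // MessageDigest.isEqual does not short-circuit on the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    // h0 = SHA-256(salt || password); h_i = SHA-256(salt || h_{i-1}) for ITERATIONS rounds.
    private static byte[] digest(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance(ALGORITHM);
        md.update(salt);
        byte[] h = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < ITERATIONS; i++) {
            md.reset();
            md.update(salt);
            h = md.digest(h);
        }
        return h;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one user record kept in a Properties object,
        // which store()/load() would write to and read from a text file.
        Properties users = new Properties();
        users.setProperty("user.alice.pwhash", hashPassword("correct horse battery"));

        String record = users.getProperty("user.alice.pwhash");
        System.out.println("stored   : " + record);
        System.out.println("right pw : " + verifyPassword(record, "correct horse battery"));  // true
        System.out.println("wrong pw : " + verifyPassword(record, "wrong guess"));            // false
    }
}
```

Nothing in the file lets the application, or anyone who copies the file, recover the original password; the only operation the record supports is "does this candidate produce the same digest", which is all a login check needs.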