Encrypting password in a properties file

Shruti Sharma
Ranch Hand

Joined: Mar 25, 2010
Posts: 55

I need to save username and passwords in the properties file in encrypted format and also decrypt the credentials after reading them from a properties file.

Can someone tell me how to do that?

Is there any sample code to do that?

Thank you,

Tim Moores

Joined: Sep 21, 2011
Posts: 2408
Is the problem reading/writing a properties file, or encrypting/decrypting a string? If the latter, then the standard Java API for encryption is JCE, and it comes bundled with the Java class libraries. Here's an introduction using the AES cipher: http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html. Note that encrypted data is binary, and so cannot be stored directly in a properties file (which contains text) - you'll need to convert it to text, maybe using something like base-64 encoding.
Arshad Noor
Ranch Hand

Joined: Oct 06, 2011
Posts: 34
Shruti Sharma wrote: I need to save username and passwords in the properties file in encrypted format and also decrypt the credentials after reading them from a properties file.

If you are going to validate the password in your application, then symmetric-key encryption is the wrong technology to use. The reason is that you have to keep the decryption key around somewhere to be able to decrypt the passwords. In which case, how do you protect the decryption key? If you leave it lying around in a property file, an attacker can easily find it. If you try to encrypt it with another key, then how do you protect the key-encrypting-key? The problem is a non-trivial one.

The technology you should be using (if your application verifies the passwords) is to use message-digests such as SHA256. This is a "one-way encryption" that cannot reverse the digest value. But, if you get the same password from the users of your application, then you can compute the SHA256 digest to arrive at the same value, which then allows you to compare the calculated value with the stored value safely. See discussion of Message Digests in the JCA documentation at java.sun.com.

If your intent is to store the username/password so you can use it to authenticate your application to some remote service, then you should attempt to use a design like what we've used in StrongKey CryptoEngine. In this FOSS, we have a servlet that displays a single web-page for Administrators, accessible only internally within an Operations network. The Administrator types in the appropriate information into a form, which is verified by the servlet and then maintained in the servlet context. While it remains in memory, it can be used by the servlet to authenticate to a remote web-service. If the servlet/machine is restarted, the credentials disappear and must be entered by an authorized entity. Thus, an attacker must have already compromised an Administrator account on the machine to be able to search RAM for this (a non-trivial task if the machine is protected adequately).

Hope that helps.

Arshad Noor
StrongAuth, Inc.