
Spring security support for double encryption

Darvesh Niz
Ranch Hand
Posts: 121
Hello

We are enhancing our encryption by double encryption.
Till now we have had only one encryption (SHA-1 hashed), and Spring's password encoder has support for this. In the Spring Security file we use the password encoder:
<authentication-provider user-service-ref="userService">
    <password-encoder hash="sha" base64="true">
    </password-encoder>
</authentication-provider>

Now we are enhancing our encryption more: first we generate the SHA-1 hashed string and then again do
BCrypt.hashpw(SHA1HASHEDSTRING, BCrypt.gensalt())

My strong assumption is that, since we are doing double encryption, I might have to write my own implementing class to first do BCrypt decryption and then do one more decrypt on SHA-1.

I am assuming that even if Spring has out-of-the-box support for BCrypt, we still can't plug double decryption into the password encoder.

Please let me know if there is any other better advice.

Thanks
darniz
Bill Gorder
Bartender
Posts: 1682
Luckily for you, BCrypt was added in Spring 3.1. Luke Taylor has a good post on it:
http://stackoverflow.com/questions/8658584/spring-security-salt-for-custom-userdetails

For usage:
http://stackoverflow.com/questions/8521251/spring-securitypassword-encoding-in-db-and-in-applicationconext

Also see the Javadoc:

http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/bcrypt/BCrypt.html

It's basically plug and play. As for multiple hashing, what is the perceived benefit? I don't understand why this would be necessary.
Darvesh Niz
Ranch Hand
Posts: 121
Thanks for the quick reply.
As of now we use Spring 2.5 across our company, hence I might need to write my own class.

One thing I found out going by the BCrypt doc: it looks like there is no way we can decrypt an encrypted string. The only method BCrypt provides is
BCrypt.checkpw(rawPass, encPass)

where you can pass the encPass and the rawPass, compare them, and the result is true or false.

The reason I am asking this is that when we store the password we do SHA hash encryption and then do BCrypt encryption.

In order to do authentication, I have to reverse the pattern: decrypt the BCrypt string and then decrypt SHA to get the actual value.

Looks like I can't use multiple encryption. The only reason we did it was for enhanced security, and also we already had user passwords stored as SHA hashes, so we don't want to convert them to plain text and apply BCrypt encryption.

I hope I was able to explain correctly.

Thanks
Darvesh Niz
Ranch Hand
Posts: 121
Anyway, I don't have to decrypt; I can just compare hashes. One more issue I have is the performance problem with this statement:
BCrypt.hashpw(entry.getValue(), BCrypt.gensalt())
It takes a lot of time.

Does anyone else have this issue?

Thanks
Bill Gorder
Bartender
Posts: 1682
The larger the strength provided to gensalt, the more work will have to be done (exponentially) to hash the passwords. Since you did not specify a number of log rounds, it is defaulting to 10. I guess, depending on your available resources, that might be what's taking a lot of time. Just to test, try providing a number of log rounds lower than 10 and see what happens ...

i.e.

 
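Putting the thread together as an added example (my own code, not either poster's): a pre-hashing encoder that wraps the existing Base64(SHA-1) values in bcrypt so they verify with BCrypt.checkpw rather than any decryption, plus a loop that times hashpw at several log-round settings. It assumes the spring-security-crypto BCrypt class Bill linked is on the classpath and Java 8+ for java.util.Base64; the class name Sha1ThenBcryptEncoder and its methods are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import org.springframework.security.crypto.bcrypt.BCrypt;

/** Hypothetical encoder: bcrypt over the existing Base64(SHA-1) values, verified with checkpw. */
public final class Sha1ThenBcryptEncoder {
    private final int logRounds; // bcrypt cost; each +1 doubles the hashing work

    public Sha1ThenBcryptEncoder(int logRounds) { this.logRounds = logRounds; }

    /** Mirrors <password-encoder hash="sha" base64="true"/> with no salt source. */
    static String sha1Base64(String rawPassword) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest(rawPassword.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 missing from JCA", e);
        }
    }

    /** Migration: wrap a stored SHA-1 value in bcrypt; the plaintext is never needed. */
    public String wrapExistingSha1(String storedSha1Base64) {
        return BCrypt.hashpw(storedSha1Base64, BCrypt.gensalt(logRounds));
    }

    /** Login: recompute the inner SHA-1 from the submitted password, then let bcrypt compare. */
    public boolean matches(String rawPassword, String storedBcrypt) {
        return BCrypt.checkpw(sha1Base64(rawPassword), storedBcrypt);
    }

    public static void main(String[] args) {
        String legacy = sha1Base64("correct horse"); // constructed stand-in for an old DB row
        Sha1ThenBcryptEncoder enc = new Sha1ThenBcryptEncoder(10);
        String migrated = enc.wrapExistingSha1(legacy);
        System.out.println("right password accepted: " + enc.matches("correct horse", migrated));
        System.out.println("wrong password accepted: " + enc.matches("wrong", migrated));
        // Cost check for the "it takes a lot of time" question: time hashpw per log-round setting.
        for (int rounds = 4; rounds <= 12; rounds += 2) {
            long start = System.nanoTime();
            BCrypt.hashpw(legacy, BCrypt.gensalt(rounds));
            System.out.printf("log rounds %2d: %d ms%n", rounds,
                    (System.nanoTime() - start) / 1_000_000);
        }
    }
}
```

Migrating a row means calling wrapExistingSha1 on the column value you already have; the only cost knob is the log-rounds argument to gensalt, which the timing loop lets you measure on your own hardware.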