Spring security support for double encryption

Darvesh Niz
Ranch Hand

Joined: May 12, 2008
Posts: 119
Hello

We are enhancing our encryption by double encryption.
Till now we have had only one encryption (SHA-1 hashed), and hence the Spring password encoder has support for this. In the Spring Security file we use the password encoder:
<authentication-provider user-service-ref="userService">
    <password-encoder hash="sha" base64="true">
    </password-encoder>
</authentication-provider>

Now we are enhancing our encryption more: first we generate the SHA-1 hashed string and then again do
BCrypt.hashpw(SHA1HASHEDSTRING, BCrypt.gensalt())

My strong assumption is that since we are doing double encryption I might have to write my own implementing class to first do BCrypt decryption and then do one more decrypt on SHA-1.

Assuming that even if Spring has out-of-the-box support for BCrypt, we still can't plug double decryption into the password encoder.

Please let me know if there is any other better advice.

Thanks
darniz
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1666
Luckily for you, BCrypt was added in Spring 3.1. Luke Taylor has a good post on it:
http://stackoverflow.com/questions/8658584/spring-security-salt-for-custom-userdetails

For usage:
http://stackoverflow.com/questions/8521251/spring-securitypassword-encoding-in-db-and-in-applicationconext

Also see the Javadoc:

http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/bcrypt/BCrypt.html

It's basically plug and play. As for multiple hashing, what is the perceived benefit? I don't understand why this would be necessary.


[How To Ask Questions][Read before you PM me]
Darvesh Niz
Ranch Hand

Joined: May 12, 2008
Posts: 119
Thanks for the quick reply.
As of now we use Spring 2.5 across our company, hence I might need to write my own class.

One thing I found out going by the BCrypt doc: it looks like there is no way we can decrypt an encrypted string. The only method BCrypt provides is
BCrypt.checkpw(rawPass, encPass)

where you can pass the encPass and the rawPass, compare them, and the result is true or false.

The reason I am asking this is that when we store the password we do SHA hash encryption and then do BCrypt encryption.

In order to do authentication, I have to reverse the pattern: decrypt the BCrypt string and then decrypt SHA to get the actual value.

Looks like I can't use multiple encryption. The only reason we did it was for enhanced security, and also we already had user passwords stored as SHA hashes, so we don't want to convert them to plain text and apply BCrypt encryption.

I hope I was able to explain correctly.

Thanks



Darvesh Niz
Ranch Hand

Joined: May 12, 2008
Posts: 119
Anyway, I don't have to decrypt; I can just compare hashes. One more issue I have is the performance problem with this statement
BCrypt.hashpw(entry.getValue(), BCrypt.gensalt())
it takes a lot of time.

Does anyone else have this issue?

Thanks
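
The "just compare hashes" approach from the post above, worked out as an added example (not code from the thread or from Spring): a PasswordEncoder for the Spring Security 2.0.x line that stores BCrypt(Base64(SHA-1(password))) and verifies with BCrypt.checkpw, so nothing is ever "decrypted". It also shows the one property that makes the two-layer scheme worth having here: an existing SHA-1 column can be wrapped in BCrypt in one migration pass without knowing any plaintext. Assumptions: jBCrypt (org.mindrot.jbcrypt.BCrypt) is on the classpath; the interface lives at org.springframework.security.providers.encoding.PasswordEncoder (the 2.0.x package name, assumed); the old hash="sha" base64="true" encoder with no salt stored exactly Base64 of the raw SHA-1 digest (assumed, so the migration matches); and java.util.Base64 is available (Java 8, newer than the Spring 2.5 era).

```java
// Added example, not from the thread: two-layer SHA-1 then BCrypt encoder with
// verification by recomputation rather than decryption.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import org.mindrot.jbcrypt.BCrypt;                                       // assumed on classpath
import org.springframework.security.providers.encoding.PasswordEncoder; // assumed 2.0.x package

public class Sha1ThenBCryptPasswordEncoder implements PasswordEncoder {

    private final int logRounds; // BCrypt cost; gensalt() defaults to 10

    public Sha1ThenBCryptPasswordEncoder(int logRounds) {
        this.logRounds = logRounds;
    }

    /** Base64(SHA-1(raw)): assumed to equal what the old sha/base64 encoder stored. */
    static String sha1Base64(String raw) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(raw.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    /** Wraps an already-stored SHA-1 value in BCrypt; this is the one-off migration step. */
    static String wrapExistingSha1Hash(String sha1Base64, int logRounds) {
        return BCrypt.hashpw(sha1Base64, BCrypt.gensalt(logRounds));
    }

    @Override
    public String encodePassword(String rawPass, Object salt) {
        // The salt argument is unused: BCrypt embeds its own random salt in the result.
        return wrapExistingSha1Hash(sha1Base64(rawPass), logRounds);
    }

    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        // Recompute the inner hash; checkpw re-derives BCrypt with the stored salt and compares.
        return BCrypt.checkpw(sha1Base64(rawPass), encPass);
    }

    public static void main(String[] args) {
        Sha1ThenBCryptPasswordEncoder enc = new Sha1ThenBCryptPasswordEncoder(10);

        // Constructed legacy row: what the old SHA-1 column would hold for this password.
        String legacyStored = sha1Base64("correct horse");
        // Migration wraps the stored value; the plaintext is never needed.
        String migrated = wrapExistingSha1Hash(legacyStored, 10);

        System.out.println("migrated, right password: " + enc.isPasswordValid(migrated, "correct horse", null));
        System.out.println("migrated, wrong password: " + enc.isPasswordValid(migrated, "wrong", null));

        String fresh = enc.encodePassword("new user", null);
        System.out.println("fresh, right password:    " + enc.isPasswordValid(fresh, "new user", null));
    }
}
```

Wire it in with `<password-encoder ref="myEncoder"/>` inside the authentication-provider and declare the class as a bean. Once every row has been wrapped, the verification path is the same for migrated and newly registered users, which is what makes the SHA-1 inner layer a migration artefact rather than extra "encryption".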
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1666
The larger the strength provided to gensalt, the more work will have to be done (exponentially) to hash the passwords. Since you did not specify a number of log rounds, it is defaulting to 10. I guess depending on your available resources that might be what's taking a lot of time. Just to test, try providing a number of log rounds lower than 10 and see what happens ...

i.e.
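
The cost experiment suggested above, as an added example (not code from the post): it times BCrypt.hashpw at a range of log-round values and reads the cost back out of a stored hash, so that the number being tuned is visible in the data. Assumes jBCrypt (org.mindrot.jbcrypt.BCrypt) on the classpath; the sample input is a constructed string standing in for the Base64 SHA-1 value from the thread.

```java
// Added example, not from the thread: probe how the gensalt() cost factor scales hashing time.
import org.mindrot.jbcrypt.BCrypt; // assumed on classpath

public class BCryptCostProbe {

    /** A stored hash looks like $2a$10$<22 salt chars><31 hash chars>; the second field is the cost. */
    static int costOf(String bcryptHash) {
        String[] parts = bcryptHash.split("\\$");
        // parts[0] is empty (leading '$'), parts[1] is the version, parts[2] is the cost
        return Integer.parseInt(parts[2]);
    }

    /** Time a single hashpw call at the given cost; returns wall-clock milliseconds. */
    static long millisToHash(String input, int logRounds) {
        long start = System.nanoTime();
        BCrypt.hashpw(input, BCrypt.gensalt(logRounds));
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        String input = "constructed-sha1-base64-placeholder"; // constructed stand-in for the SHA-1 string

        BCrypt.hashpw(input, BCrypt.gensalt(4)); // warm the JIT so the first timing is not inflated

        // Each +1 in log rounds doubles the Blowfish key-setup work, so time roughly doubles per row.
        for (int cost = 4; cost <= 12; cost++) {
            System.out.printf("log_rounds=%2d  %6d ms%n", cost, millisToHash(input, cost));
        }

        String stored = BCrypt.hashpw(input, BCrypt.gensalt());
        System.out.println("cost read back from a default gensalt() hash: " + costOf(stored));
    }
}
```

Run this on the hardware that will serve logins, not a developer laptop. Lowering the cost is a security trade, not only a performance one: it cuts the attacker's per-guess work by the same factor it cuts yours, so the usual choice is the highest cost that still fits the login latency budget, and the table above is what that decision should be based on.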

 