Originally posted by verduka fox:
I have been doing some research in the Java Cryptography package
So have I. I had to. I wrote the security and cryptography chapters of this book.
1) I am using WebSphere Studio 3.5.4 and VisualAge for Java Advanced Edition version 3.5.3. When I click Help -- About VAJ, it says it is using JDK 1.2.2. How do I use the cryptography package with this tool? [...] How do I get the cryptography package to work with VAJ?
For earlier versions of J2SE, you can download JCE 1.2.1 from the Sun JCE pages. Just install it as a system extension and you should be able to use it from within VAJ or any other tool. I cannot advise you on any specific support VAJ may have.
2) Are there any tutorials available with a working example included for cryptography?
JCE itself comes with pretty decent documentation and some samples. If there's any problem, post to the "Other Java APIs" forum and/or drop me a mail and I'll try to help.
3) Now I'm wondering if the Java cryptography package is my best solution. I just need to encrypt one value -- the password. Is there perhaps a better implementation of security for this purpose than the Java cryptography?
Be wary, very wary of implementations you do yourself or that you find somewhere on the 'net. It is very easy to create insecure encryption implementations and very difficult to create secure ones. If you decide that a hash will do the job, you're in luck - J2SE (1.2 and above) contains support for both MD5 and SHA-1 message digests in the core java.security.* API. You won't have to bother with JCE.
4) Could anyone provide a brief overview of how the cryptography package works? I'm looking for a nuts-and-bolts tutorial, but before I begin there I'd like to read a high-level overview of how this package works.
The entire JCA (Java Cryptography Architecture) is based on "providers". There are abstract classes representing most things you'd want to use - key factories, message digests, ciphers, etc. These classes have static factory methods (getInstance()) and sometimes initialisation methods (init()).
5) One last thing: how secure is the cryptography package? If I implement this solution, how confident can I be that the site will be secure?
JCA and JCE use first-rate implementations of widely accepted, secure cryptographic algorithms (alright, DES has been cracked, but you can use Triple-DES). If you want algorithms not provided by Sun, you can use another provider such as Cryptix. But algorithms are just one side of the picture. Often an application turns out to be as (in)secure as the cryptography skills of the person writing it.
Whoa! That's not a cryptographically secure hash. Avoid.
You then save the hash and the salt in a database (or wherever). When it comes to comparing a given password with the stored one, you read both the salt and the hash that had been stored in the database and:
If match is true, the password has been validated.
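The two things the thread describes in prose, the JCA "ask a provider for an algorithm by name" pattern (getInstance()) and the salt-then-hash, store-both, recompute-and-compare procedure for passwords, put together in one runnable class. This is an added example, not code from the thread or from any of its posters. It is written for a current JDK (7 or later, for StandardCharsets), uses only core java.security.* classes as the answer above says you can, and the names StoredCredential, enroll, verify and the sample password are assumptions made here for illustration. It keeps SHA-1 because that is what the thread discusses; for a new design a dedicated password hash (PBKDF2 via SecretKeyFactory, bcrypt, scrypt or Argon2) is the right choice, and MD5 and SHA-1 should not be picked for anything new.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

/**
 * Added example: JCA factory pattern plus the salted-hash store/verify
 * procedure from the thread. Only core java.security.* is used, so no
 * JCE installation is needed. Class and method names are assumed here.
 */
public class SaltedPasswordHash {

    /** Stand-in for the two columns you would keep in the database. */
    public static final class StoredCredential {
        public final byte[] salt;
        public final byte[] hash;
        StoredCredential(byte[] salt, byte[] hash) {
            this.salt = salt;
            this.hash = hash;
        }
    }

    // SHA-1 and MD5 both ship with core J2SE; SHA-1 is used to match the thread.
    private static final String DIGEST = "SHA-1";
    private static final int SALT_LENGTH = 16;

    /** JCA pattern: getInstance() asks the installed providers, in order, for an implementation. */
    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(DIGEST);
        md.update(salt);                                            // salt first, then the password
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    /** Enrolment: fresh random salt per password; store salt and hash side by side. */
    static StoredCredential enroll(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_LENGTH];
        new SecureRandom().nextBytes(salt);                         // never reuse a salt across users
        return new StoredCredential(salt, digest(salt, password));
    }

    /** Verification: read salt and hash back, recompute with the stored salt, compare. */
    static boolean verify(StoredCredential stored, String candidate) throws NoSuchAlgorithmException {
        byte[] recomputed = digest(stored.salt, candidate);
        // MessageDigest.isEqual rather than Arrays.equals: it does not stop at the
        // first differing byte, so the comparison time does not leak how much matched.
        return MessageDigest.isEqual(stored.hash, recomputed);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Which providers are installed, and which one actually serves SHA-1.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " - " + p.getInfo());
        }
        System.out.println(DIGEST + " served by: "
                + MessageDigest.getInstance(DIGEST).getProvider().getName());

        // An algorithm no default provider offers: this is where a third-party
        // provider such as the Cryptix one mentioned in the thread would come in.
        try {
            MessageDigest.getInstance("Whirlpool");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("no installed provider offers: " + e.getMessage());
        }

        // Constructed sample password for the demonstration.
        String password = "correct horse battery staple";
        StoredCredential cred = enroll(password);
        System.out.println("salt=" + hex(cred.salt) + " hash=" + hex(cred.hash));
        System.out.println("right password verifies: " + verify(cred, password));
        System.out.println("wrong password verifies: " + verify(cred, "Correct horse battery staple"));

        // Enrolling the same password again yields a different salt and hence a
        // different hash, which is the point of salting.
        StoredCredential again = enroll(password);
        System.out.println("same hash for second enrolment: " + Arrays.equals(cred.hash, again.hash));
    }
}
```

Run it with `javac SaltedPasswordHash.java && java SaltedPasswordHash`; the provider listing will differ by JDK, the Whirlpool lookup should fail on a stock JDK, and the two verify lines should print true and false.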
Originally posted by Pranit Saha: