• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Devaka Cooray
  • Ron McLeod
  • Jeanne Boyarsky
Sheriffs:
  • Liutauras Vilda
  • paul wheaton
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Piet Souris
  • Carey Brown
  • Tim Holloway
Bartenders:
  • Martijn Verburg
  • Frits Walraven
  • Himai Minh

Java Security

 
Ranch Hand
Posts: 458
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
How difficult is it write an Java program that prompts the user for a userid and password?

The specific need is to secure an applet on a web-server that allows access to an internal system.
Is this fairly advanced Java?
 
Trailboss
Posts: 23548
IntelliJ IDE Firefox Browser Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If the data is not too sensitive, it is pretty easy. If the data is sensitive, then you will want to at least encrypt the stuff going back and forth.
My opinion on passwords: Never store the actual password, store the CRC of the password. The applet should not send the password over the web, it should send the CRC. If the CRC's match, then the password is good.
 
Ranch Hand
Posts: 18944
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Ho do i use this class to check for the crc value
 
Sheriff
Posts: 7000
6
Eclipse IDE Python C++ Debian Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I don't want to get into an argument, but surely sending the CRC and comparing it on the server is actually less secure than using the password. A CRC is a numeric value, and thus limited in range, (say a Java int limited to 32 bits, or even a long at 64 bits), whereas an arbitrary length character string has far more possibilities, and thus a lesser chance of being found by random or sequential selection.
For real security, you need an algorithmic approach such as the server sending a challenge, and the applet replying with the correct answer, which depends on the challenge.
 
Ray Marsh
Ranch Hand
Posts: 458
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What about encryption, or is that what you are refering to Frank?
 
Frank Carver
Sheriff
Posts: 7000
6
Eclipse IDE Python C++ Debian Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Well, encryption by itself doesn't help much for password authentication. An attacker can copy the encrypted password as easily as the unencrypted one.
The challenge-response mechanism, on the other hand works like this:
1. The server asks a question
2. The client answers it
3. The server checks the answer agains the question.
As a very simple example, consider a system where both the client and the server each have a copy of an array of 1000 randomly generated numbers, created when the system was compiled. When the client trys to log in, the server chooses a random index from 1 to 1000 and asks the client for the number at that position in the "code book".
Simply intercepting the datastream between the client and the server is not enough to be able to spoof the login process. The answer won't be the same next time. This approach can be made as complex as you like, and include things like the date, time or IP address of the client in the reply for extra security.
 
If you live in a cold climate and on the grid, incandescent light can use less energy than LED. Tiny ad:
the value of filler advertising in 2021
https://coderanch.com/t/730886/filler-advertising
reply
    Bookmark Topic Watch Topic
  • New Topic