Shruti Sharma wrote:I need to save username and passwords in the properties file in encrypted format and also decrypt the credentials after reading them from a properties file.
If you are going to validate the password in your application, then symmetric-key encryption is the wrong technology to use. The reason is that you have to keep the decryption key around somewhere to be able to decrypt the passwords. In which case, how do you protect the decryption key? If you leave it lying around in a property file, an attacker can easily find it. If you try to encrypt it with another key, then how do you protect the key-encrypting-key? The problem is a non-trivial one.
The technology you should be using (if your application verifies the passwords) is message digests such as SHA256. This is a "one-way encryption" whose digest value cannot be reversed. But, if you get the same password from the users of your application, then you can compute the SHA256 digest to arrive at the same value, which then allows you to compare the calculated value with the stored value safely. See the discussion of Message Digests in the JCA documentation at java.sun.com.
If your intent is to store the username/password so you can use it to authenticate your application to some remote service, then you should attempt to use a design like what we've used in StrongKey CryptoEngine. In this FOSS, we have a servlet that displays a single web-page for Administrators, accessible only internally within an Operations network. The Administrator types the appropriate information into a form, which is verified by the servlet and then maintained in the servlet context. While it remains in memory, it can be used by the servlet to authenticate to a remote web-service. If the servlet/machine is restarted, the credentials disappear and must be entered again by an authorized entity. Thus, an attacker must have already compromised an Administrator account on the machine to be able to search RAM for this (a non-trivial task if the machine is protected adequately).
Hope that helps.
Arshad Noor
StrongAuth, Inc.
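The first half of the answer above (verify-only storage using a JCA message digest rather than a reversible cipher) as a worked example. This is added code, not from the original post and not StrongKey CryptoEngine code. It goes slightly beyond the post: each stored verifier gets its own random salt (so two users with the same password produce different values and a precomputed digest table is useless), the stored form round-trips through a java.util.Properties file, and the comparison uses MessageDigest.isEqual so its timing does not leak how many bytes matched. The class name, property key and the sample user/password are made up for the example. Note that a single salted SHA-256 is fast to brute-force; for a production password store a practitioner would swap in an iterated construction such as PBKDF2WithHmacSHA256 (also available through JCA) with the same storage and verify pattern shown here.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

/** Hypothetical helper for the example: salted SHA-256 password verifiers kept in a Properties file. */
public class PasswordVerifierStore {

    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** SHA-256 over (salt || UTF-8 password). The salt is prepended, never derived from the password. */
    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    /** Produces the value to store: "base64(salt):base64(digest)". No key is needed to check it later. */
    static String makeVerifier(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                       // fresh random salt per stored password
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(digest(salt, password));
    }

    /** Recomputes the digest with the stored salt and compares in constant time. */
    static boolean verify(String storedVerifier, String candidate) throws NoSuchAlgorithmException {
        String[] parts = storedVerifier.split(":", 2);
        if (parts.length != 2) {
            return false;                          // malformed entry: reject rather than throw
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = digest(salt, candidate);
        return MessageDigest.isEqual(expected, actual);   // length-aware, constant-time compare
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        // Constructed sample: one user, written out and read back in properties-file format.
        // Properties.store() escapes ':' and '=' inside values, so the base64 form survives the round trip.
        Properties props = new Properties();
        props.setProperty("user.shruti.verifier", makeVerifier("correct horse battery"));

        StringWriter out = new StringWriter();
        props.store(out, "password verifiers (salted SHA-256); no decryption key exists");
        System.out.print(out);                     // this is what would land on disk

        Properties loaded = new Properties();
        loaded.load(new StringReader(out.toString()));
        String stored = loaded.getProperty("user.shruti.verifier");

        System.out.println("correct password accepted: " + verify(stored, "correct horse battery"));
        System.out.println("wrong password accepted:   " + verify(stored, "correct horse"));
        System.out.println("garbage entry accepted:    " + verify("not-a-verifier", "anything"));
    }
}
```

The point to take from the post is visible in the code: nothing in the file lets anyone recover the password, so there is no decryption key to hide, which is exactly the problem the symmetric-encryption approach could not solve.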