Encrypting password in a properties file

 
Ranch Hand
Posts: 55
Hi,

I need to save username and passwords in the properties file in encrypted format and also decrypt the credentials after reading them from a properties file.

Can someone tell how to do that?

Is there any sample code to do that?

Thank you,
-Shruti
 
Saloon Keeper
Posts: 7633
177
Is the problem reading/writing a properties file, or encrypting/decrypting a string? If the latter, then the standard Java API for encryption is JCE, and it comes bundled with the Java class libraries. Here's an introduction using the AES cipher: http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html. Note that encrypted data is binary, and so cannot be stored directly in a properties file (which contains text) - you'll need to convert it to text, maybe using something like base-64 encoding.
 
Ranch Hand
Posts: 34
Shruti Sharma wrote: I need to save username and passwords in the properties file in encrypted format and also decrypt the credentials after reading them from a properties file.


If you are going to validate the password in your application, then symmetric-key encryption is the wrong technology to use. The reason is that you have to keep the decryption key around somewhere to be able to decrypt the passwords. In which case, how do you protect the decryption key? If you leave it lying around in a property file, an attacker can easily find it. If you try to encrypt it with another key, then how do you protect the key-encrypting-key? The problem is a non-trivial one.

The technology you should be using (if your application verifies the passwords) is to use message-digests such as SHA256. This is a "one-way encryption" that cannot reverse the digest value. But, if you get the same password from the users of your application, then you can compute the SHA256 digest to arrive at the same value, which then allows you to compare the calculated value with the stored value safely. See discussion of Message Digests in the JCA documentation at java.sun.com.

If your intent is to store the username/password so you can use it to authenticate your application to some remote service, then you should attempt to use a design like what we've used in StrongKey CryptoEngine. In this FOSS, we have a servlet that displays a single web-page for Administrators, accessible only internally within an Operations network. The Administrator types in the appropriate information into a form, which is verified by the servlet and then maintained in the servlet context. While it remains in memory, it can be used by the servlet to authenticate to a remote web-service. If the servlet/machine is restarted, the credentials disappear and must be entered by an authorized entity. Thus, an attacker must have already compromised an Administrator account on the machine to be able to search RAM for this (a non-trivial task if the machine is protected adequately).

Hope that helps.

Arshad Noor
StrongAuth, Inc.
 