In my java web app, admin account will create user account, where the password will be encrypted, using StandardPasswordEncoder class, that's easy. But how to encrypt the admin password, which i already stored in MySQL database?
how to encrypt the admin password, which i already stored in mysql
database?
You can edit your password :
UPDATE table_name SET pass = MD5(pass);
-- --------------------------^^^-------
-- This can be any Standard encryption algorithm, you can check the link above
You can take a look about Encryption and Compression Functions
how if i only want to encrypt only the admin password? the other users
password will be encrypted by admin in java controller class.
You can mark your password like a master admin for example you can add a column in your table that make difference between the admin and the ordinary users, consider you have a big enterprise in this case one admin account is not enough, you need many admin accounts, and in base of this column you can encrypt the admin account with an algorithm and the others with another algorithm.
Encrypt password using SHA-256
I managed to encrypt the admin password, but i can't log in to my web
app coz the StandardPasswordEncoder class in the web app is using
SHA-256 hashing algorithm
SHA-256 != MD5, this is clear so you have to use the same algothm in the both side code and database, in your case you are using SHA-256 i assume you are using a function like this :
CODE
public static String sha256(String base) {
try {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(base.getBytes("UTF-8"));
StringBuilder hexString = new StringBuilder();
for (int i = 0; i < hash.length; i++) {
String hex = Integer.toHexString(0xff & hash[i]);
if (hex.length() == 1) {
hexString.append('0');
}
hexString.append(hex);
}
return hexString.toString();
} catch (UnsupportedEncodingException | NoSuchAlgorithmException ex) {
throw new RuntimeException(ex);
}
}
This will encrypt admin like this :
admin = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
DATABASE
So in your database you have to encrypt your password like this :
SELECT SHA2('admin', 256);
The update query should look like this :
UPDATE table_name SET pass = SHA2(pass, 256) WHERE admin_master = true;
-- -------------Field to check if it is admin or not ---^
So when you try to log in you have to check if it is admin or not, if admin encrypt your password with SHA-256 and check if the user exist or not, else if the user is ordanary user, check with your previouse algorithm.
Hope this can give you an idea.
Related
I'm developing a Java client application that connects to a web service. For this web service, I need an authentication secret (password/token/...). How can I store this password securely within the Operating Systems "default" Key-Store System?
(By "default" I mean a standard tool provided by the OS, e.g. on Mac there is a "Keychain Access" application that stores certificates and passwords. Some applications manage to store their passwords there and each time the password is needed the Operating System itself provides a dialog asking for permission. Or on Windows, there is the Data Protection API.)
So far I came across this question about storing certificates and Java's KeyStore class. And managed to write the following:
//Loading the OS default keystore
KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
ks.load(null, null);
//Reading keys
Enumeration<String> aliases = ks.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (ks.isKeyEntry(alias)) {
Key key = ks.getKey(alias, "anything".toCharArray()); //this invokes the OS popup
if (key == null) {
System.err.println(alias + " could not be read");
} else {
System.out.println(alias + " (algorithm = " + key.getAlgorithm() + ", format = " + key.getFormat() + ")");
}
}
}
//Writing keys (does not work yet)
String secretExample = "my very secret secret";
SecretKey generatedSecret = SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(secretExample.toCharArray()));
ks.setKeyEntry("my.app.Secret", generatedSecret, null, null); //throws java.security.KeyStoreException: Key protection algorithm not found: java.security.KeyStoreException: Key is not a PrivateKey
ks.setKeyEntry("my.app.Secret", secretExample.getBytes(), null); //throws java.security.KeyStoreException: key is not encoded as EncryptedPrivateKeyInfo
With this I can already read some keys but have not been able to write any. The last two lines are my not working possible solutions (each throws a different exception).
I think storing passwords securely is a very general problem. I would like to address it by using the options provided by Operating Systems. How can I do that?
How can I improve my code to work?
How can I improve my code to also work under different OS?
Is there a library I can use to store data using options provided by the OS?
What other options do I have?
java.security.KeyStore was not created to deal with passwords. It is a storage facility for cryptographic keys and certificates. While you can try to use it to store passwords since it can for example store private keys, I would advise you against that, because KeyStore's API is cumbersome as you saw yourself and was not designed for your use case.
How to store passwords in Windows, Linux or macOS
There is the Java Keyring library. It stores passwords in:
Keychain on macOS
Credential Manager on Windows
DBus Secret Service on GNOME
Here's how to use it:
public static void main(String[] args) throws Exception {
Keyring keyring = Keyring.create();
String serviceName = "test-app";
String accountName = "test-account";
keyring.setPassword(serviceName, accountName, "test-password");
String password = keyring.getPassword(serviceName, accountName);
System.out.println(password);
}
Gradle
implementation 'com.github.javakeyring:java-keyring:1.0.1'
Maven
<dependency>
<groupId>com.github.javakeyring</groupId>
<artifactId>java-keyring</artifactId>
<version>1.0.1</version>
</dependency>
If you want to support desktop environments other than GNOME you would probably have to come up with your own solution or search for a different library, but this should get you started.
JKS used to be the standard KeyStore format in Java (till Java 8). It uses quite weak encryption and is limited. E.g. it can not store SecretKey instances.
IMHO the apple specific KeyStore or at least the Java access to it has similar limitations.
In case you consider to create a KeyStore independent from OS and use a portable solution instead, you can choose a different format such as PKCS12 or JCEKS. For details see here:
http://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview
In that case you should be aware that creating a new KeyStore with Java code is tricky. The easiest way is to use keytool (commandline tool that comes with JDK) to create your initial KeyStore. Then you can easily use load and store methods to load it and save changes.
In case you manage to get it working with the OS specific KeyStore you actually do not have to create it as it is already there.
It's for a desktop app, so only I want basic login security and I though to use one function to encrypt password and another which I pass pass password from UI and hash save into db and returns true o false depends on if matches or not.
I try to use pooled version from official jasypt website, and I can encrypt but I don't know how to decrypt it.
//Function to encrypt password
public static String cifrarClave(String clave) {
PooledStringDigester digester = new PooledStringDigester();
digester.setPoolSize(4);
digester.setAlgorithm("SHA-1");
digester.setIterations(50000);
digester.setSaltSizeBytes(32);
//String return is hash that I save into db
return digester.digest(clave);
}
//Function to decrypt password
//clave is old plain that user enter from UI and I want to compare from hash save it into db
public static boolean validarClave(String clave, String hash) {
PooledStringDigester digester = new PooledStringDigester();
digester.setPoolSize(4);
digester.setAlgorithm("SHA-1");
digester.setIterations(50000);
String digest = digester.digest(clave);
//Always fails at that point, I get different hash from compare clave
return digester.matches(digest, hash);
}
I'm a newbie in security, so I don't know much about security, I accept other suggestions or alternatives, I only want a working example.
You're using the jasypt's matches(message, digest) function incorrectly when you are calling it with two hash digests instead of the plaintext message and the previously computed digest.
In your validarClave(), you're first unnecessarily computing a digest from the user's plaintext password (clave) which you then pass to the matcher:
String digest = digester.digest(clave);
//Always fails at that point, I get different hash from compare clave
return digester.matches(digest, hash);
Your method will work correctly if you simply pass the plaintext password to the matcher, as follows:
digester.matches(clave, hash);
More info is available at jasypt's javadocs and code examples.
I encrypt my password using this syntax in java
EncryptionAlgorithm algorithm = EncryptionAlgorithmFactory.getEncryptionAlgorithm(EncryptionAlgorithmFactory.SUNBEEN_V1);
String encryptedPassword = algorithm.encrypt(password);
Input : 123
output in encrypted : QL0AFWMIX8NRZauqi4sKCKuhiiIynqH/XF7L277vIQGDCwgjAQCpAA==.
my question is how i decrypt my password using SUNBEEN_V1
i also search in google sunbeen_V1 did not get any search result.
Any Idea regarding sunbeen_V1.
thanks.
I am currently creating application using Java, I googled password encryption with java but the results are so enormous I felt overwhelmed. How would I encrypt and decrypt a password using Java? And what is the best practice for encrypting and decrypting passwords? I am guessing MD5 is not a way to go since it is a one way hash. I am using struts2 as my framework, was wondering if they provide password encryption
Updated:
Try JBCrypt:
String password = "MyPassword123";
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));
System.out.println(hashed); // $2a$12$QBx3/kI1SAfwBDFOJK1xNOXK8R2yC7vt2yeIYusaqOisYbxTNFiMy
Download jBCrypt-0.3 from here, check README file for more details.
Also I don't recommend to use MD5 because, it's already broken. Instead of that you can use SHA512 it's secure hashing method, you can use MessageDigest. Below code I am using in one of my project, which works perfectly
public String encode(String password, String saltKey)
throws NoSuchAlgorithmException, IOException {
String encodedPassword = null;
byte[] salt = base64ToByte(saltKey);
MessageDigest digest = MessageDigest.getInstance("SHA-512");
digest.reset();
digest.update(salt);
byte[] btPass = digest.digest(password.getBytes("UTF-8"));
for (int i = 0; i < ITERATION_COUNT; i++) {
digest.reset();
btPass = digest.digest(btPass);
}
encodedPassword = byteToBase64(btPass);
return encodedPassword;
}
private byte[] base64ToByte(String str) throws IOException {
BASE64Decoder decoder = new BASE64Decoder();
byte[] returnbyteArray = decoder.decodeBuffer(str);
if (log.isDebugEnabled()) {
log.debug("base64ToByte(String) - end");
}
return returnbyteArray;
}
well, as I know we have following some algorithm to secure password.
MD5 -
PBKDF2 -
SHA -
BCrypt and SCrypt -
among this BCrypt and SCrypt are the more secure way for password security.
There is quite nice project dedicating to solving that problem in Java.
Essentially, it provides two ways of encrypting user passwords:
- MD5
- SHA1
Take a look to the link:
jasypt
for me i see that MD5 its the best way and you don't need to decrypt the password in case the user forgot his password you can give him a way to generate a new one and for the log in you can compare just the hash existing in the data base and the one entred by the user
Always use ONE WAY HASH ALGORITHM.
I would say GO with MD5 hashing. While storing password in DB, use MD5 hashing. So that if you have your password as pass, after hashing it will get stored as asjasdfklasdjf789asdfalsdfashdflasdf (32 character).
As you said, you want to de-crypt the password also. I would say don't do that. While checking the password against DB, what you can do is hash the password and compare that string with what you have in database.
if (DoHashMD5(myPass).equals(rs.getString(2))) {
System.out.print("You are registered user!!!");
} else {
System.out.print("Invalid user!!!");
}
here rs.getString(2) would be your query parameter.
I would like to create a file protected by a password in JAVA.
What I mean is, once I launch the program, one file created by my program would be directly protected by previously determined password.
Is there an easy way to do it ?
Once again, my aim is not to create a file and then add it a password, but right during the creation protecting the file by a password.
Actually, I want the current runner program not having access in reading/editing the created file EXCEPT if he/she has the password previously set.
So anyway, if some of you know an easy way to protect files when writing them thanks to java, I would be most grateful.
Have a nice day!
You want to encrypt your file('s content) with a password. Here is a pretty well known library to do it: http://www.jasypt.org/
From their site:
..encrypting and decrypting a text...
BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
textEncryptor.setPassword(myEncryptionPassword);
String myEncryptedText = textEncryptor.encrypt(myText);
...
String plainText = textEncryptor.decrypt(myEncryptedText);
You can read/write the encrypted content to your file.
When you want to encrypt files, strings, etc there are 2 main approaches.
You should start by building a class or method to convert ur string/file to an array of bytes. Build another method to convert the array of bytes back to the string/file.
You may encrypt a file using 2 approaches:
1 - Symmetric key - A secret word (usually a huge string of chars or a password set by the user) will encrypt your file and password, and the same password will be used to decrypt.
2 - Asymmetric key - You generate a pair of keys. One is called the public key and the other is called a private key. Public keys are used to encrypt files, private keys to decrypt.
This would be the more 'professional' approach.
If you want a really safe approach, you should download GnuPG. GnuPG is an executable that manages assymmetric encryption, you may build a class to work with GnuPG and let GnuPG manage ur encryption/decryption process.
Theres an unsafe approach that is 'native' to java (symmetric key) that may work out for you:
Encryption:
byte[] key = //... password converted to an array of bytes
byte[] dataToSend = ...
Cipher c = Cipher.getInstance("AES");
SecretKeySpec k =
new SecretKeySpec(key, "AES");
c.init(Cipher.ENCRYPT_MODE, k);
byte[] encryptedData = c.doFinal(dataToSend);
Decryption:
byte[] key = //
byte[] encryptedData = //
Cipher c = Cipher.getInstance("AES");
SecretKeySpec k =
new SecretKeySpec(key, "AES");
c.init(Cipher.DECRYPT_MODE, k);
byte[] data = c.doFinal(encryptedData);
Hope this helps.
If the file is a plain text file, then not giving the user access to the file without a password in your program does not really password-protect the data, because the user can just open the file with some other program. So IF the file is a text file, then I think you must use encryption.
You can use the comment by #mazaneicha to help you get started in this direction. If you want to dive more into it, you can look at the Java Cryptography architectre and the javax.crypto java docs.
If your file is not human-readable, and only your program understands it, then I would make the first line or first n Bytes of the file a password. If you prefer, you could save another password file in the same directory and use that to authenticate the user before deciding if the user has the right to view the file. A common way to encrypt a password is with an MD5 hash function. The user enters a password, you compute the hash of it, then compare the computed hash with the hash value read from the file:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/**
* Use to encrypt passwords using MD5 algorithm
* #param password should be a plain text password.
* #return a hex String that results from encrypting the given password.
*/
static String encryptPassword(String password) {
try {
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(password.getBytes());
byte byteData[] = md.digest();
StringBuilder hexString = new StringBuilder();
for (int i=0;i<byteData.length;i++) {
String hex=Integer.toHexString(0xff & byteData[i]);
if(hex.length()==1)
hexString.append('0');
hexString.append(hex);
}
return hexString.toString();
}
catch(java.security.NoSuchAlgorithmException missing) {
return password;
}
}