As a general rule, jasypt expects encrypted configuration parameters to appear surrounded by "ENC(...)".
For example, in appConfig.properties file I have following properties:
databaseurl = sampleurl
username = username
password = password
If I encrypt my password; if I get 'G6N718UuyPE5bHyWKyuLQSm02auQPUtm' as encrypted value and surrounded this value with ENC("") function in .properties file.
password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)
How to decrypt this value?
Should I code such a way that only content of the ENC function is taken and decrypted? or there is any other way.
[1]: http://www.jasypt.org/encrypting-configuration.html I am using this link as reference.
If you use the Jasypt class EncryptableProperties, this is handled for you without any additional work. If you want to use a different method to decrypt the data, you'll need to strip ENC( and ) from the string, decode the Base64 contents to raw bytes, and then use a Cipher which is configured with the same encryption key as derived by Jasypt.
Related
Good day, I have used google/tink to encrypt a password for storing in a DB using these steps :
// 1. Generate the key material.
KeysetHandle keysetHandle =
KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM);
// 2. Get the primitive.
Aead aead = AeadFactory.getPrimitive(keysetHandle);
// 3. Use the primitive to encrypt a plaintext,
byte[] ciphertext = aead.encrypt(plaintext, aad);
It basically converts password into the bytes, but when i convert it into string to store into the DB, It stores the encrypted password in this format : -�#~�k�D߶{�.
But i want to store the password in the format like 11As7737Cs9ue9oo09 using tink encryption.
Is there any way to do it?
Manish, you might not want to encrypt the passwords. You want to hash them. Tink doesn't support password hashing yet, but we can add support if there's enough interest.
Could you please file for a feature request at https://github.com/google/tink/issues/new?
I agree with everyone here that you SHOULD NOT store passwords in the clear.
However, to answer your question because I think it's a common problem when you get some cipher text and the string is unreadable. Say you wanted to store non password data encrypted, and readable. You would need to Base64 encode your cipher text.
When you retrieve your Base64 encoded data back from the database, you would then need to Base64 decode the String and then run it through your decryption process. Building on your example,
String readable = new String(java.util.Base64.getEncoder().encode(cipherText));
byte[] bytesToDecrypt = java.util.Base64.getDecoder().decode(readable.getBytes());
I'm using java-aes-crypto for encrypting strings in android. After generating key using this code
AesCbcWithIntegrity.SecretKeys keys = AesCbcWithIntegrity.generateKey();
and I'm saving it as String(.toString()) in a file and after that I'm trying to retrieve it from that file and convert it to the same object. How can I do that?
Use the following static method in the AesCbcWithIntegrity class (link):
/**
* An aes key derived from a base64 encoded key. This does not generate the
* key. It's not random or a PBE key.
*
* #param keysStr a base64 encoded AES key / hmac key as base64(aesKey) : base64(hmacKey).
* #return an AES and HMAC key set suitable for other functions.
*/
public static SecretKeys keys(String keysStr) throws InvalidKeyException {...}
It properly parses the previously serialized keys into the encryption key and the integrity key.
On going through the link,one can see that you need to use the following code to convert the encrypted String into the desired one.
//Use the constructor to re-create the CipherTextIvMac class from the string:
CipherTextIvMac cipherTextIvMac = new CipherTextIvMac (cipherTextString);
String plainText = AesCbcWithIntegrity.decryptString(cipherTextIvMac, **keys**);
The keys is the same key that was used while encryption.
As you can see, you need to store the key to decrypt it. The link also provides the precaution to store the key
Once you've generated a random key, you naturally might want to store
it. This may work for some use cases, but please be aware that if you
store the key in the same place that you store the encrypted data,
your solution is not cryptographically sound since the attacker can
just get both the key and the encrypted text. Instead, you should use
either the Keystore infrastructure or consider generating the key from
a passphrase and using that to encrypt the user data.
If despite the above you still want to store the key, you can convert
the keys to a string using the included functions and store them in
preferences or SQLite.
I have a token in String format such as:
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.K52jFwAQJH-DxMhtaq7sg5tMuot_mT5dm1DR_01wj6ZUQQhJFO02vPI44W5nDjC5C_v4pW1UiJa3cwb5y2Rd9kSvb0ZxAqGX9c4Z4zouRU57729ML3V05UArUhck9ZvssfkDW1VclingL8LfagRUs2z95UkwhiZyaKpmrgqpKX8azQFGNLBvEjXnxxoDFZIYwHOno290HOpig3aUsDxhsioweiXbeLXxLeRsivaLwUWRUZfHRC_HGAo8KSF4gQZmeJtRgai5mz6qgbVkg7jPQyZFtM5_ul0UKHE2y0AtWm8IzDE_rbAV14OCRZJ6n38X5urVFFE5sdphdGsNlA.gjI_RIFWZXJwaO9R.oaE5a-z0N1MW9FBkhKeKeFa5e7hxVXOuANZsNmBYYT8G_xlXkMD0nz4fIaGtuWd3t9Xp-kufvvfD-xOnAs2SBX_Y1kYGPto4mibBjIrXQEjDsKyKwndxzrutN9csmFwqWhx1sLHMpJkgsnfLTi9yWBPKH5Krx23IhoDGoSfqOquuhxn0y0WkuqH1R3z-fluUs6sxx9qx6NFVS1NRQ-LVn9sWT5yx8m9AQ_ng8MBWz2BfBTV0tjliV74ogNDikNXTAkD9rsWFV0IX4IpA.sOLijuVySaKI-FYUaBywpg
Now I want to decrypt this String through some java library and ultimately want to access the payload. Anyone done this so far ?
The assertion you shared with us is a JWE serialized in its compact representation. It has 5 parts separated by a dot (.) which are:
Part 1: the header (eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ)
Part 2: the encrypted key - depending on the algorithm, it may be an empty string - (K52jFwAQJH-DxMhtaq7sg5tMuot_mT5dm1DR_01wj6ZUQQhJFO02vPI44W5nDjC5C_v4pW1UiJa3cwb5y2Rd9kSvb0ZxAqGX9c4Z4zouRU57729ML3V05UArUhck9ZvssfkDW1VclingL8LfagRUs2z95UkwhiZyaKpmrgqpKX8azQFGNLBvEjXnxxoDFZIYwHOno290HOpig3aUsDxhsioweiXbeLXxLeRsivaLwUWRUZfHRC_HGAo8KSF4gQZmeJtRgai5mz6qgbVkg7jPQyZFtM5_ul0UKHE2y0AtWm8IzDE_rbAV14OCRZJ6n38X5urVFFE5sdphdGsNlA)
Part 3: the initialisation vector - IV depending on the algorithm, it may be an empty string - (gjI_RIFWZXJwaO9R)
Part 4: the cyphertext (oaE5a-z0N1MW9FBkhKeKeFa5e7hxVXOuANZsNmBYYT8G_xlXkMD0nz4fIaGtuWd3t9Xp-kufvvfD-xOnAs2SBX_Y1kYGPto4mibBjIrXQEjDsKyKwndxzrutN9csmFwqWhx1sLHMpJkgsnfLTi9yWBPKH5Krx23IhoDGoSfqOquuhxn0y0WkuqH1R3z-fluUs6sxx9qx6NFVS1NRQ-LVn9sWT5yx8m9AQ_ng8MBWz2BfBTV0tjliV74ogNDikNXTAkD9rsWFV0IX4IpA)
Part 5: the Additional Authentication Data - AAD - (sOLijuVySaKI-FYUaBywpg)
The header indicates at least the
Key Encryption Algorithm (alg) used to encrypt the content encryption key (CEK)
Content Encryption Algorithm (enc) used in conjunction with the CEK to encrypt the content.
In your case, The alg is RSA-OAEP and the enc is A128GCM.
According to these algorithm, you should have a RSA private key to decrypt the CEK and then use it to decrypt the cyphertext.
https://jwt.io mentioned in the accepted answer will not be useful as it does not support JWE, but JWS. The result shown with a JWE input will not give you the decrypted payload.
However, the https://connect2id.com/products/nimbus-jose-jwt resource will help you as it seems that the algorithms used for your token are supported.
You probably don't necessarily need a library:
String token = eyJ....;
String[] splitToken = JWTEncoded.split("\\.");
// splitToken[0] is the header, splitToken[1] is the payload and
// splitToken[2] is the signature
byte[] decodedBytes = Base64.decode(splitToken[1], Base64.URL_SAFE);
// You don't have to convert it to string but it really depends on what type
// data you expect
String payload = new String(decodedBytes, "UTF-8");
https://jwt.io has a nice little decrypter for you to test data
In regards to JWE the only library I could find is this and an example to unencrypted JWE tokens can be found at the bottom of this page.
Note: I haven't tested this library so I won't be of much use beyond this, but it seems fairly straight forward.
It's for a desktop app, so only I want basic login security and I though to use one function to encrypt password and another which I pass pass password from UI and hash save into db and returns true o false depends on if matches or not.
I try to use pooled version from official jasypt website, and I can encrypt but I don't know how to decrypt it.
//Function to encrypt password
public static String cifrarClave(String clave) {
PooledStringDigester digester = new PooledStringDigester();
digester.setPoolSize(4);
digester.setAlgorithm("SHA-1");
digester.setIterations(50000);
digester.setSaltSizeBytes(32);
//String return is hash that I save into db
return digester.digest(clave);
}
//Function to decrypt password
//clave is old plain that user enter from UI and I want to compare from hash save it into db
public static boolean validarClave(String clave, String hash) {
PooledStringDigester digester = new PooledStringDigester();
digester.setPoolSize(4);
digester.setAlgorithm("SHA-1");
digester.setIterations(50000);
String digest = digester.digest(clave);
//Always fails at that point, I get different hash from compare clave
return digester.matches(digest, hash);
}
I'm a newbie in security, so I don't know much about security, I accept other suggestions or alternatives, I only want a working example.
You're using the jasypt's matches(message, digest) function incorrectly when you are calling it with two hash digests instead of the plaintext message and the previously computed digest.
In your validarClave(), you're first unnecessarily computing a digest from the user's plaintext password (clave) which you then pass to the matcher:
String digest = digester.digest(clave);
//Always fails at that point, I get different hash from compare clave
return digester.matches(digest, hash);
Your method will work correctly if you simply pass the plaintext password to the matcher, as follows:
digester.matches(clave, hash);
More info is available at jasypt's javadocs and code examples.
I've implemented a security system in my app with RSA.
I've generated the public and private keys using Keyczar Tool. Using just keyczar I can encrypt with public key and decrypt with private key with no problems at all.
I want to encrypt some data in JS and then pass it to Java. For this I'm trying to use this library (https://github.com/ziyan/javascript-rsa) but I'm not being able to encrypt the data or at least not encrypting the data correctly (it's bigger than with keyczar).
How can I encrypt with this tool using my public key? Can anyone help me?
There is not a javascript client for keyczar, so if you want to produce ciphertext consumable by keyczar.
Look at the keyczar public key format you will need to provide the public key info from your server to your javascript encryptor.
http://code.google.com/p/keyczar/wiki/RsaPublicKey
Alternatively, it looks like your javascript library will read PEM format. You can use the KeyczarTool to export your public key in PEM format with the export.
Look at the Keyczar ciphertext format for rsa
http://code.google.com/p/keyczar/wiki/CiphertextFormat
You'll need to prepend the header to your ciphertext generate with the javascript.
Technically you need to produce a keyhash to append a proper header, but a given header will always be identical for a given key regardless of the ciphertext, so you could just provide it with your public key generated by the java keyczar code.