I have used the Spring Security Crypto module for data encryption. Now I want to search this encrypted data in the database, but I have no idea how to search it. Please post something if you have already faced this type of problem.
You'll have to decrypt it first. You cannot search encrypted data unless you've deliberately chosen homomorphic encryption and you haven't. Note that homomorphic encryption isn't used too much in practice. Normally encrypted data should be indistinguishable from random.
All I want to do is use a public key to encrypt a token so that it can be decrypted on the other end using the private key.
I used the following command to create a keypair, but now I'm unsure of how to load the public key in my code in order to encrypt the token:
$ ssh-keygen -t rsa -b 4096
What java libraries do I use to load the key and use it to encrypt a String? Along with a code example, I'd also be interested in any reading materials for greater understanding and clarity.
I found a good example in Java (and many other languages) of encrypting an SSO token in the uservoice/developer docs. I pasted the Java code on Pastebin (hope uservoice does not mind!) as it is a little too long to paste here.
On another note... I would suggest you have a look at JWT tokens and OAuth for authorization.
I suggest using jose4j if your token is a JWT and you don't actually want to encrypt it, but just sign it!
Tokens don't really need to be encrypted in certain architectures as they only reveal non-sensitive information for the most part (what you can access, when, for how long)... security lies not in making it hard to read the token, but in making it very hard to get access to the token in the first place! Once an attacker gets access to a token, there's not much you can do as the attacker is more interested in using the token (which he/she can do unless there's further protection regarding the access device for example) to impersonate someone than in reading whatever the token contains (which may be nothing, as we'll see).
JWTs can be easily read by anyone as they are just URL-encoded to make transport easy... but they do need to be signed to be trusted as they are often not even saved in the authorization server (they don't need to as only the server can have signed it if the signature is valid)... and protected at the transport layer by only using HTTPS connections to send it, of course.
To load an RSA public/private key in pure Java, see the answer to this question.
To sign and check a JWT's signature, check this page in the jose4j wiki.
If you want your token to stay completely secret, then use an opaque token which doesn't contain any information at all by itself, but points to the actual information the token is supposed to represent, which only the server which generates it can access, so your information is never even exposed directly... opaque tokens are normally just a long UUID.
If you are interested in knowing more about tokens and authorization/authentication, I recommend having a look at the Nordic APIs blog, which contains a lot of articles and links to great open source resources you can use.
Disclaimer: I work for a company that sponsors Nordic APIs.
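For the key-loading step asked about in the question, here is an added example (not part of the original question or answers) that parses the one-line public key format ssh-keygen writes to id_rsa.pub and encrypts a short token with RSA-OAEP. The class name, the sample token and the key comment are constructed; the key pair is generated in-process only so the example runs without a key file.

```java
import javax.crypto.Cipher;
import java.io.*;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class SshRsaTokenEncrypt {
    // One SSH wire-format field: uint32 big-endian length, then that many bytes.
    static byte[] readField(ByteBuffer buf) {
        byte[] out = new byte[buf.getInt()];
        buf.get(out);
        return out;
    }

    // Parses the single line found in id_rsa.pub: "ssh-rsa <base64 blob> [comment]".
    static PublicKey parseSshRsa(String line) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(Base64.getDecoder().decode(line.trim().split("\\s+")[1]));
        String type = new String(readField(buf), StandardCharsets.US_ASCII);
        if (!type.equals("ssh-rsa")) throw new InvalidKeyException("not an RSA key: " + type);
        BigInteger e = new BigInteger(readField(buf)); // public exponent is stored first
        BigInteger n = new BigInteger(readField(buf)); // then the modulus
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: generate a pair and serialize the public half like id_rsa.pub.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(4096);
        KeyPair pair = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(blob);
        for (byte[] f : new byte[][] {"ssh-rsa".getBytes(StandardCharsets.US_ASCII),
                pub.getPublicExponent().toByteArray(), pub.getModulus().toByteArray()}) {
            out.writeInt(f.length);
            out.write(f);
        }
        String pubLine = "ssh-rsa " + Base64.getEncoder().encodeToString(blob.toByteArray()) + " demo@example";
        // Sender side: only the public key line is needed to encrypt.
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, parseSshRsa(pubLine));
        byte[] ct = enc.doFinal("constructed-token-123".getBytes(StandardCharsets.UTF_8));
        // Receiver side: round-trip with the private key to confirm the parsed key is the right one.
        Cipher dec = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        dec.init(Cipher.DECRYPT_MODE, pair.getPrivate());
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

RSA-OAEP only encrypts short inputs (at most 446 bytes with a 4096-bit key and SHA-256), so a longer token needs hybrid encryption: a random symmetric key wrapped with RSA.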
I'm exploring an option to store encrypted data to S3. My backend is built with Java and I'm already using JetS3t library for some simple S3 storage manipulations. So, my question is: How to use JetS3t with S3's Server Side Encryption with customer-provided keys (SSE-C) to store files in encrypted format on S3?
I tried to look through the Programmer's Guide for JetS3t but didn't find anything concrete in that regard.
According to the docs here http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html, you need to add the following headers in your request:
x-amz-server-side-encryption-customer-algorithm: Use this header to specify the encryption algorithm. The header value must be "AES256".
x-amz-server-side-encryption-customer-key: Use this header to provide the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
x-amz-server-side-encryption-customer-key-MD5: Use this header to provide the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.
If you use the Amazon Java SDK, doing this is easy and examples are provided in their documentation. But to do so using JetS3t, you can do the following:
Assuming s3Object is the object you are trying to put on S3, call the following for each of the above mentioned headers with appropriate values.
s3Object.addMetadata("<header>", "<header_value>")
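The values for the three headers listed above can be derived as in the following added example (not code from the original answer or from JetS3t). It uses only the JDK; the class and method names are hypothetical and the key is a constructed random sample.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class SseCHeaders {
    // Builds the three SSE-C request headers for a raw 256-bit key.
    static Map<String, String> sseCHeaders(byte[] key) throws Exception {
        if (key.length != 32) {
            throw new IllegalArgumentException("SSE-C needs a 256-bit (32-byte) key");
        }
        Base64.Encoder b64 = Base64.getEncoder();
        // The MD5 is taken over the raw key bytes, not over their base64 text.
        byte[] md5 = MessageDigest.getInstance("MD5").digest(key);
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("x-amz-server-side-encryption-customer-algorithm", "AES256");
        headers.put("x-amz-server-side-encryption-customer-key", b64.encodeToString(key));
        headers.put("x-amz-server-side-encryption-customer-key-MD5", b64.encodeToString(md5));
        return headers;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed sample key; real keys come from your key store
        // With JetS3t, the answer above passes each pair to s3Object.addMetadata(name, value).
        for (Map.Entry<String, String> e : sseCHeaders(key).entrySet()) {
            // Print only the value length so the key itself never reaches a log.
            System.out.println(e.getKey() + " -> " + e.getValue().length() + " chars");
        }
    }
}
```

Because the key travels in a request header, treat every place that records headers (debug logging, proxies, crash dumps) as holding key material.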
We have been developing a GWT application which controls user login / relogin via simple user / pass form hashing the passwords in SHA-256. The passwords are stored in SHA-256 in the database (Hibernate over PostgreSQL). No plain text anywhere.
Once deployed, in the login process server returns error saying that no SHA-256 algorithm was found. The provider (MessageDigest from SUN) is in the java.security properties. The same version of JDK is being used in development and production server.
After doing my homework and searching here I've found a lot of questions, but all of them related to Realm login with SHA-256 digest.
I'm new to Tomcat so, what's the best practice here? Delegate login / roles in Tomcat? Or keep webapp simple login and fix SHA-256 problem (how!)?
Best regards
Ok! Finally I've noticed that GWT's MessageDigest implementation in compiled mode only supports MD5 algorithm, so SHA-256 is not compatible. During DevMode it's using the standard Java MessageDigest which also supports SHA-256.
Best regards
I am going to develop an application with Spring framework and JSP as follows:
1) When the client enters any text and presses encrypt button, the data should be encrypted at the client side, but that encryption should be done using eToken.
2) When the client uploads any file it should be stored in encrypted format in a database.
For that I searched on google but didn't find any helpful resources. We are using eToken that contains a key pair using the RSA algorithm. My problem is how to encrypt and decrypt data and files at the client side using eToken?
I am stuck here, please help me ASAP. Thanks.
Assuming that you want to do this via browser, you would need to have an ActiveX or Java applet, which will do the job. The task cannot be accomplished using client-side JavaScript.
We developed a similar solution in our SecureBlackbox product, though it works for signing at the moment (we couldn't imagine a real-life use case that would require encryption).
JFYI: To do encryption you don't need a private key but only a public key. Public key can be exported from the token to the computer.
I am designing a web application at the moment, and one of the requirements is to secure the user credentials as well as their roles. Now ofc besides the usual pwd hashing + salt +....
I was thinking of putting those specific tables in an encrypted H2 database, and the rest of the data in a MySQL db. The advantages of H2 in my case are: in-memory storage, so means faster access; encrypted db so an additional layer of security in case the server gets compromised.
My question: is this a common practice when an additional security layer is demanded? Meaning, is it a good idea to separate the login info (in my case, it is the sensitive data) from the other data?
Thanks
Ok I got my answer at the security forum, for those interested this is the link https://security.stackexchange.com/questions/7062/securing-sensitive-data-in-a-db-is-using-h2-worth-it
I don't think that this really adds a relevant layer of security.
If your server is compromised and your server can verify the credentials of users, then whoever compromised your server has the necessary data to verify it as well (for example: you'd need to store the encryption key/password on the server to decrypt the DB, unless you enter it on each startup).
And: it complicates your setup quite a bit, which in itself can lead to lots of security problems ("Why can't component A read this file? Oh, I'll just make it world-readable"). Simplicity can be good for security.
If the application is very simple I think you can use only one type of database, e.g. MySQL. You can hash the password before storing it in the database. Note that hashing is different from encryption in that you cannot get the actual password from the hashed password. When a user tries logging in you hash the user entered password and compare the hash value that is already stored in the database. If a salt value is used then it would be extremely difficult for a hacker to get the actual password even if she has access to the hashed password.
For a more complex application I suggest using one of the LDAP servers (e.g. OpenLDAP). Then you get the password policies and hashing for free.