I want my jdbcRealm to not use any Digest Algorithm in Glassfish. I want the jdbcRealm to compare against the database without converting password with any algorithm.
My password in the database is MD5 and I convert the user's password to md5 in java code and then use the code:
FacesContext context = FacesContext.getCurrentInstance ();
HttpServletRequest request = (HttpServletRequest) context.getExternalContext (). GetRequest ();
request.login (username, md5Password);
So can I remove the Digest Algorithm so my jdbcRealm compare plain text without any algorithm?
I know I can send the user's password in plain text and the jdbcrealm will do the job for me, but I want to try this
Yes, yo can
Set Digest algorithm none
Related
I wrote an app that queries a Jira API which requires authentication that I provide through Basic Authentication (base64 in the header). The password was stored in the code which has to stop now because I want to hand over the code.
When the users changes their passwords due to the password schedule, the app should prompt the user for the new Jira password, save it securely, and pass it to the Jira API via Basic Authentication.
What's the best way to do this?
Normally, we would hash it but that's not possible because hashing is one-way direction and we need to pass in the real password to Jira instead of a hash.
In case of storing a string which needs to be protected in case of breaches or as a general software data security concern, encryptions should be done. For example, in your case, when the password is taken by the user then it shall be encrypted by the software before storing. While retrieving, the password is decrypted and converted to the hash(or base64) which Jira accepts for the login handshake.
Apart from the simply encrypting and decrypting, a better approach will be to use salts while encrypting and using multiple encryptions in the loop to avoid brute force attempts.
Pseudocode:
unsafe_password = getPasswordFromUser()
salt = getRandomString();
safePassword = encrypt(unsafe_password, salt, key)
// Store the password
putEntryInDB(user, safePassword, salt)
// Retrieve password
[passwordSalt, encryptedPassword] = getSaltAndEncryptedPasswordFromDB()
unsafePassword = decrypt(encryptedPassword, passwordSalt, key)
// Now login into Jira with the actual user's password (unsafePassword)
P.S. You'll be needing to store a key in the code or in some software's configuration.
Source: Attempt 4&5 https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
I'm trying to do a login method that keeps the client password secure and encrypted in my server.
The library I'm using from Angular, is https://github.com/middleout/angular-cryptography
The idea is, to follow these steps:
I set a salt in my module.config:
app.config(['$cryptoProvider', function($cryptoProvider){
$cryptoProvider.setCryptographyKey('thisismysalt');
}]);
I encrypt the password with itself:
user.pw = $crypto.encrypt(user.pw, user.pw);
If I'm registering an user, I re-encrypt the password with itself (repeat step 2) and save it in the DB. If I'm logging, I just send the result from the last step, to the server.
When you decypher the double-encrypted string with the single-encrypted one, you get the single encrypted string again. So if your password was correct, you just compare the result with the single-encrypted string, and you validate the user.
Ok, this method should work (I already did it in Node some time ago), works great with SSL to protect user's passwords even in your server!
But I can't find any library or snippet in Java that can do it. I tried many of them, but they are hard to understand and when I adapt them to my procedure, they just won't work. I tried the following method:
static String IV = "AAAAAAAAAAAAAAAA";
static String plaintext = "test text 123\0\0\0"; /*Note null padding*/
static String encryptionKey = "0123456789abcdef";
public static String decrypt(byte[] cipherText, String encryptionKey) throws Exception{
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding", "SunJCE");
SecretKeySpec key = new SecretKeySpec(encryptionKey.getBytes("UTF-8"), "AES");
cipher.init(Cipher.DECRYPT_MODE, key,new IvParameterSpec(IV.getBytes("UTF-8")));
return new String(cipher.doFinal(cipherText),"UTF-8");
}
I passed it as first argument, the double-encrypted password from the DB, and as second argument, the single-encrypted password from the frontend:
java.security.InvalidKeyException: Invalid AES key length: 44 bytes
Am I doing something wrong? Should I use a different algorithm?
middleout/angular-cryptography uses CryptoJS 3.1.2 under the hood with the least effort possible.
So
return $crypto.encrypt(plaintext, password);
is the same as
$cryptoProvider.setCryptographyKey(password);
return $crypto.encrypt(plaintext, password);
and the same as
return CryptoJS.AES.encrypt(plaintext, password).toString();
I describe in my answer here how to do the same thing in Java.
If you're using SSL/TLS, there is not much benefit to doing this encryption additionally. The password is already sent in an encrypted way over the internet. Even worse, since the password must be available at the server side, you must store the password in cleartext. That's not how it is done.
You need to use hashing instead with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way function, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. Since you're already using SSL/TLS, the password is already secured during transmission. See more: How to securely hash passwords?
I want to encrypt my password after created user and persist it inside the DB. I write password to "password field" and press "Save button". Then I use this library
For encryption
BasicPasswordEncryptor passwordEncryptor = new BasicPasswordEncryptor();
String encryptedPasword = passwordEncryptor.encryptPassword(myPasword);
user = new User();
user.setUsername(username);
user.setUserRole(role);
user.setFistname(firstname);
user.setLastname(lastname);
user.setGroupId(group);
user.setBssLogin(login);
user.setBssPassword(encryptedPasword);
dao.addCrmUser(user);
After that, I have a new encrypted password inside my DB.
On the server side, I get the user and try to decrypt the password
String login = user.getLogin();
String password = user.getPassword();
String dencryptPassword = encryptor.**NOT_METHOD_FOR_IT**(password);
I need the original password, which is set inside another system.
How can I do this with my current library ?
I fount this and another libraries in Github that use some key but I do not know what is better and/or faster.
You do not decrypt the password from the database to verify it.
You encrypt the password received from the user when trying to login, and compare that encrypted value with the value in the database. Good password encryption is really a hash function, which is not reversible, for security.
The BasicPasswordEncryptor() in jasypt does despite it's name, not encrypt the password, but hashes the password using a one-way-hash (A big tell, is that the method don't require an encryption key).
You can't get the password back after this process, and the password is verified using the checkPassword(String plainPassword, String encryptedPassword) methode.
If you really need to be able to decrypt the password, you need to use another way to do real encryption when encrypting it. This raises the need for handling of encryption keys, which might introduce just as many problems than it sorts (where to store them etc.)
I am working on an implementation of javamail in my current program. The testmails are sent successfully if I predefine the credentials directly in the code or if I write it via text/password Fields, but I want it more userfriendly. I'm using a MySQL DB for my program where I could store the smtp password but for security reasons I don't want it in cleartext and the only option I know would be a synchronous encryption and use the users login password as the security password.
Are there any other options to store the password safely or even a other option that the user doesn't need to enter his password all the time?
For sure, this will only be an option via checkbox for saving credentials, if the user doesn't want this he has to write it all the time.
Thanks for helping.
Store the password encrypted (hashed) in the database. Encrypt with the libs of Apache Common for example:
String password = "PASSWORD_TO_ENCRYPTED";
String salted = password + username; //salt the password value, using the username is only an example
String hash = DigestUtils.sha256Hex(salted.getBytes("UTF-8"));
If you want to check if a given password is correct, salt it and hash it same way.. and compare the hash strings with the value stored in the database.
I have a Java application running on Jboss AS. I'm coding ios application and I need code for authentication in it.
Is it will be good possible way using REST service on Java app that will be check userName and hash of password.
Now I'm try this:
On Java I write REST method:
#GET
#Path("/checkAuth/{userName}/{passHash}")
#Produces("application/json")
public AuthResult checkAuth(#PathParam("userName") String userName, #PathParam("passHash") String passwordHash) {
// code for checking hash of Password with that in SQL base
}
On IOS app:
NSString *authRequest = [ NSString stringWithFormat: pathToRestWithParams, login, md5PassHash];
NSURL *restURL = [NSURL URLWithString:authRequest];
NSMutableURLRequest *restRequest = [NSMutableURLRequest requestWithURL:restURL cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:180];
NSHTTPURLResponse *response = nil;
NSError *restError = nil;
NSData *authResult = [NSURLConnection sendSynchronousRequest:restRequest returningResponse:&response error:&restError];
Is it secure?
I want to add Java code that will be returned Session Key (Generated on Java app) for any user. This session key will be send with REST request for updating data from ios app.
Is it more secure?
My Opinion is NO, because it is more vulnerable to man in middle attacks by stealing session id, Also MD5 is outdated now you can use SHA-256 or 512 for hashing and salted password hashing will improve the security.
Refer this link for more secure hashing
For good security you need to apply encryption like AES-256 to your payload , especially for authentication service and other sensitive data transmission.
Refer This link for more about java-iOS AES encryption-decryption