Our security department wants us to use 256-bit encryption to encrypt SSN, Names of Users etc, so we decided to go with JASYPT with the sample code below:
encryptor = new StandardPBEStringEncryptor();
encryptor.setProvider(new BouncyCastleProvider());
encryptor.setAlgorithm("PBEWITHSHA256AND256BITAES-CBC-BC");
encryptor.setPassword(OUR_KEY)
encryptor.encrypt("TEXT TO ECNCRYPT")
The problem we noticed is when our application creates an encrypted record from our local machine, the application on the app-dev server cannot decrypt it and vice versa even though the key is same. It seems like JASYPT is adding some machine specific information in the salt (Mac address etc).
Even using FixedStringSaltGenerator or ZeroSaltGenerator does not help. This creates a problem for us because if we ever migrated our production server to another machine, or refreshed pre-prod data with the prod data, we may need a couple of million years to recover the information.
The security department wants us to use a well know library and not brew an in-house solution. Can someone please throw some light on this issue on how we can generate encrypted string that can be decrypted across different machines using jasypt 256 bit encryption, or when we refresh pre-prod database with prod data, how we would be able to recover names etc that were encrypted through a different server?
Any useful insights will be greatly appreciated.
your key might be containing some special characters which shell substitute with something else.
do a echo "yourkey" > file
and check the content of this file.
then use this content as a key to decrypt; it should be able to decrypt the encrypted string.
I know this is a pretty old question but I recently experienced this issue and the resolution for me had nothing to do with the differences in machine operating system endianness.
It had to do with a character in the password itself, the dollar sign character ($), that was somehow considered to be a special character in Linux vs not being considered special in Windows. So everything worked fine encrypting the values in Windows, but when I swapped over to Linux and tried to decrypt the values with the same password using the jasypt command line decrypt.sh script, I got the error message "Operation not possible (Bad input or parameters)" and noticed that the password in the jasypt decrypt output arguments list was different than the one I had typed in (the script apparently chopped off the part of the password from the special character until the end of the password string).
Anyway, my solution was to change the password to not use a special character and then it worked. Hope this helps some poor soul who happens to run across this same issue in future, because I wasted 2 days on it.
use single quotes instead of double quotes to wrap your input string. This solution worked when i had a issue with encryption and decryption of string with $.
Related
I'm coding a java program, using the JDMK 5.1 toolkit, to send SNMPv3 traps and the jdmk security file (jdmk.security.file) I seem to need to create, and have in place, to do so currently has the authorization and privacy keys in the clear.
How can I cause those values, which I consider to be passwords, be secured and still be usable by the toolkit when it reads that data from the file?
The documentation says you may specify "Any text password or any hexadecimal key starting with 0x" for those values but does not elaborate.
I am trying to develop an android app in java which needs encryption. Also I want to use AES-256 for encryption. But when I look a tutorial of it, It always generates a random key. My question is: How can I decrypt a string if I encrypt it with a random key? Also I tried almost every code in web, but none of them worked, so can you provide a AES-256 encryption code with no salt and IV. If I know something wrong, please correct me and teach me the truth.
Details: I am trying to make a password manager app. App has two passwords, first one is the master password that we use for encryption string data. Second one is the passwords that we want to manage. Master password is stored in users mind. And other password will be stored in the app with encrypted version. When user wants to see his passwords he will input his master key to decrypt the encrypted passwords. So how can I do it? And user's master password will be 32 or 64 digit and I don't think we need to generate a random key. Can you show me some way? I am not native english speaker, sorry for my bad english. Thanks for help.
My question is: How can I decrypt a string if I encrypt it with a random key?
You can't. You need to save the key (somewhere). Then when you want to decrypt the file you restore the key that you used to encrypt the file and use it to decrypt.
Here is an Answer that explains how to save an AES key to a file and restore it: https://stackoverflow.com/a/7176483/139985. Notice that the example encodes the key in hexadecimal before writing it to disk.
However. Anything that entails storing an encryption key (in the clear) in a file in the file system is vulnerable. If someone or something can compromise the security of the OS / file system where the key is held, they can read the file containing the key ... and ... decrypt what ever the key has been used to protect.
A better idea is to use some kind of secure key store / vault.
My advice: if you are write an app that manages passwords for other people, you really, really need to have a deep understanding of how to do this securely. And if you don't, pay a qualified IT security professional to design and implement that aspect of your system for you.
Just reading some tutorial and asking on StackOverflow does not cut it!
It seems that I have misplaced a password for a Keystore for an Android project. I still have the keystore, but not the password. However, the password is saved in Eclipse in the Signing and Keys tab. I also have the secure_storage file within the org.eclipse.equinox.security directory, and it seems that my stored password is there, encoded. It makes sense to me that were I to use the stored password-version of the Keystore, that password would need to be decoded at some point, to be passed to the Keystore. Therefore, I'm wondering what I'd need to do to decode that myself, and retrieve the password.
Any help would be appreciated!
Tim
After much research, I have found how to recover the password from the Secure Storage. As I surmised, Eclipse must have a way to extract the saved password, otherwise it could never be used to unlock the keystore. I found this post: Eclipse password recovery which led me into the method to view the saved passwords. The only bit that took some work was actually executing the code. I didn't go the eclipse-shell path, but instead created a eclipse plugin project using that code. Note that that code will not work in a standard Java project.
Of course, the actual Secure Storage is encrypted with the OS authentication, so this would only work for decrypting the password from the machine where it was originally encrypted. The problem was never about decrypting without the proper ciphers, but about using the built-in decrypting methods to get a clean-text password.
No, you can not. It uses the operatingsystems cryptation or/and the jvms. Standard is usually some AES-256 bits and is very hard to break.
I don't think you will get any help here.
Till now, i have been creating a file (txt/excel) using buffered Writer for creating a text file and JExcel API for creating a Excel file. These files i have been creating using Java only.
Now i want to make the file password protected in both the cases, that to something like, the file can be accessed by number of people, but only selected may access it using there own login ids/password.
Is it possible to do so?..
Thanks
The answer completely depends on what way you want to open your protected files.
If it is opened by your (java) program or an application, then you can simply simply encrypt it with a password upon saving, and decrypt it with something the user provides,
and use some checksum or header to see if the result is valid - or some garbage due to bad password,
some crypto APIs will do it for you right out of the box.
Second option - if you meant encrypting files with a program (like a notepad file, or something), and you expect windows or notepad to ask you for the password, then it depends on the format of the file you use. Some can be password protected, some can not -like text files usually associated with notepad). In this case password protection works as described in the format's own documentation, and you have to research a bit, I guess it will be too much work
we can do password protection of zip files with the core Java API.
Yes, it is possible to do that, you would have to write your own encryption and decryption tool or write a plugin for excel to do the decryption.
Usually the best approach is to use the security of the OS and specify which users can read or read/write the document. This is transparent to the user and doesn't require a encryption/decryption tool.
yes it is possible. You can use either AES or DES encryption. password is nothing but the key using which the file can be be encrypted or decrypted. you can create your own listener which will prompt you for password. If you enter the password then it will take the password and try to decrypt the file
I am trying to make a multi user login system for my java program, at the moment i am compairing the username and password to md5 hashes stored in a text file. I would like to be able to geive different users different access wrights to the program, using the system i am using at the moment the accesablility would be easy to change if the text file was opend. Is there a way I could encrypt the text in the file and then unencrypt it when the user loggs in??? Thanks
You can take a look at this comprehensive Java Cryptography guide. However, I think that you would be better off with a database to store the username and password since a text file could be easily deleted or modified. Encrypting it only makes it tougher to read.
Please take a look here and here to learn about JDBC. If you want a more robust framework, you can use and ORM like hibernate. The links I have posted refer to MySQL. It is a very popular Database server and integrates well with Java. You shouldn't have any problems finding tutorials or any kind of help with MySQL.
Also have a look at JAAS to restrict access to your services (e.g. based on roles).
Md5 is a one way hash algorithmic you cant decrypt it back , best way is to compare the encrypted string to validate things
Does this help:
Java - encrypt / decrypt user name and password from a configuration file