Re: Struts and encryption
Hi Tim,

We were faced with a similar dilemma in our app. This is finally what we did:

1. We used an MD5 hash to encrypt the password and insert it into the DB.
2. On login, the user-entered password is hashed and matched with the password in the DB.
3. If the user forgets his/her password and performs a Change Password, then his/her password is reset.

This is what we do to reset the password:

1. On performing Change Password, a 32-byte hash key is generated using the user's UserID and the current timestamp. The first 8 characters are sent to the user in a mail as his new password, and those 8 characters are re-hashed into a 32-byte hash key and the user's password in the DB is updated with that value.

Hope this helps.

Regards,
Hitesh

Tim Strong wrote:

> I did some quick research on this recently. I struggled between choosing any of the following:
>
> 1. encode/decode password using Java
> 2. encode/decode password using database-specific methods
> 3. hashing the password
>
> After doing quite a bit of research on the 'net (java.sun.com mostly), I decided to use #3, using a message digest and MD5 hashing. This is a one-way hash, almost impossible to decode. To authenticate the user, I hash the password entered from the login form using this same method and compare that with the password hash stored in the database.
>
> Regarding decrypting the password, based on what I have read, I decided that no one, not even the database administrator, should be able to decrypt the user's password.
>
> The following is the method that I use to hash the password.
>
>     import java.security.MessageDigest;
>
>     // log: the class's logger, declared elsewhere in the class (not shown in the post)
>
>     public static byte[] encodePassword(byte[] unencodedPassword) {
>         log.trace("encodePassword() - Entering");
>         MessageDigest md = null;
>         try {
>             // first create an instance, given the provider
>             md = MessageDigest.getInstance("MD5");
>         } catch (Exception e) {
>             log.error("Exception: ", e);
>         }
>         md.reset();
>         // call the update method one or more times
>         // (useful when you don't know the size of your data, eg. stream)
>         md.update(unencodedPassword);
>         // now calculate the hash
>         byte[] encodedPassword = md.digest();
>         // hex-encode the digest for the log (two hex digits per byte)
>         StringBuffer buf = new StringBuffer();
>         for (int i = 0; i < encodedPassword.length; i++) {
>             if (((int) encodedPassword[i] & 0xff) < 0x10) {
>                 buf.append(0);
>             }
>             buf.append(Long.toString((int) encodedPassword[i] & 0xff, 16));
>         }
>         log.debug("encodePassword() - Encoded Password:\t" + buf);
>         log.trace("encodePassword() - Exiting");
>         // the raw digest bytes are returned; buf is only used for logging
>         return (encodedPassword);
>     }
>
> If the user forgets the password, I am still struggling with what to do, probably one of the following or both:
>
> 1. reset the password and mail the new password to the user
> 2. reset the password and present it to them within the browser
>
> With both methods I will force the user to change their password the next time they log in.
>
> I'm not an expert in Java security, so I would be interested in any comments.
>
> -Tim
>
> -----Original Message-----
> From: Andrew H. Peterson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 07, 2002 9:36 PM
> To: Struts User Forum (E-mail)
> Subject: Struts and encryption
>
> Is there a Struts-preferred method of handling encryption/decryption? I am authenticating users via a database lookup. I want to store the encrypted password in the database. If Struts doesn't have a preferred method of encryption/decryption, can someone point me to a good Java API for encryption/decryption?
>
> Thanks.
>
> ahp

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
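The reset scheme Hitesh describes derives the temporary password from the UserID and the current timestamp, both of which are easy for someone else to guess, and then mails the first 8 hex characters of the result. The following is an added example, not code from this thread, of the alternative a practitioner would want: the one-time token comes from SecureRandom, the DB stores only a hash of it, and it expires and can be redeemed once. The class, its method names, the 30-minute lifetime and the in-memory map standing in for the users table are all my choices for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added demo (hypothetical class): password-reset tokens that are random, hashed at rest, time-limited and single-use. */
public class PasswordResetDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TOKEN_TTL_MILLIS = 30L * 60 * 1000; // 30 minutes, chosen for the demo

    /** What the DB row keeps: a hash of the token (never the token itself) plus an expiry. */
    static final class PendingReset {
        final byte[] tokenHash;
        final long expiresAt;
        PendingReset(byte[] tokenHash, long expiresAt) {
            this.tokenHash = tokenHash;
            this.expiresAt = expiresAt;
        }
    }

    // Constructed stand-in for the users table; a real app would persist this column.
    private final Map<String, PendingReset> pending = new HashMap<>();

    /** Issue a fresh token for a user; the returned string is what goes into the e-mail. */
    public String issueToken(String userId, long now) {
        byte[] raw = new byte[32];                 // 256 bits of entropy, not 32 bits of hex
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(userId, new PendingReset(sha256(token), now + TOKEN_TTL_MILLIS));
        return token;
    }

    /** Accept the token once; on success the caller lets the user choose a new password. */
    public boolean redeemToken(String userId, String presented, long now) {
        PendingReset p = pending.get(userId);
        if (p == null) {
            return false;
        }
        if (now > p.expiresAt) {                   // expired: discard so it cannot be retried later
            pending.remove(userId);
            return false;
        }
        boolean ok = MessageDigest.isEqual(p.tokenHash, sha256(presented)); // constant-time compare
        if (ok) {
            pending.remove(userId);                // single use: a replayed token is refused
        }
        return ok;
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        PasswordResetDemo demo = new PasswordResetDemo();
        long now = System.currentTimeMillis();
        String token = demo.issueToken("someuser", now);          // "someuser" is a constructed user id
        System.out.println("mail this token: " + token);
        System.out.println("wrong token accepted?  " + demo.redeemToken("someuser", "guess", now));
        System.out.println("right token accepted?  " + demo.redeemToken("someuser", token, now + 1000));
        System.out.println("replay accepted?       " + demo.redeemToken("someuser", token, now + 2000));
        String late = demo.issueToken("someuser", now);
        System.out.println("expired token accepted? " + demo.redeemToken("someuser", late, now + TOKEN_TTL_MILLIS + 1));
    }
}
```

Because only sha256(token) is stored, a copy of the users table does not let anyone log in as a user with a pending reset, and because the token is random rather than derived from UserID and time, nothing in the request or the clock helps predict it.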
RE: Struts and encryption
I did some quick research on this recently. I struggled between choosing any of the following:

1. encode/decode password using Java
2. encode/decode password using database-specific methods
3. hashing the password

After doing quite a bit of research on the 'net (java.sun.com mostly), I decided to use #3, using a message digest and MD5 hashing. This is a one-way hash, almost impossible to decode. To authenticate the user, I hash the password entered from the login form using this same method and compare that with the password hash stored in the database.

Regarding decrypting the password, based on what I have read, I decided that no one, not even the database administrator, should be able to decrypt the user's password.

The following is the method that I use to hash the password.

    import java.security.MessageDigest;

    // log: the class's logger, declared elsewhere in the class (not shown in the post)

    public static byte[] encodePassword(byte[] unencodedPassword) {
        log.trace("encodePassword() - Entering");
        MessageDigest md = null;
        try {
            // first create an instance, given the provider
            md = MessageDigest.getInstance("MD5");
        } catch (Exception e) {
            log.error("Exception: ", e);
        }
        md.reset();
        // call the update method one or more times
        // (useful when you don't know the size of your data, eg. stream)
        md.update(unencodedPassword);
        // now calculate the hash
        byte[] encodedPassword = md.digest();
        // hex-encode the digest for the log (two hex digits per byte)
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < encodedPassword.length; i++) {
            if (((int) encodedPassword[i] & 0xff) < 0x10) {
                buf.append(0);
            }
            buf.append(Long.toString((int) encodedPassword[i] & 0xff, 16));
        }
        log.debug("encodePassword() - Encoded Password:\t" + buf);
        log.trace("encodePassword() - Exiting");
        // the raw digest bytes are returned; buf is only used for logging
        return (encodedPassword);
    }

If the user forgets the password, I am still struggling with what to do, probably one of the following or both:

1. reset the password and mail the new password to the user
2. reset the password and present it to them within the browser

With both methods I will force the user to change their password the next time they log in.

I'm not an expert in Java security, so I would be interested in any comments.

-Tim

-----Original Message-----
From: Andrew H. Peterson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 9:36 PM
To: Struts User Forum (E-mail)
Subject: Struts and encryption

Is there a Struts-preferred method of handling encryption/decryption? I am authenticating users via a database lookup. I want to store the encrypted password in the database. If Struts doesn't have a preferred method of encryption/decryption, can someone point me to a good Java API for encryption/decryption?

Thanks.

ahp
Struts and encryption
Is there a Struts-preferred method of handling encryption/decryption? I am authenticating users via a database lookup. I want to store the encrypted password in the database. If Struts doesn't have a preferred method of encryption/decryption, can someone point me to a good Java API for encryption/decryption?

Thanks.

ahp
RE: Struts and encryption
For password encryption (which is one-way; you can never get back the original password, given the encrypted string), there's one called JCrypt. For more info, see:

http://www.dynamic.net.au/christos/crypt/Password.txt

--aamir

-----Original Message-----
From: Andrew H. Peterson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 6:36 PM
To: Struts User Forum (E-mail)
Subject: Struts and encryption

Is there a Struts-preferred method of handling encryption/decryption? I am authenticating users via a database lookup. I want to store the encrypted password in the database. If Struts doesn't have a preferred method of encryption/decryption, can someone point me to a good Java API for encryption/decryption?

Thanks.

ahp
Re: Struts and encryption
Many databases have their own extensions for encryption, or one-way hashing, used for things like password storage. That's probably the best choice you could make.

Bryan

On Thu, 2002-03-07 at 19:36, Andrew H. Peterson wrote:

> Is there a Struts-preferred method of handling encryption/decryption? I am authenticating users via a database lookup. I want to store the encrypted password in the database. If Struts doesn't have a preferred method of encryption/decryption, can someone point me to a good Java API for encryption/decryption?
>
> Thanks.
>
> ahp