Posted to user@struts.apache.org by "Andrew H. Peterson" <ap...@e-gineering.com> on 2002/03/08 03:36:22 UTC

Struts and encryption

Is there a Struts preferred method of handling encryption/decryption? I am
authenticating users via a database lookup. I want to store the encrypted
password in the database.

If Struts doesn't have a preferred method of encryption/decryption, can
someone point me to a good Java API for encryption/decryption?

Thanks.

ahp



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Struts and encryption

Posted by Bryan Field-Elliot <br...@netmeme.org>.
Many databases have their own extensions for encryption, or one-way
hashing, used for things like password storage. That's probably the best
choice you could make.

Bryan


RE: Struts and encryption

Posted by Aamir Saalam <as...@cisco.com>.
For password encryption (which is one way: you can never get back the original password, given the encrypted string), there's one called JCrypt.


For more info. see:

http://www.dynamic.net.au/christos/crypt/Password.txt


--aamir



Re: Struts and encryption

Posted by Hitesh Bagchi <Hi...@ushacomm.co.in>.
Hi Tim,
We were faced with a similar dilemma in our app. This is finally what we did:
1. We used an MD5 hash to encrypt the password and insert it into the DB.
2. On login the user-entered password is hashed and matched with the password in the
DB.
3. If the user forgets his/her password and performs a Change Password, then his/her
password is reset.
This is what we do to reset the password:
1. On performing Change Password, a 32 byte hash key is generated using the user's
UserID and the current timestamp. The first 8 characters are sent to the user in a
mail as his new password, and those 8 characters are re-hashed into a 32 byte hash
key and the user's password in the DB is updated with that value.
Hope this helps.

Regards,
Hitesh




RE: Struts and encryption

Posted by Tim Strong <ti...@k2cy.com>.
I did some quick research on this recently.

I struggled between choosing any of the following:

1. encode/decode password using Java
2. encode/decode password using database specific methods
3. hashing the password

After doing quite a bit of research on the 'net (java.sun.com mostly), I
decided to use #3, using a message digest and MD5 hashing.  This is a
one-way hash, almost impossible to decode.  To authenticate the user, I
hash the password entered from the login form using this same method and
compare that with the password hash stored in the database.

Regarding decrypting the password, based on what I have read, I decided
that no one, not even the database administrator, should be able to
decrypt the user's password.

The following is the method that I use to hash the password.

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// 'log' is the enclosing class's commons-logging Log instance (declaration not shown)
public static byte[] encodePassword(byte[] unencodedPassword) {
	log.trace("encodePassword() - Entering");

	MessageDigest md = null;
	try {
		// first create an instance, given the provider
		md = MessageDigest.getInstance("MD5");
	} catch (NoSuchAlgorithmException e) {
		// without a digest there is nothing to hash; fail here rather than
		// NullPointerException on md.reset() below
		log.error("Exception: ", e);
		throw new IllegalStateException("MD5 MessageDigest not available", e);
	}

	md.reset();

	// call the update method one or more times
	// (useful when you don't know the size of your data, eg. stream)
	md.update(unencodedPassword);

	// now calculate the hash
	byte[] encodedPassword = md.digest();

	// hex-encode the 16-byte digest (two lowercase hex digits per byte) for logging;
	// note that the returned value is the raw digest, not this hex string
	StringBuffer buf = new StringBuffer();

	for (int i = 0; i < encodedPassword.length; i++) {
		if (((int) encodedPassword[i] & 0xff) < 0x10) {
			buf.append("0");
		}
		buf.append(Long.toString((int) encodedPassword[i] & 0xff, 16));
	}
	// this writes the password hash into the application log at debug level
	log.debug("encodePassword() - Encoded Password:\t" + buf);

	log.trace("encodePassword() - Exiting");
	return(encodedPassword);
}


If the user forgets the password, I am still struggling with what to do,
probably one of the following or both:

1. reset the password and mail the new password to the user
2. reset the password and present it to them within the browser

With both methods I will force the user to change their password the next
time they log in.

I'm not an expert in Java security, so I would be interested in any
comments.

-Tim


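An added example (not code from Tim, Hitesh or the Struts project) that puts the thread's three steps in one place: hash on store, hash-and-compare on login, and the reset scheme Hitesh outlines; unlike Tim's method, which logs the hex string but returns the raw digest, it returns the hex so the same value can be stored and compared. It keeps the thread's unsalted MD5 so the figures match the posts (32 hex characters, 8-character temporary password); the same structure applies with a salted, iterated hash such as PBKDF2 via javax.crypto in place of md5Hex. The class name PasswordStore and the two-element return of reset() are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Assumed helper class name; illustrates the flow discussed in the thread. */
public final class PasswordStore {

    /** MD5 of the input as 32 lowercase hex characters (what Tim's method logs). */
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder buf = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                buf.append(String.format("%02x", b & 0xff)); // zero-pad each byte
            }
            return buf.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Login: hash what the user typed and compare with the stored hex value. */
    static boolean verify(String typedPassword, String storedHex) {
        byte[] typed = md5Hex(typedPassword).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHex.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(typed, stored); // constant-time comparison
    }

    /**
     * Reset as Hitesh describes: hash userId + timestamp, take the first 8 hex
     * characters as the temporary password, store the hash of those 8 characters.
     * Returns {temporaryPassword, valueToStoreInDb} (return shape is assumed).
     */
    static String[] reset(String userId, long timestampMillis) {
        String temporary = md5Hex(userId + timestampMillis).substring(0, 8);
        return new String[] { temporary, md5Hex(temporary) };
    }

    public static void main(String[] args) {
        String stored = md5Hex("correct horse");        // value written to the DB at signup
        System.out.println(verify("correct horse", stored));
        System.out.println(verify("wrong guess", stored));
        String[] r = reset("ahp", System.currentTimeMillis());
        System.out.println("mail to user: " + r[0] + "  store in DB: " + r[1]);
        System.out.println(verify(r[0], r[1]));
    }
}
```

Because the temporary password is only 8 hex characters (32 bits) derived from the user ID and a timestamp, accept it once and expire it promptly, and force a change at next login as Tim proposes.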