0

I generate a key and use the doFinal() from the cipher class to encrypt the password/username, now, when the user wants to login he inputs UN and PW then I take them what is the process I need to do so I compare the input to the database I saved the encrypted data in?

Writing this question I feel stupid but the truth is I am really new to this and my information could be remote from right so please move on to explaining and pass the what are you talking about part.

now the code I used :

 public class Safety {
    public static Users encryptUser(Users user){
        Users usera=user;
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES/CBC/PKCS5Padding");
            Key key=kg.generateKey();
            Cipher cipher=Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            String fNE=new String(cipher.doFinal(user.getFirstname().getBytes()),"UTF-8");
            String lNE=new String(cipher.doFinal(user.getLastname().getBytes()) , "UTF-8");
            String userNameE= new String(cipher.doFinal(user.getUsername().getBytes()),"UTF-8");
            String passWordE= new String(cipher.doFinal(user.getPassword().getBytes()),"UTF-8");
            String eME= new String(cipher.doFinal(user.getEmail().getBytes()),"UTF-8");
            String sQE= new String(cipher.doFinal(user.getsQ().getBytes()),"UTF-8");
            String sAE= new String(cipher.doFinal(user.getsA().getBytes()),"UTF-8");
            Users usere=new Users(fNE, lNE, userNameE, passWordE, eME, sQE, sAE, user.getUserID());
            return usere;
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        catch(Exception e){
            e.printStackTrace();                
        }

        return usera;
    }

    public static String decryptuser(Users user){
       //what should I do here exactly? 
    }
}

after a little of research and work this is what i have come up with :

         public class Safety {
public static final String algorithm = "PBKDF2WithHmacSHA1";
public static final int saltbytesize = 24;
public static final int hashbytesize = 24;
public static final int iterations = 1000;
public static final int iIndex = 0;
public static final int sIndex = 1;
public static final int pbkIndex = 2;
    public static Users passwordHash(Users user) throws NoSuchAlgorithmException, InvalidKeySpecException{
        SecureRandom sR=new SecureRandom();
        byte[] pws=new byte[saltbytesize];
        sR.nextBytes(pws);
        byte[] pwh=pbkdf2(user.getPassword().toCharArray(),pws,iterations,hashbytesize);
        user.setPassword(toHex(pwh));
        byte[] sas=new byte[saltbytesize];
        sR.nextBytes(sas);
        byte[] sah=pbkdf2(user.getsA().toCharArray(),sas,iterations,hashbytesize);
        user.setsA(toHex(sah));
        user.setUserhash(pws);
        user.setSahash(sas);
        return user;
    }

    public static boolean hashpassword(String username,String password,Users user) throws NoSuchAlgorithmException, InvalidKeySpecException{
        byte[] pws=user.getUserhash();
        byte[] pwh=pbkdf2(password.toCharArray(),pws,iterations,hashbytesize);
        String searcher=toHex(pwh)+username;
        String searched=user.getPassword()+user.getUsername();
        if(searcher.equals(searched)){
            return true;
        }
        return false;
     }
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes)
            throws NoSuchAlgorithmException, InvalidKeySpecException
        {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
            SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
            return skf.generateSecret(spec).getEncoded();
        }
    private static String toHex(byte[] array)
    {
        BigInteger bi = new BigInteger(1, array);
        String hex = bi.toString(16);
        int paddingLength = (array.length * 2) - hex.length();
        if(paddingLength > 0)
            return String.format("%0" + paddingLength + "d", 0) + hex;
        else
            return hex;
    }



     }

and this is great for now how ever id like to make it work with SHA512 how can i do that?

Fahadalkadhi95
  • 65
  • 1
  • 1
  • 6
  • http://www.mkyong.com/java/jce-encryption-data-encryption-standard-des-tutorial/ – sanket Dec 27 '13 at 13:02
  • @sanket alright but that one decrypted it just as he encrypted it in the same method so the key he called myKey was still in the memory and that's in one method ...how ever in my case these are two methods each works on its own. also sometimes the application could be closed and started again so how will your link help me in that case? – Fahadalkadhi95 Dec 27 '13 at 13:10
  • I thank you for your edit sir :) – Fahadalkadhi95 Dec 27 '13 at 13:12
  • Persist my key exactly ..how? @sanket – Fahadalkadhi95 Dec 27 '13 at 13:13
  • Put it in a file....example here http://stackoverflow.com/questions/1925104/easy-way-to-store-restore-encryption-key-for-decrypting-string-in-java – sanket Dec 27 '13 at 13:15
  • Once you are done with this, I would recommend that you read through this: http://www.informit.com/articles/article.aspx?p=170967&seqNum=3 – sanket Dec 27 '13 at 13:17
  • Sanket both links are very useful TY :) – Fahadalkadhi95 Dec 27 '13 at 13:30

1 Answers1

0

You should not encrypt the password, you should hash it with the user name and a salt.

See Why should I hash passwords?

Community
  • 1
  • 1
Jonathan Rosenne
  • 2,159
  • 17
  • 27
  • True. But I think the user is just learning to use encryption and decryption is java – sanket Dec 27 '13 at 13:17
  • ok nice so I put them both in the same string and add salt to it ? could you please put some code to show me how it works I would really be thankful. – Fahadalkadhi95 Dec 27 '13 at 13:19
  • @sanket I am actually learning how to save users in a database safely so all suggestions are great. – Fahadalkadhi95 Dec 27 '13 at 13:20
  • your post's post was this site:https://crackstation.net/hashing-security.htm and though it is not for java it is still helpful I thank you this is just what i was looking for how ever is salted hash the best way? – Fahadalkadhi95 Dec 27 '13 at 13:31
  • Yes. The use of hash means that you do not store or even know the password, so if your database is ever hacked the hacker will not be able to extract the passwords. The salt should be unique, such as the name of your site, to prevent a dictionary attack, where the bad guys have a database of common passwords and their hash. – Jonathan Rosenne Dec 27 '13 at 15:48
  • @JonathanRosenne alright mate so now i am barely able to hash using SHA1 look at my code how can i hash with SHA256/SHA512 what should i change and the when i tried public {static final String algorithm = "PBKDF2WithHmacSHA512"} and it says that no such algorithm – Fahadalkadhi95 Dec 27 '13 at 17:34