
I'm writing a Client Server application. The communication between Client and Server uses Java RMI. I've set up RMI so that it uses SSLSockets, so the communication is secure. But now I want my Client to enter a password; the password needs to be sent to the Server and stored there in a secure way.

  • Question 1: Do I need to encrypt this password when I send it, or is the use of SSLSockets enough?

  • Question 2: I was thinking about encrypting it using a hash function (like SHA1) on the Server and then comparing it with the stored value.

  • Question 3: How can I store these passwords in a secure way? I want to store them locally. Should I create a database and store the encrypted passwords? What are the common practices for this?

JNevens
    Remark to Q2: The hash should not be calculated at the client, as this would make the hash the secret one has to know to successfully log in. Instead, the client sends the password, the server calculates the hash and compares it with a stored value. – Henry May 06 '14 at 18:48
  • Of course, yes! I understand why, I'm going to edit my question – JNevens May 06 '14 at 18:49
  • @Henry The other viable option is one-time session keys, but probably that's overkill. – Alexey Malev May 06 '14 at 19:18

1 Answer

Question 1:

It depends on security requirements. For most cases it's enough.

Question 2:

Here you can find a way to calculate SHA1 of string: Java String to SHA1

Question 3:

Storing passwords in some particular table in a database is quite a common practice. I recommend using hashed passwords together with a so-called salt, so the protocol is:

  • User is registering or changing password and sending you his/her password.
  • We generate some looooooooong random string which we're gonna use as salt.
  • Now, we need to calculate the value we're going to store in the database.

Assuming you have a sha1() method that performs hash calculation:

    String salt = generateLongRandomString();          // per-user random salt
    String hashToStore = sha1(sha1(password) + salt);  // value kept in the database

  • Now, we need to store in the database at least three fields for each user: username or something similar, maybe email; hashToStore; salt;

Ok, next step is authentication.

  • User wants to authenticate and sends you his password.
  • You retrieve the stored hash and salt for this user, searching by username or email;
  • You recalculate the hash using the formula I wrote above and compare it with the stored value. If it matches, the user is authentic and you may inform him/her about it.
Alexey Malev
  • I just want to store it locally, no special hardware solutions required here. Should I just store the encrypted data in a database? – JNevens May 06 '14 at 18:53
  • @JN11 I assume you're speaking about storing user passwords locally or in the database. If this is true, please update your question 3 and let me know, I'll update my answer to include best practices about that. – Alexey Malev May 06 '14 at 18:55
  • Yes, I'd like to know some more about how to use a database together with Java – JNevens May 06 '14 at 18:58