
This project involves taking a user-supplied password and using it as input for a .sh script. This script uses the password (among other things) to create a file_name.properties file. Once this file has been created, it's stored on a server. Eventually, that file will be pulled by a Java program using Java's ResourceBundle utility and used as a part of that program.

The only problem is, the file_name.properties file that stores the password is available to pretty much anyone with server access to open, and then see the password. I've been instructed to obscure this password somehow, so that it can't be seen when people open the file on the server. But, the password still has to be usable by the Java program.

I'm not sure how to go about disguising this password in the shell script and then decoding it in the Java program. I also can't use any external libraries. Note that this doesn't have to be an airtight solution - it doesn't matter if it's somewhat easy for humans that open the file to decode, we just don't want the password visible on first glance.

meowsephine
  • Doesn't have to be secure, just has to prevent accidental peeking? XOR each byte with 0x42 or so (assuming ASCII). – user253751 Feb 25 '15 at 19:39
  • To the last sentence: then why bother at all? – xehpuk Feb 25 '15 at 19:45
  • @xehpuk, very good question. This is what I've been told to do, though, and questioning dumb things like this usually gets me nowhere. – meowsephine Feb 25 '15 at 19:47
  • I would use something that is easy to do in shell and in Java, maybe base64 encoding? – Henry Feb 25 '15 at 19:56
  • Why not have an application user who owns the properties file (and runs the application) with permissions set to 600; that way there's no code changes needed and people can't peek at the password. – beresfordt Feb 25 '15 at 20:04
  • Base64 is a weak method, use this: http://stackoverflow.com/questions/1205135/how-to-encrypt-string-in-java – Piotr Zych Feb 25 '15 at 20:52
  • In general 2 way encryption is always a bad idea. It is better to correctly protect the properties file so that no one can read it but the application. – M. Deinum Feb 25 '15 at 20:59

1 Answer


I really agree with the comment from xehpuk - why bother at all?

With that being said, one quite simple approach is to use Base64 encoding. In Java 8 you can use the following:

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

...

String originalPasswordString = "johnnyPuma";
// Use an explicit charset so the bytes do not depend on the platform default
byte[] encodedBytes = Base64.getEncoder().encode(
        originalPasswordString.getBytes(StandardCharsets.UTF_8));

// Save the file
Files.write(Paths.get("file.properties"), encodedBytes);


// Read the contents of the file
byte[] decodedBytes = Base64.getDecoder().decode(
        Files.readAllBytes(Paths.get("file.properties")));

String decodedPasswordString = new String(decodedBytes, StandardCharsets.UTF_8);

System.out.println(decodedPasswordString);

The output is:

johnnyPuma

And, the file contents:

am9obm55UHVtYQ==

Luckily, if invoking the base64 command from a bash shell like this:

# printf '%s' avoids the trailing newline that echo would add to the encoded input
base64Password=$(printf '%s' "johnnyPuma" | base64)

The variable base64Password will contain the same encoded value i.e. am9obm55UHVtYQ==.

Note that, as beresfordt pointed out in one of the comments, it is a very good idea to have an application user that owns the properties file. That user should also run the application. If done right, permissions can be set for that user that will prohibit "anyone" from reading the properties file.

Finally, the JavaDocs for Base64 can be found here.

Community
wassgren
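The shell side of the approach in the answer, combined with the file-permission advice from beresfordt's comment, as an added example that is not part of the original answer. The key name `db.password` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: key name "db.password" and all function names are hypothetical.

# Encode a password without the trailing newline that `echo` would add,
# so the result matches Java's Base64.getEncoder() output byte for byte.
encode_password() {
    # tr strips the line wrapping some base64 implementations apply to long input
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Write the properties file so that only the owning (application) user can read it.
write_properties() {
    password=$1
    target=$2
    (
        umask 077    # a new file is created as 0600, never briefly world-readable
        printf 'db.password=%s\n' "$(encode_password "$password")" > "$target"
    )
    chmod 600 "$target"    # also tighten a file that already existed
}

# Read the value back the way the Java side would: take the value of the key,
# then Base64-decode it.
read_password() {
    sed -n 's/^db\.password=//p' "$1" | base64 --decode
}
```

Base64 only hides the value from a casual glance; the `umask`/`chmod` step is what actually keeps other accounts on the server from reading it.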