
I used a Jersey web service in the Java language.

I have this code:

    import java.util.List;
    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.PathParam;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.MediaType;
    import net.sf.json.JSONArray;   // json-lib, which provides JSONArray.fromObject

    @GET
    @Path("/getList/{login}/{password}/{email}")
    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
    public String getList(@PathParam("login") String login,
                          @PathParam("password") String password,
                          @PathParam("email") String email) {
        // Reject missing or empty credentials
        if (login != null && !"".equals(login) && password != null && !"".equals(password)) {
            // Credentials are fixed on the server side and compared with the URL parameters
            if (login.equals("admin") && password.equals("12345")) {
                List list = findDataList(login, password, email);
                if (list != null && list.size() > 0) {
                    JSONArray arrayObj = JSONArray.fromObject(list);
                    return arrayObj.toString();
                } else {
                    return "No Data ";
                }
            } else {
                return "access denied ";
            }
        } else {
            return "access denied ";
        }
    }

and I used this URL to test the web service:

 http://localhost:8080/projectTest/service/getList/admin/1235545/test@yahoo.com

I have a login and password that are fixed on the server side ("admin", "12345") and will be compared with the parameters that are sent in the web service URL.

My goal is to know how to secure the sending of the password parameter.

I want the password to be encrypted using MD5 and then decrypted in the getList method.

I think that the best way is to use the same key to encrypt and decrypt the password on the client and server side.

Vladimir Vagaytsev
franco

Comments:

  • md5 is a hash function. it is **NOT** encryption, and you can **NOT** "decrypt" an md5 hash. it's a meat grinder: cow goes in, hamburger comes out. you cannot take that hamburger and reassemble the original cow. – Marc B Jun 14 '16 at 20:24
  • login should be a POST request + you typically don't encrypt clientside/in transfer it because it is already encrypted because you use https only. – zapl Jun 14 '16 at 20:29
  • @MarcB I'm eager to prove you wrong in five hundred years when we have the technology to reassemble a cow out of a hamburger. – Saturn Jun 14 '16 at 21:39

1 Answer

As stated in the comments, MD5 is a one-way hash. This means that once hashed, you cannot recover the original value.

This is good security, but maybe your approach can be improved.

Instead of "decrypting" the existing password, you can hash the password that has been entered, and compare this hash with the existing password hash. If they are the same, then the password is the same, and you can authorize the login attempt.

  • MD5 "can" be decrypted using MD5 hash dictionaries, but still it is hard for non-common password.

If you still need the decrypted password, you can take a look at this related question about encrypting and decrypting.

Cristian Meneses
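The hash-and-compare approach the answer describes, written out as an added example that is not from the question, the answer, or any of the commenters. It swaps unsalted MD5 for salted PBKDF2 (javax.crypto, shipped with the JDK) because of the dictionary-lookup weakness the answer's bullet mentions, compares the two hashes with MessageDigest.isEqual so a mismatch takes the same time as a match, and, following zapl's comment, moves the credentials from the URL path into a POST form body that is expected to travel over HTTPS. The ListResource class, its findDataList lookup, and the stored hash (derived at startup from the question's fixed "12345" so the example is self-contained) are all assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/** Hash what the client sent, compare it with the stored hash; nothing is ever "decrypted". */
final class PasswordHashing {
    private static final int ITERATIONS = 120_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** Stored form: "pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>". */
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);            // fresh random salt per password
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return "pbkdf2-sha256$" + ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    /** Re-hashes the submitted password with the stored salt and compares in constant time. */
    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2-sha256".equals(parts[0])) {
            return false;                               // unknown or malformed stored format
        }
        int iterations = Integer.parseInt(parts[1]);
        Base64.Decoder dec = Base64.getDecoder();
        byte[] expected = dec.decode(parts[3]);
        byte[] actual = pbkdf2(password, dec.decode(parts[2]), iterations);
        return MessageDigest.isEqual(expected, actual); // no early exit on the first differing byte
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                       // drop the plaintext copy held by the spec
        }
    }
}

/** Hypothetical Jersey resource: credentials arrive in a POST body (over HTTPS), not in the URL path. */
@Path("/service")
public class ListResource {
    private static final String ADMIN_LOGIN = "admin";
    private static final String ADMIN_HASH;

    static {
        try {
            // Assumption: a real deployment reads the stored hash from configuration or a user store.
            // Here it is derived once at startup from the question's fixed password "12345".
            ADMIN_HASH = PasswordHashing.hashPassword("12345".toCharArray());
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    @POST
    @Path("/getList")
    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
    public Response getList(@FormParam("login") String login,
                            @FormParam("password") String password,
                            @FormParam("email") String email) throws Exception {
        // Evaluate both checks before branching so a bad login is not distinguishable by timing
        boolean loginOk = login != null && ADMIN_LOGIN.equals(login);
        boolean passwordOk = password != null
                && PasswordHashing.verifyPassword(password.toCharArray(), ADMIN_HASH);
        if (!(loginOk && passwordOk)) {
            return Response.status(Response.Status.UNAUTHORIZED).entity("access denied").build();
        }
        List<String> list = findDataList(login, email);  // the lookup no longer needs the password
        if (list == null || list.isEmpty()) {
            return Response.status(Response.Status.NOT_FOUND).entity("No Data").build();
        }
        return Response.ok(list).build();               // the registered JSON provider serializes the list
    }

    /** Assumed stand-in for the question's findDataList; returns constructed sample rows. */
    private List<String> findDataList(String login, String email) {
        return Arrays.asList("row-1 for " + login, "row-2 for " + email);
    }
}
```

A client then sends `login`, `password` and `email` as form fields in the POST body; with the URL from the question, the password "1235545" is rejected with 401 while "12345" is accepted. Because verifyPassword re-derives the hash with the salt and iteration count embedded in the stored string, the iteration count can be raised later without breaking existing entries.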