
I have a Java-based web application where encryption is required for most of the fields in the MySQL database. I went all over the web, Stack Overflow and videos and found the below.

  1. In most posts I went through, the encryption returned binary data
  2. To support the binary data returned by the encryption, the database fields have to be changed, for example changing varchar into varbinary

I really don't have much knowledge of cryptography (I just started learning) and this led me to believe encryption always needs to be done in binary. Then I was looking for an easy-to-use library, and came across Jasypt. Interestingly, I noticed that in Jasypt a String will be encrypted as a String and so on, so I do not have to go and change the database heavily.

Now I have a few questions to ask.

  1. How is Jasypt encrypting a String as a String while other methods I have seen return binary? The same goes for numbers (it encrypts BigInteger and BigDecimal but with no conversion to binary)

  2. Does Jasypt use standard encryption methods?

  3. What is the best encryption algorithm we can use with Jasypt for text and then numbers?

  4. I know Jasypt has password encryption, but passwords should be hash+salt. By encryption did they mean this for passwords?

  5. Jasypt's last publish date is 25 Feb 2014. I hope this is not old, because these encryption methods etc. are mathematical algorithms which do not change much?

PeakGen
  • You've got quite a lot of different questions there. Please reduce this to only one or two questions that are similar and ask the others separately. – Artjom B. Sep 11 '16 at 18:26
  • @ArtjomB.: Thanks, done – PeakGen Sep 11 '16 at 18:28
  • Some answers (pre-edit): 2. Yes. 3. "Best" for what? 4. Yes, they used the same wrong wording to accommodate all the ignorant "encryption learners". – Artjom B. Sep 11 '16 at 18:28
  • @ArtjomB. number 1 please? 3. I mean I tested it and it seems we can pass the encryption method we need as a String argument to `Jasypt`. I am looking for the strongest encryption, possibly suitable to safeguard sensitive info like medical records. – PeakGen Sep 11 '16 at 18:31
  • @PeakGen You should perhaps study encryption "a bit" before you start talking about "suitable to safeguard sensitive info like medical records.". Besides, you have the documentation and sources, so you can check how it encrypts Strings (you're right about encryption happening in binary). – Kayaman Sep 11 '16 at 19:14
  • @Kayaman: Yes, I'm studying now but at the moment I'm looking for an immediate answer to apply to the business solution as it cannot wait. Somewhere I read that Jasypt says it is using a binary mechanism, but mechanism and output are different so I was confused. Basically, I guess I have nothing to worry about because this binary mechanism is generating these `Strings` etc., so it is by default encrypted as it should be (I was totally confused with other ways which generate binaries, so I was looking for a solution like this anyway)? – PeakGen Sep 12 '16 at 03:52
  • @Kayaman: Can you please help me with points 1, 3 and 5? – PeakGen Sep 12 '16 at 10:29
  • @PeakGen I don't really *want* to help you. If you don't understand what you're doing, you shouldn't be working with encryption. My policy is not to help people potentially "fake" their way and create security problems. If you explain your whole situation I may offer you some help. If you have a "secret" project and you can't tell anything, then you're out of luck (and probably in the wrong job). – Kayaman Sep 12 '16 at 10:53
  • @Kayaman: Thanks, please keep your help with you. – PeakGen Sep 12 '16 at 10:56
  • @PeakGen No problem. Try not to create any huge security flaws. – Kayaman Sep 12 '16 at 10:57
  • @Kayaman: Thanks, appreciate it. – PeakGen Sep 12 '16 at 10:57
  • @PeakGen If you need the "strongest security" then you should get someone who knows what they are talking about. You'll end up getting sued by your client when their system gets attacked through a gaping hole you designed. Not trying to be rude, but it happens to developers all the time. Hire someone. – Luke Joshua Park Sep 12 '16 at 11:39
  • @LukePark: But the above lib is doing the encryption, so I guess using that is the solution? I was only wondering why it preferred returning `String` instead of binary (I was looking for a lib which returns `String` anyway). I can see it has a number of standard encryption algos. – PeakGen Sep 12 '16 at 11:41
  • @PeakGen The encryption isn't the hard part, the implementation is. Pretty sure Jasypt doesn't authenticate the ciphertext either. You will end up with a padding oracle or be open to modification in transit. – Luke Joshua Park Sep 12 '16 at 11:43
  • @LukePark: OK, any suggestions for a better encryption library? The database we have is already deployed and used so we can't change fields massively. So libs which encrypt and output a `String` as a `String` and so on will help a lot. – PeakGen Sep 12 '16 at 11:55
  • RNCryptor is pretty good from what I have seen. Your worry of `string` to `binary` is strange. Just store base64 strings? – Luke Joshua Park Sep 12 '16 at 11:58
  • @LukePark: Good point bro, `Jasypt` also does the same, encoding `Base64`. Regarding your raised issue of authentication, how about each user's data being encrypted using a key unique to that user? That means 500 users = 500 unique keys. – PeakGen Sep 12 '16 at 12:02
  • That's not what authentication means in this context. Read about HMACs. If you are serious about implementing it yourself then you should spend at least a few weeks learning about symmetric encryption, block modes etc. – Luke Joshua Park Sep 12 '16 at 12:06
  • @LukePark: Right, thanks Luke. Seems the link in the accepted answer here tells us something - http://stackoverflow.com/questions/9570816/what-is-the-proper-way-to-perform-authenticated-encryption-in-java – PeakGen Sep 12 '16 at 12:50
