
Good day, I have used google/tink to encrypt a password for storing in a DB using these steps:

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadFactory;
import com.google.crypto.tink.aead.AeadKeyTemplates;

// 0. Register the AEAD key managers (required before any AEAD template can be used).
AeadConfig.register();

// 1. Generate the key material.
KeysetHandle keysetHandle =
    KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM);

// 2. Get the primitive.
Aead aead = AeadFactory.getPrimitive(keysetHandle);

// 3. Use the primitive to encrypt a plaintext (byte[]); aad is associated data that is
//    authenticated but not encrypted, and must be supplied again on decryption.
byte[] ciphertext = aead.encrypt(plaintext, aad);

It basically converts the password into bytes, but when I convert it into a string to store in the DB, it stores the encrypted password in this format: -�@~�k�D߶{׼�.

But I want to store the password in a format like 11As7737Cs9ue9oo09 using Tink encryption.

Is there any way to do it?

chuckx
Manish Mehta
    See the tag. There is no such thing as password encryption in a properly designed secure system. – user207421 May 08 '18 at 11:04
  • 3
    **Do not encrypt passwords**: when the attacker gets the DB, he will also get the encryption key. Just using a hash function is not sufficient, and just adding a salt does little to improve the security. Iterate over an HMAC with a random salt for about a 100 ms duration and save the salt with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `Argon2`, `password_hash`, `Bcrypt` or similar functions. The point is to make the attacker spend a substantial amount of time finding passwords by brute force. – zaph May 09 '18 at 06:05
  • @zaph Thanks for the suggestion, will surely do that – Manish Mehta May 09 '18 at 12:18

2 Answers

6

Manish, you might not want to encrypt the passwords. You want to hash them. Tink doesn't support password hashing yet, but we can add support if there's enough interest.

Could you please file for a feature request at https://github.com/google/tink/issues/new?

Thai Duong
3

I agree with everyone here that you SHOULD NOT store passwords in the clear.

However, I will answer your question, because I think it's a common problem when you get some cipher text and the string is unreadable. Say you wanted to store non-password data encrypted, and readable. You would need to Base64 encode your cipher text.

When you retrieve your Base64 encoded data back from the database, you would then need to Base64 decode the String and then run it through your decryption process. Building on your example:

// Base64 turns the raw ciphertext bytes into printable ASCII that is safe to store in a text column.
String readable = java.util.Base64.getEncoder().encodeToString(ciphertext);

// On the way back, undo the Base64 encoding first, then pass the bytes to aead.decrypt(...).
byte[] bytesToDecrypt = java.util.Base64.getDecoder().decode(readable);
Nick H
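Putting the two points together, as an added Java example that is not from the question, the answers or the Tink project: a non-password secret is encrypted with Tink and stored as Base64 text (Nick H's answer), while a password is never encrypted but stored as a salted, slow PBKDF2 hash (zaph's comment). The class name `StorageDemo`, the `"iterations:salt:hash"` record layout, the iteration count and the sample inputs are assumptions; it also assumes a Tink version that offers `KeysetHandle.getPrimitive(Aead.class)`.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class StorageDemo {
    // Non-password secret (e.g. an API token): Tink AEAD ciphertext, stored as Base64 text.
    static String encryptForDb(Aead aead, String secret, byte[] aad) throws Exception {
        byte[] ciphertext = aead.encrypt(secret.getBytes(StandardCharsets.UTF_8), aad);
        return Base64.getEncoder().encodeToString(ciphertext); // printable, safe for a VARCHAR column
    }
    static String decryptFromDb(Aead aead, String stored, byte[] aad) throws Exception {
        return new String(aead.decrypt(Base64.getDecoder().decode(stored), aad), StandardCharsets.UTF_8);
    }
    // Password: never encrypt; store a slow, salted PBKDF2 hash as "iterations:salt:hash" (assumed layout).
    static final int ITERATIONS = 310_000; // assumption: tune so one derivation takes roughly 100 ms
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt for every password
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }
    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    public static void main(String[] args) throws Exception {
        AeadConfig.register();
        Aead aead = KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM).getPrimitive(Aead.class);
        byte[] aad = "user:42".getBytes(StandardCharsets.UTF_8); // constructed sample context
        String stored = encryptForDb(aead, "api-token-xyz", aad); // constructed sample secret
        System.out.println(stored + " -> " + decryptFromDb(aead, stored, aad));
        String record = hashPassword("correct horse".toCharArray()); // constructed sample password
        System.out.println(verifyPassword("correct horse".toCharArray(), record)
            + " " + verifyPassword("wrong".toCharArray(), record));
    }
}
```

Note that the keyset in `main` is generated fresh on every run, so in a real service it must be persisted (ideally wrapped by a KMS) or previously stored ciphertexts can no longer be decrypted.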