
Is it possible to encrypt or at least obfuscate the encryption password?

I'm pretty curious about encryption in Java.

I'm following this tutorial, https://medium.com/@javatechie/spring-boot-password-encryption-using-jasypt-e92eed7343ab, and it's pretty interesting, but my main problem is when we reach this code:

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JasyptEncryptorConfig {

    @Bean(name = "jasyptStringEncryptor")
    public StringEncryptor getPasswordEncryptor() {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword("javatechie"); // encryptor's private key (the PBE password, hardcoded in the source)
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setStringOutputType("base64"); // encrypted values are emitted as Base64 text
        encryptor.setConfig(config);
        return encryptor;
    }
}

config.setPassword("javatechie"); // encryptor's private key is, in my opinion, a huge security hole: someone who gets hold of the jar and decompiles it will get the encryption password for sure.

So my main question: is it possible to encrypt that password, or obfuscate it with something, in order to make it a huge challenge, or at least make it impossible to get the password at a simple glance?

I'm just curious. I tried some kind of bit shifting ("<<"), but it's so simple that in the end the string with the true password needs to be hardcoded somewhere.

  • Irrespective of what you use to obfuscate your password (call it a password of the password or anything), there will be one plaintext component that you need to pass to the program for it to work. Now, how do you pass that password, whether at runtime via some config file or some KMS or anything? There is no straightforward answer to this. EOD we are adding a layer of protection. – Suchandra T Jun 03 '23 at 08:51
  • Get the user to provide their own password, either through a system property, an environment variable, or some other method which suits your application. – tgdavies Jun 03 '23 at 09:21
  • No, because the encryption password is declared in the source code: private static final char[] PASSWORD = "Unauthorized_Personel_Is_Unauthorized".toCharArray(); – Michael Evan Jun 03 '23 at 18:22
  • Obfuscation would just require you to re-arrange the data in some non-standard way. If a program was trying to scan your code for the text _"password"_, you wouldn't want it to be able to decode the values around it. I believe obfuscation is meant as a deterrent, and not necessarily a solution. So, realistically, it could be a complete class with methods and fields. – Reilas Jun 03 '23 at 18:43
  • What are you trying to achieve? If you include the password in your executable code, it can be recovered by the user no matter how you obfuscate it, simply by using a debugger. – tgdavies Jun 04 '23 at 00:50
  • Is the question not clear enough? The encryption password, at least in all the documents I found, is always in the source code or loaded from a .properties file; obfuscating or encrypting it would make it difficult. Do you know how to accomplish that? – Michael Evan Jun 04 '23 at 01:52
  • It's trivial to find the `setPassword` call and put a breakpoint there, so obfuscation buys you nothing. You haven't explained what information you want to protect from which attackers. – tgdavies Jun 04 '23 at 03:15
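
As an added example (not the asker's code and not the linked tutorial's), here is the same Jasypt bean rewritten the way the comments suggest: the master password is read from a system property or an environment variable when the application starts, and the application refuses to start if neither is set, so no secret is compiled into the jar. The names `jasypt.encryptor.password` and `JASYPT_ENCRYPTOR_PASSWORD` are assumptions chosen for the example. It also swaps the tutorial's `PBEWithMD5AndDES` for `PBEWITHHMACSHA512ANDAES_256`, which needs a random IV generator and therefore Jasypt 1.9.3 or later on the classpath.

```java
// Added example, not from the question or the tutorial it links.
// Assumes jasypt 1.9.3+ (IV generator support) and spring-context.
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JasyptEncryptorConfig {

    // Hypothetical names for this example; pick whatever fits your deployment.
    static final String SYS_PROP = "jasypt.encryptor.password";
    static final String ENV_VAR = "JASYPT_ENCRYPTOR_PASSWORD";

    @Bean(name = "jasyptStringEncryptor")
    public StringEncryptor getPasswordEncryptor() {
        return buildEncryptor(resolvePassword());
    }

    /** Look up the master password at runtime; refuse to start without it. */
    static char[] resolvePassword() {
        String fromProp = System.getProperty(SYS_PROP);
        String fromEnv = System.getenv(ENV_VAR);
        String pw = (fromProp != null) ? fromProp : fromEnv;
        if (pw == null || pw.isEmpty()) {
            // Fail fast: a missing password must not silently fall back to a default.
            throw new IllegalStateException(
                "Jasypt master password not provided; set -D" + SYS_PROP
                + " or the " + ENV_VAR + " environment variable");
        }
        return pw.toCharArray();
    }

    /** Same pooled PBE encryptor as the tutorial, minus the hardcoded password. */
    static PooledPBEStringEncryptor buildEncryptor(char[] password) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPasswordCharArray(password);
        // AES-256 with HMAC-SHA512 key derivation instead of PBEWithMD5AndDES.
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        // AES in CBC mode needs a fresh IV per encryption; required by this algorithm.
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor;
    }

    // Stand-alone round trip, run as:
    //   java -Djasypt.encryptor.password=<secret> JasyptEncryptorConfig
    public static void main(String[] args) {
        PooledPBEStringEncryptor enc = buildEncryptor(resolvePassword());
        String cipherText = enc.encrypt("db-secret"); // constructed sample value
        System.out.println("ENC(" + cipherText + ")"); // paste into application.properties
        System.out.println(enc.decrypt(cipherText));
    }
}
```

This moves the secret out of the artifact, which is the threat the question describes (decompiling the jar); it does not protect against someone who can attach a debugger to the running process or read its environment on the host, which is the point tgdavies makes. The value itself still has to come from something the deployment controls (a secrets manager, an init step that sets the variable, a file readable only by the service account), not from a .properties file committed next to the code.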

0 Answers