Java Programming [Archive] - Best Way to encrypt passwords using JSP and MySQL?
This topic has 7 replies on 1 page.

Posts:13
Registered: 5/3/04
Best Way to encrypt passwords using JSP and MySQL?  
Aug 4, 2004 4:51 AM



 
What is the best way to encrypt passwords using JSP and MySQL?

I have a login page and need to enhance the security aspect by encrypting passwords.

I have been thinking of using MD5, but I don't know how to make this Java code interact with the JSP code, or how to write it to the database.

Is there also a way of appending a random number to the MD5 encryption on the server side and then appending that same random number to the MD5 encryption of the password, each time a user logs on?
 

Posts:2,909
Registered: 13.8.2003
Re: Best Way to encrypt passwords using JSP and MySQL?  
Aug 4, 2004 5:01 AM (reply 1 of 7)



 
I have been thinking of using MD5, but I don't know how to interact this Java code with the JSP code as well as writing it to the database?

javax.security package for MD5, java.sql for Database.

Is there also a way of appending a random number to the MD5 encryption on the server side and then appending that same random number to the MD5 encryption of the password, each time a user logs on?

Not random, no.
 

Posts:13
Registered: 8/3/04
Re: Best Way to encrypt passwords using JSP and MySQL?  
Aug 4, 2004 5:03 AM (reply 2 of 7)



 
http://java.sun.com/j2se/1.4.2/docs/api/java/security/MessageDigest.html
 

Posts:3,055
Registered: 18/06/98
Re: Best Way to encrypt passwords using JSP and MySQL?  
Aug 4, 2004 5:35 AM (reply 3 of 7)



 
You can try the old mail.yahoo.com method. I don't know if they modified their method now.

Outline

Yahoo needed to make a safe login and did not want to use SSL because it was a CPU hog in the old days (now you can use SSL without bothering about CPU load because CPUs are faster), so "challenge-response" was chosen. Only MD5 hashes are transmitted via plain HTTP; the actual password is not transferred.

Solution

Yahoo asks for your password in "cleartext" using an SSL connection and stores it in the database.
When you need to log on to Yahoo, Yahoo sends you a random number (or "nonce") in the logon page. A JavaScript MD5 implementation combines that random number with your password, and when you click "Log in", the MD5 of ("nonce", "password") is transmitted back to Yahoo.
To check if the password is valid, Yahoo gets the cleartext password (which is in the database) and combines it with the nonce. If the MD5s match, then you probably have a valid password, and you can enter mail.yahoo.com (or another site that is protected by login.yahoo.com).

Variations

To avoid storing the password in the database, you can try storing the MD5 of the password (it's slightly safer and avoids some problems with passwords of varying lengths: MD5 has a fixed length of 128 bits, or 128/4 = 32 hexadecimal digits). The JavaScript must get the password, calculate the MD5, then combine it with the nonce, and calculate the MD5 again.
 
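The exchange described in the reply above, written out with both sides in one process, as an added example that is not part of the original post or of any Yahoo code. It implements the "Variations" form (the server keeps MD5(password), the client sends MD5(MD5(password) + nonce)); the concatenation order, the 128-bit nonce size, and the single-use nonce table are assumptions, not details given in the post. Only java.security classes from the JDK are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Nonce-based challenge-response login, client and server side in one class. Added example. */
public final class ChallengeResponseDemo {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** MD5 of a UTF-8 string as 32 hex digits, the value a browser-side JavaScript MD5 would produce. */
    static String md5Hex(String s) {
        try {
            return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** What the login page's JavaScript computes: MD5 of (MD5(password) followed by the nonce). */
    static String clientResponse(String password, String nonce) {
        return md5Hex(md5Hex(password) + nonce);
    }

    /** Server side: keeps MD5(password) per user (the post's "variation") plus a table of unused nonces. */
    static final class Server {
        private final Map<String, String> passwordHashes = new HashMap<>();
        private final Set<String> outstandingNonces = new HashSet<>();
        private final SecureRandom rng = new SecureRandom();

        void register(String user, String password) {
            passwordHashes.put(user, md5Hex(password));
        }

        /** Issues a fresh 128-bit nonce and remembers it so it is accepted exactly once. */
        String challenge() {
            byte[] n = new byte[16];
            rng.nextBytes(n);
            String nonce = hex(n);
            outstandingNonces.add(nonce);
            return nonce;
        }

        /** Recomputes the expected response from the stored hash and the nonce; the nonce is consumed on first use. */
        boolean verify(String user, String nonce, String response) {
            if (!outstandingNonces.remove(nonce)) {
                return false; // unknown or already-used nonce: a captured response cannot be replayed
            }
            String storedHash = passwordHashes.get(user);
            if (storedHash == null) {
                return false;
            }
            String expected = md5Hex(storedHash + nonce);
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         response.getBytes(StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) {
        Server server = new Server();
        server.register("alice", "s3cret");                      // constructed sample user

        String nonce = server.challenge();                        // server -> client: the nonce in the login page
        String response = clientResponse("s3cret", nonce);        // client -> server: the MD5 computed in JavaScript
        System.out.println("correct password accepted: " + server.verify("alice", nonce, response));
        System.out.println("same response replayed:    " + server.verify("alice", nonce, response));

        String nonce2 = server.challenge();
        System.out.println("wrong password accepted:   " + server.verify("alice", nonce2, clientResponse("wrong", nonce2)));
    }
}
```

Two caveats a practitioner should keep in mind with this scheme: the stored MD5(password) is exactly the secret the client needs, so anyone who reads the database can log in without ever learning the password, and anyone who sniffs a nonce/response pair can guess passwords offline against it. The single-use nonce table only stops replay of a captured response; it does not address either of those.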

Posts:13
Registered: 5/3/04
Re: Best Way to encrypt passwords using JSP and MySQL?  
Aug 4, 2004 8:12 AM (reply 4 of 7)



 
Let's assume that you are writing a web application to be run in a servlet container. Your registration servlet might have the following portion (for clarity, I omitted input validation steps and assume that a password value was passed in within the password form input field):

[...]
public void doPost(HttpServletRequest request, HttpServletResponse response)
{
  User user = new org.myorg.registration.User();
  // Hash the submitted form field before it reaches the User object or the database.
  user.setPassword(org.myorg.services.PasswordService.getInstance().encrypt(request.getParameter("password")));

[...]

Here is the definition of my PasswordService class that does the job of generating a one-way hash value:

package org.myorg.services;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.myorg.SystemUnavailableException;
import sun.misc.BASE64Encoder; // JDK-internal class; java.util.Base64 is the supported replacement on Java 8+

public final class PasswordService
{
  private static PasswordService instance;

  private PasswordService()
  {
  }

  // One-way hash of the plaintext: the result cannot be reversed, only recomputed and compared.
  public synchronized String encrypt(String plaintext) throws SystemUnavailableException
  {
    MessageDigest md = null;
    try
    {
      md = MessageDigest.getInstance("MD5"); // step 2: obtain a digest object
    }
    catch (NoSuchAlgorithmException e)
    {
      throw new SystemUnavailableException(e.getMessage());
    }
    try
    {
      md.update(plaintext.getBytes("UTF-8")); // step 3: fixed charset, so the same password always hashes the same way
    }
    catch (UnsupportedEncodingException e)
    {
      throw new SystemUnavailableException(e.getMessage());
    }
    byte raw[] = md.digest(); // step 4: 16 raw bytes for MD5
    String hash = (new BASE64Encoder()).encode(raw); // step 5: Base64 so the value is plain ASCII for the database column
    return hash; // step 6
  }

  public static synchronized PasswordService getInstance() // step 1
  {
    if (instance == null)
    {
      instance = new PasswordService(); // the original returned a new object without caching it, so it was never a singleton
    }
    return instance;
  }
}


I have the following Java code to obtain the message digest; I am just wondering how I can combine the above with the JSP code, i.e. the password string from an HTML form?

 

Posts:13,250
Registered: 24/10/97
Re: Best Way to encrypt passwords using JSP and MySQL?  
Aug 4, 2004 10:07 AM (reply 5 of 7)



 
I have been thinking of using MD5, but I don't know how to interact this Java code with the JSP code as well as writing it to the database?
MD5 is a 'hash' and not an encryption. An MD5 value cannot be 'decrypted'.

This doesn't mean to say one can't use MD5 to obscure the password since one does not need to decrypt the value in the database. One can just compare MD5 hashes rather than compare passwords.
 

Posts:3,258
Registered: 00-08-28
Re: Best Way to encrypt passwords using JSP and MySQL?  
Aug 4, 2004 11:27 AM (reply 6 of 7)



 
I have been thinking of using MD5, but I don't know how to interact this Java code with the JSP code as well as writing it to the database?
MD5 is a 'hash' and not an encryption. An MD5 value cannot be 'decrypted'.

This doesn't mean to say one can't use MD5 to obscure the password since one does not need to decrypt the value in the database. One can just compare MD5 hashes rather than compare passwords.

With the added advantage that the passwords stored in the database are also kind of encrypted, so anybody with access to the database does not have access to the passwords.
 

Posts:4,500
Registered: 17.04.98
Re: Best Way to encrypt passwords using JSP and MySQL?  
Aug 5, 2004 12:48 AM (reply 7 of 7)



 
To be sure the database doesn't mangle the hashed password, UUEncode it for good measure so it is sure to fit in plain ASCII.
That once solved a nasty problem I encountered where perfectly fine hashes would be returned mangled by the JDBC driver on reading them from the database (they were actually mangled during writing).
 
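One way to tie the pieces of this thread together (the one-way hash from reply 4, the "compare hashes, not passwords" login check of replies 5 and 6, the ASCII-safe encoding of reply 7, and the per-user random value the original question asked about), as an added example that is not code from the thread or from any poster. It generalizes the posted PasswordService with a random salt stored next to the hash. Assumptions: SHA-256 is used in place of the thread's MD5 (MD5 is a drop-in via the ALGORITHM constant but is cryptographically broken), java.util.Base64 (Java 8+) replaces sun.misc.BASE64Encoder, and the MySQL table users(username, password_hash) is invented for the JDBC methods; the main method uses a Map instead so it runs offline with no driver.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Salted one-way password hashing, ASCII-safe storage, and hash comparison on login. Added example. */
public final class SaltedPasswordService {
    // The thread uses "MD5"; it works here unchanged, but SHA-256 is used because MD5 is broken.
    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    private SaltedPasswordService() {}

    /** digest(salt || password) with a fixed charset so the same input always hashes the same way. */
    static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    /** Returns "base64(salt)$base64(hash)": plain ASCII, so nothing in JDBC or the column charset can
     *  mangle it, and the per-user random salt is stored beside the hash it belongs to. */
    public static String hashForStorage(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest(salt, password));
    }

    /** Login check: re-hash the submitted password with the stored salt and compare hashes, never passwords. */
    public static boolean verify(String password, String stored) {
        int sep = stored.indexOf('$');
        if (sep < 0) {
            return false; // malformed record
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(stored.substring(0, sep));
        byte[] expected = dec.decode(stored.substring(sep + 1));
        return MessageDigest.isEqual(expected, digest(salt, password)); // constant-time comparison
    }

    // JDBC glue. Assumed table (not from the thread): users(username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(128)).
    // In a servlet or JSP, the password argument is simply request.getParameter("password").
    public static void register(Connection db, String username, String password) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement(
                "INSERT INTO users (username, password_hash) VALUES (?, ?)")) {
            ps.setString(1, username);
            ps.setString(2, hashForStorage(password));
            ps.executeUpdate();
        }
    }

    public static boolean login(Connection db, String username, String password) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT password_hash FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && verify(password, rs.getString(1));
            }
        }
    }

    /** Offline demo: a Map stands in for the MySQL table so this runs without a driver. */
    public static void main(String[] args) {
        Map<String, String> users = new HashMap<>();                  // constructed sample data
        users.put("alice", hashForStorage("correct horse battery"));
        System.out.println("stored record:           " + users.get("alice"));
        System.out.println("right password verifies: " + verify("correct horse battery", users.get("alice")));
        System.out.println("wrong password verifies: " + verify("wrong", users.get("alice")));
        System.out.println("same password, new salt: " + hashForStorage("correct horse battery").equals(users.get("alice")));
    }
}
```

The salt is what answers the original question's "random number": it is generated per user at registration, stored in the clear next to the hash, and reused at login, so two users with the same password get different records and a precomputed table of hashes is useless. MessageDigest hashes are deliberately fast, which is the wrong property for a password store; for anything real, prefer a slow key-derivation function such as PBKDF2 (available in the JDK as SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")) or bcrypt/scrypt/Argon2 from a library, keeping the same salt-beside-hash layout.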