12 Replies Latest reply on Oct 24, 2002 12:39 PM by richardberger

    How to encrypt passwords using j_security_check?

    richardberger

Building a system where users can self-register. Thought it would be nice to encrypt their passwords. Can use Sun's JCE to handle the encryption. But how to make this work with j_security_check? Is this finally a reason to drop j_security_check and do everything in JAAS?

      Has anyone tried to do this? Any feedback would be appreciated - it seems like a common task.

      Thanks all!
      RB

        • 1. Re: How to encrypt passwords using j_security_check?
          richardberger

          I haven't implemented it yet, but this actually appears straightforward.

          1. On the form, change the name of the password field from "j_password" to "raw_password".
          2. Create a hidden field named "j_password"
          3. Prior to the form being submitted, calculate the MD5 digest for the password - since we are just verifying the password upon login, we can use a one-way encryption. MD5 javascript algorithms are available on the web.
          4. When the user registers, use the same MD5 javascript to "encrypt" the password they entered.

          (As I started writing this, I thought I needed to use MD5 that is part of JDK, but it is even easier).

          Will repost once it all works.

          RB

          • 2. Re: How to encrypt passwords using j_security_check?
            richardberger

Turns out that this is indeed trivial and can all be done in JavaScript. Basically I just had a "j_password_raw" field where the user entered text and, before calling j_security_check, I encrypted the password with a one-way hash and put the result in the "real" j_password field. No need for JCE or even anything on the server.

            Of course, this isn't really secure since I am not using SSL, but it does solve the problem of having passwords in cleartext in the database.

            Enjoy,
            RB

            • 3. Re: How to encrypt passwords using j_security_check?
              kenryu

Hi,
Do you mind posting the complete code on the forum? Thanks in advance, I appreciate it.

              • 4. Re: How to encrypt passwords using j_security_check?
                noel.rocher

                Hi Richard,


Why do that hashing in the browser when you can do it with Java on the server?
You still need SSL protection, so for simplicity, the only field you need in your form is the password.
I've done it and saved the digest in a user table for further authentication (in a very simple application).
It works fine.

                Noel

                • 5. Re: How to encrypt passwords using j_security_check?
                  kenryu

Hi Noel,
Can you send me the sample code please? Thanks in advance, I appreciate it.


                  ^_^

                  • 6. Re: How to encrypt passwords using j_security_check?
                    kenryu

Hi Noel,
Can you send me the sample code please? Thanks in advance, I appreciate it.


                    ^_^

                    • 7. Re: How to encrypt passwords using j_security_check?
                      noel.rocher

                      Hi kenryu,

Here is the code:
=========================================
import java.net.URLEncoder;
import java.security.MessageDigest;
MessageDigest encryptor = MessageDigest.getInstance(ENCRYPT_ALGORITHM);
encryptor.update(myPasswordString.getBytes("UTF-8"));
// ISO-8859-1 maps every byte to exactly one char, so no digest bytes are lost in the byte[] -> String step
myDBStorage.setPassword(URLEncoder.encode(new String(encryptor.digest(), "ISO-8859-1"), "ISO-8859-1"));
=========================================

Note that I use the URLEncoder class to obtain a readable, DB-storable string (without any strange chars that can cause problems), and this class changed in JDK 1.4. Read the javadocs, which will tell you all about this change.

ENCRYPT_ALGORITHM is a string constant that can take values such as "MD5", "SHA", ... (again, more in the javadocs).


                      Pleased to help you.
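As an added example (my code, not Noel's snippet and not from any JBoss project source), here is the server-side variant a practitioner would want today: a per-user random salt, hex encoding so the stored value is plain ASCII with no lossy byte-to-String conversion, and a constant-time comparison at login. The algorithm name "SHA-256", the class and method names, and the "salt$digest" storage layout are my choices, not anything the thread specifies; with j_security_check the container's login module, not the form, would call `verify`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example: salted one-way password storage for a self-registration form.
public class PasswordDigest {
    // Assumption: SHA-256 is offered by the JDK's default provider (true for any modern JDK).
    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RANDOM = new SecureRandom();

    // Hex-encode bytes: every byte maps to two ASCII chars, so the value is DB-safe and reversible.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // digest(salt || password): the salt makes equal passwords hash differently per user
    // and defeats precomputed (rainbow) tables over the unsalted digest.
    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(ALGORITHM);
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    // Value to write into the user table at registration: "<hex salt>$<hex digest>".
    public static String hashForStorage(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        return toHex(salt) + "$" + toHex(digest(salt, password));
    }

    // Check a login attempt against the stored value; MessageDigest.isEqual compares in
    // constant time, so the response time does not leak how many leading bytes matched.
    public static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
        int sep = stored.indexOf('$');
        if (sep < 0) {
            return false;
        }
        byte[] salt = fromHex(stored.substring(0, sep));
        byte[] expected = fromHex(stored.substring(sep + 1));
        byte[] actual = digest(salt, password);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not data from the thread.
        String stored = hashForStorage("correct horse");
        System.out.println("stored:  " + stored);
        System.out.println("correct: " + verify("correct horse", stored));
        System.out.println("wrong:   " + verify("wrong password", stored));
    }
}
```

Two things worth knowing when wiring this to j_security_check: the container does the credential check, so whatever login module backs the realm must apply the same salt-and-digest scheme (JBoss's DatabaseServerLoginModule, for example, has `hashAlgorithm` and `hashEncoding` options, but they cover an unsalted digest only, so a salted layout like the one above needs a custom login module). And a plain digest is fast by design; for new systems a deliberately slow password KDF such as PBKDF2 (`PBKDF2WithHmacSHA256` via `javax.crypto.SecretKeyFactory`) is the better choice, with the same salt-and-verify structure.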

                      • 8. Re: How to encrypt passwords using j_security_check?
                        richardberger

                        Sorry - was on vacation - but it looks like your question has been solved. Apologies for any inconvenience - let me know if I can be of any future help.

                        RB

                        • 9. Re: How to encrypt passwords using j_security_check?
                          kenryu

                          actually you can probably help me with sending me a sample code...:)


Thanks

                          • 10. Re: How to encrypt passwords using j_security_check?
                            ronaldtm

Then there's no security at all! If someone listens to the connection and gets the parameters, he could use the already encrypted password to replay the login. The TCP connection itself isn't encrypted (as it would be using SSL), and the password is still in plain text (although hashed by MD5).

There must be a way to make the connection go through SSL...

                            • 11. Re: How to encrypt passwords using j_security_check?
                              ronaldtm

The previous post was about the MD5 at the client. About hashing the password on the server: it protects the password from the database administrator, because he won't see it in plain text, but it won't prevent anyone who captures the connection from reading the password in plain text.

Again, we need SSL, although I don't know exactly how to do it... Maybe with the parameter CONFIDENTIAL in the descriptor?

                              • 12. Re: How to encrypt passwords using j_security_check?
                                richardberger

                                Ronald: You are absolutely correct. This does nothing to prevent snoopers. It only provides security from someone browsing through the database - they won't be able to see the passwords there.

For over-the-wire security, SSL is needed and I think that CONFIDENTIAL is the way to go, but since I haven't configured SSL, I can't be absolutely sure.

                                My system is a "fun system" but I wanted to be able to tell users that I wouldn't be able to read the passwords that they entered - not that this was a secure system.

                                Enjoy,
                                RB