dcsimg
How to Encryp username/password
1 posts in topic
Flat View  Flat View
TOPIC ACTIONS:
 

Posted By:   Tony_Markham
Posted On:   Thursday, January 1, 2004 11:04 AM

I am writing an RMI application where the server will perform all MySQL database functions (Hidden from the client). Certain functions of the application are to be available only to approved users.

I want to have the RMI Client send encrypted username(s) and password(s) to the server. I would like to be able to decrypt them on the server once received.

Re: How to Encryp username/password

Posted By:   Nick_Maiorano  
Posted On:   Friday, January 2, 2004 08:59 AM

Tony,



Security is a big subject matter in it of itself and is not easily explained in a forum answer. Before you get into devising a solution, you should ask yourself what you are trying to protect, from whom, and what price (in terms of complexity and efficiency) are you willing to pay.



Encryption of passwords typically works this way. The server must first give the client a secret key (which is really a random number). The client then uses this key to encrypt the password and gives it to the server. Typical encryption algorithms include the likes of 3-DES, MD5 and SHA. The server, in turn, remembers what secret key it gave that client and decrypts the password with that key. This requires your client/server interactions to be stateful (i.e. to have sessions). You must never pass the key and the encrypted password together otherwise anybody can intercept the call and decrypt the password.



If you are deploying this app behind a firewall (i.e. in a corporate network), do you really need to have encrypted passwords? In other words, what are you trying to protect and from whom are you shielding passwords?

About | Sitemap | Contact