Password encryption.
Posted By:   Dan_Kozin
Posted On:   Thursday, August 1, 2002 11:55 PM

Hello, I am pretty new to security issues, so I am looking for some advice about general strategy and various technologies I should use.



I have been asked to redesign the way an older Java Application (applet to DB via JDBC) authenticates passwords. Currently the passwords are being stored openly in the database, which is the first thing I want to change.


My manager doesn't want to spend any money on commercial products, so I only have to work with Sun's JCE library. My manager thinks that something like DES (or triple DES) is enough. Once I encrypt passwords, what do I do with the key? Do I need to hard-code it into the applet code? I want to be able to use it when users log on. Can the JCA generate the same key again?


How do other applications out there maintain encrypted passwords?


Thank you


Dan

Re: Password encryption.

Posted By:   Christopher_Koenigsberg  
Posted On:   Friday, August 2, 2002 07:45 AM

If you only store the encrypted version of the password on the server, expect the client to just send the encrypted version over the wire, and just compare the two encrypted strings on the server (the transmitted encrypted password with the stored encrypted password), then essentially you are just using the encrypted password as a new cleartext password itself. Someone listening on the net can grab the encrypted password and just send that next time.



Otherwise you have to go to some kind of "challenge-response" authentication scheme, but then the server needs the unencrypted plaintext password to generate each challenge. The client uses the plaintext password to generate the response to the challenge and sends that over the wire, and the server compares the response to what should be generated by its algorithm from the actual cleartext password.
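
The two situations in the reply above, as an added Python example that is not part of either post (the original question concerns a Java applet and JCE; the Python here only models the exchange). Scheme A is the hash-and-compare login: the server stores a hash of the password, the client transmits the same hash, and a captured copy replays successfully because the hash has become the effective cleartext password. Scheme B is a challenge-response exchange: the server issues a one-shot random nonce, the client answers with an HMAC over it, and a captured response fails against the next challenge. In Scheme B the server keeps a salted PBKDF2 derivation of the password rather than the literal password; that derived value is still a password-equivalent secret the server must hold. The derivation, the iteration count and all names are assumptions of this example.

```python
"""Hash-and-compare login (replayable) versus challenge-response login (not replayable).

Constructed example; the users, passwords and protocol messages are made up here.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


# ---- Scheme A: server stores H(password); client sends H(password) -------------
def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def scheme_a_login(stored_hash: str, transmitted_hash: str) -> bool:
    # The server accepts whatever came over the wire if it equals the stored value,
    # so the stored hash is the thing an eavesdropper needs, not the password.
    return hmac.compare_digest(stored_hash, transmitted_hash)


# ---- Scheme B: challenge-response over a fresh nonce ----------------------------
PBKDF2_ITERATIONS = 20_000  # assumption: kept low so the example runs quickly


def derive_secret(password: str, salt: bytes) -> bytes:
    # Both sides derive the same secret from the password; the server stores only this.
    # It is still password-equivalent: whoever holds it can answer challenges.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Server:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, derived secret)
        self.pending: Dict[str, bytes] = {}              # user -> outstanding nonce

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_secret(password, salt))

    def challenge(self, username: str) -> Tuple[bytes, bytes]:
        # Message 1 (server -> client): the user's salt and a fresh random nonce.
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        # Message 2 (client -> server) is checked against the nonce issued for this
        # login only; the nonce is consumed so a captured response cannot be reused.
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        _, secret = self.users[username]
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    # The client needs the password itself to compute the response.
    return hmac.new(derive_secret(password, salt), nonce, hashlib.sha256).digest()


def run_demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}

    # Scheme A: an eavesdropper captures the transmitted hash and sends it again.
    stored = hash_password("correct horse")
    captured = hash_password("correct horse")          # what the applet put on the wire
    results["a_legit"] = scheme_a_login(stored, captured)
    results["a_replay"] = scheme_a_login(stored, captured)  # succeeds without the password

    # Scheme B: legitimate login.
    server = Server()
    server.enroll("dan", "correct horse")
    salt, nonce = server.challenge("dan")
    response = client_response("correct horse", salt, nonce)
    results["b_legit"] = server.verify("dan", response)

    # Eavesdropper replays the captured response against a new challenge.
    server.challenge("dan")
    results["b_replay"] = server.verify("dan", response)

    # A wrong password yields a wrong response.
    salt, nonce = server.challenge("dan")
    results["b_wrong"] = server.verify("dan", client_response("wrong", salt, nonce))
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Run it directly to see the five outcomes; a_replay comes back True, which is the weakness the reply describes, while b_replay and b_wrong come back False. The nonce is popped before comparison so that even a failed attempt burns it, and both comparisons use hmac.compare_digest to avoid leaking match length through timing.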
