3
I need to encrypt the data in a user authentication session, and I would like to know the best, most secure way to work with Java encryption. Is it using Salt, MD5, AES, SHA, or other? Which API’s recommended for this job? What are the advantages and disadvantages of each data encryption mode.
3
I don’t understand very well how you are doing your session, if it is by HEADER Basic to each request.
Ex: HTTP Authentication Basic MD5(username:password)
If so, I would advise using the flow password OAUTH2.
That is nothing more than persist the user session in a database and traffic an identifier instead of access data, of course with some endpoint name conventions and parameters.
Now as for the encryption methods I would surely indicate the bcrypt.
Because?
The MD5 always generates the same hash, ie if you cryptograph a value, the hash for that value will always be the same, this facilitates the attacker who with some effort can go making the hash until it reaches the value.
example:
Se eu fizer o hasg desse texto:
MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
Se fizer denovo, da o mesmo valor:
MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
O Bcrypt always generates a different hash, which when compared to another hash generated it returns whether it is valid or not.
example:
Se eu fizer o hash desse texto:
Bcrypt("The quick brown fox jumps over the lazy dog") = "$2a$10$o2o0OMLJh4M6EQuF9Tk/Ceidt/JSFOpPzNl6WSIQV9ip.VyrlW8py"
Se eu fizer denovo, o valor sai diferente:
Bcrypt("The quick brown fox jumps over the lazy dog") = "$83e912b45ea3cbd8f99163323dt/JSFOpPzNl6WSIQV9ip.1313aC"
Mas se você comprar os dois atraves de uma função do Bcrypt
Bcrypt.compare("$83e912b45ea3cbd8f99163323dt/JSFOpPzNl6WSIQV9ip.1313aC", "$2a$10$o2o0OMLJh4M6EQuF9Tk/Ceidt/JSFOpPzNl6WSIQV9ip.VyrlW8py") == true
Basic conclusion, comparing the hash through a slow (purposely) function, makes it very difficult and slow for the attacker to arrive at the correct value, so preferably bcrypt or some comparison algorithm for sensitive data.
Thanks for your reply @Rodrigo, in fact as I had not yet worked with cryptography in java, was in doubt in the best and most advisable way to do it. I liked your explanation regarding bcrypt, and your statement regarding Oauth2. vlw
There is something very strange in this example of Bcrypt: first, the outputs have different lengths (should always give the same); second, you are comparing two different hashes and it is giving true?! Where is this example from, do you happen to remember the source? Surely there’s something wrong there...
Hello, the example is my own, I didn’t take it from anywhere. You can execute the code, in the answer I explain what is happening by copying ("Bcrypt always generates a different hash, which when compared to another generated hash it returns whether it is validated or not." ). But just to add something new and not only copy, bcrypt is safe precisely because of this, whenever you generate a hash it generates with a different value, but the two compared to its function ( not with the same javascript ) return true (true).
3
From what I read in your comments, the encryption will serve a web system developed in Java. Have you heard of the framework Spring Security? It enables you to implement authentication rules and access controls in a relatively simple way. I myself have already developed a system in Java Web with login and access controls using as encryption the bcrypt, that is much better than the MD5 that is becoming (or has become) obsolete.
I’ve heard of Sprint Segurity yes @Electus, the problem is that they’re avoiding using frameworks, so I’m leaving it as a second option if I can’t find another way out. Thanks for the help.
@Ericosouza "Avoiding using frameworks" is the same as "we think we better reinvent a rough wheel". Of course you can directly use bcrypt and if you already use some other framework I know you can "weigh" add one more, but consider that Spring Security is one of the most mature and flexible tools available today. Just one more remark: all the projects I know where "security" was implemented manually ended up sooner or later with problems because of this, whether in the hands of a more "clever" user who learns to circumvent security or an expert.
@utluiz yeah, I agree with you, but my manager was clearly about frameworks, he wanted something "pure". I do not know if he had bad experiences, but I have the impression that he thinks that every framework only deals with problems. However, knowing the risks of developing something from scratch, mainly about cryptography, I developed a routine, but I stepped in, documented the risks, and indicated the use of Spring Security. These trustable frameworks are there to make our life easier.
Browser other questions tagged java security-guard cryptography md5
You are not signed in. Login or sign up in order to post.
What are you really trying to do? Cryptography is very delicate, it’s very easy to do something that seems safe but be careful. Golden rule in this area: use a library, never implement an algorithm yourself unless you know exactly what you’re doing.
– Guilherme Bernal
@Guilhermebernal I need to use in the user authentication area on a web system. Which library do you recommend me to use? In Asp.net I know well, but in Java I don’t know much about cryptography and libraries that do this work.
– Erico Souza
I don’t have specific knowledge of java, but I believe that
SSLSocketwhatever it is you’re looking for.– Guilherme Bernal
From what I understand you want to create an authentication using hash to store the password, and want to know which is the best way (safer and more efficient) and which libraries/frameworks can you use? Right? If that’s what I recommend taking a look at these two topics right here in SO-PT: Java algorithm (with PBKDF2) and the one that deals with "How to hash passwords securely?", I believe that will not answer your question, but will help you and understand the problem.
– Fernando Leal
Thanks for the help @Fernando I will look at these topics and see what I get with them. Thanks.
– Erico Souza
I still can’t understand exactly what data should be encrypted in a web system login by Java code. The first precaution is to use SSL/HTTPS. What Fernando said makes sense, but it has nothing to do with "authentication session" but how passwords are stored in the database. Is that right? If it is, it is good to understand that these algorithms do not depend on a platform. If you already use any in C#, the effect from a security point of view will be the same in Java or any language.
– utluiz