Java and Postgresql/ MYSQL encryption

Viewed 2,138 times

Hello, I have a question about my college project. The scope says: "Users and passwords can be stored in the database, using the database's own encryption."

Is the encryption in both databases MD5 by default? In that case, do I need to use MD5 both in my Java application and in the database, or is it possible to do it only in the database? Thanks!

  • The type of encryption that protects passwords is called a hash. The idea is not to save the password itself in the database, but the result of applying a "one-way" function to the password (i.e. easy to do, hard to undo). To check later whether the password is correct, you hash it again and compare the results. In practice you will want to use "strong" hashes like PBKDF2, bcrypt or scrypt, but for the purpose of this exercise you can use whatever the database itself offers you; I don't see the need to go much further. But if you can, try using a salt; this will be important later "in the real world".

2 answers



In Postgres you can encrypt a string manually with database functions.

For example, the md5(varchar) function:

INSERT INTO usuario (id, nome, senha) VALUES (1, 'Joao',md5('123'));

Doing a SELECT, we get:

1   "Joao"   "202cb962ac59075b964b07152d234b70"
  • It is good to remember that md5 is an extremely weak algorithm, breakable in a matter of seconds.

  • No doubt about it! There are several websites across the network with MD5 decryptors. It is interesting to have a look at this link: http://www.postgresql.org/docs/8.1/static/encryption-options.html

  • It also has pgcrypto, which is a plugin for the database. http://www.postgresql.org/docs/current/static/pgcrypto.html

  • @Joãofelipegonçalves It is good to distinguish between the passwords of the database's own users and the passwords of the application/website's users. The first link refers to the encryption options for the first case, which is reasonable, because it is impracticable to give comprehensive protection to DB users, so MD5 by default is just there to provide a bit of "obscuring", and nothing else. To really protect yourself against offline attacks, a more robust solution is necessary. For learning purposes, however, it doesn't matter: an MD5 (preferably with a salt) is good enough.


To encrypt a password or any other string, you can do it either in the application or in the database. Here I will deal with SHA1 and MD5, but the latter is no longer recommended; see How to hash passwords securely?.

PostgreSQL

MD5

SELECT md5(senha);

SHA1

The md5 function is available in your database out of the box, but SHA1 is not. To use it, the pgcrypto extension must be created (with its schema selected), after which the digest function can be used; it also supports algorithms other than SHA1.

CREATE EXTENSION pgcrypto;
SELECT encode(digest('senha', 'sha1'), 'hex');

MySQL

MD5

SELECT md5('senha');

SHA1

SELECT sha1('senha');

Java

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// MD5
String criptografadaMd5 = criptografar("123456", "MD5");
// SHA1 ("SHA1" is a provider alias for the standard name "SHA-1")
String criptografadaSha1 = criptografar("123456", "SHA1");

// Returns the lowercase hex digest of the input under the named algorithm
// (an unsalted, single-pass hash, the same thing md5()/sha1() produce in the database).
public static String criptografar(String input, String tipoAlgoritmo) throws NoSuchAlgorithmException {
    MessageDigest mDigest = MessageDigest.getInstance(tipoAlgoritmo);
    // Fix the charset explicitly; getBytes() without one depends on the platform default
    byte[] result = mDigest.digest(input.getBytes(StandardCharsets.UTF_8));
    StringBuilder sb = new StringBuilder(result.length * 2);
    for (byte b : result) {
        // (b & 0xff) + 0x100 guarantees three hex digits; dropping the first leaves a zero-padded pair
        sb.append(Integer.toString((b & 0xff) + 0x100, 16).substring(1));
    }
    return sb.toString();
}
