Hi everybody!
For a current project, I have a Servlet and a Client and they communicate via HTTP. Now the Client has to login and therefore must send a username and a password.
I have 3 questions:
- How much (if at all) does HTTPS encrypt data which is sent to and from it?
- Can HTTPS be accessed in the same way as HTTP? (With a java.net.URLConnection)
- Which Java classes can be used to manually encrypt and decrypt the password, and how are they used? (Small examples would be great!)
A partial answer would be fine too! ^^
Hm, as nobody seems to be answering, I'll just change the question (although feel free to answer the original questions ^^):
Does anyone have any experience using the javax.security package? Is that package a good idea or are there better solutions, when all I want to do is encrypt a password within the client and decrypt it in the server?
Why don't you use a one-way encryption? Let E(x) == y be a one-way encryption
function, i.e. given the key x it is quite easy to produce an encrypted version y,
but given y it is (almost) impossible to find x again.
Your database/server stores the y values, while the client produces a value y
given a value x and sends y over the wire to the server.
The MessageDigest class can be of help here for the encryption purposes.
kind regards,
Jos
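The one-way scheme sketched above, as an added example that is not code from the thread: E(x) is taken to be SHA-256 over the UTF-8 bytes of x rendered as hex (the thread names only MessageDigest, so the choice of algorithm and encoding is an assumption), the "database" is an in-memory map, and the user and password are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/** One-way login as sketched above: the client sends y = E(x), the server stores only y. */
public class OneWayLogin {

    /** E(x): SHA-256 over the UTF-8 bytes of x, rendered as lowercase hex (our choice of E). */
    static String oneWay(String x) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] y = md.digest(x.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(y.length * 2);
            for (byte b : y) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // Every Java implementation must provide SHA-256, so this cannot happen in practice.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Server-side store of y values per user (an in-memory stand-in for the database). */
    private final Map<String, String> storedY = new HashMap<>();

    /** Server: record E(password) for a user; the plain password is never kept. */
    void register(String user, String password) {
        storedY.put(user, oneWay(password));
    }

    /** Server: compare the y received from the client with the stored y in constant time. */
    boolean login(String user, String yFromClient) {
        String expected = storedY.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                yFromClient.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        OneWayLogin server = new OneWayLogin();
        server.register("alice", "correct horse battery staple");   // constructed sample user

        // Client side: compute y from the typed password and send only y over the wire.
        String yOnTheWire = oneWay("correct horse battery staple");
        System.out.println("right password accepted: " + server.login("alice", yOnTheWire));
        System.out.println("wrong password accepted:  " + server.login("alice", oneWay("guess")));
    }
}
```

Two things to keep in mind when using this: the y that crosses the wire is now the credential itself, so anyone who captures it can replay it, and an unsalted SHA-256 of a password can be brute-forced offline from the stored y. The scheme keeps the server from learning x; it does not replace encryption of the transport.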
Why don't you use a one-way encryption?
The username and password should be checked by an external application and there will be loads of users. As I have no influence on the external application, I have to decrypt the password within the Server. Or did I misunderstand your suggestion?
Is that external application capable of adding new users? If so, you feed it with
the values E(user), E(password) and simply do the one-way encryption on the
clients. The external application couldn't care less what exactly it compares
and the user,password pairs are sent encrypted over the wire. There's no
need for decryption.
kind regards,
Jos
Is that external application capable of adding new users? If so, you feed it with the values E(user), E(password) and simply do the one-way encryption on the clients. The external application couldn't care less what exactly it compares and the user,password pairs are sent encrypted over the wire. There's no need for decryption.
Hm, it's a thought, but I don't know if it's possible. The external application already has a database, and having every user twice (as it is used by several other applications) wouldn't be optimal. Also, adding every existing user with encrypted data would probably be a time-consuming task, as it is a format specially designed for this particular database (as far as I know), and probably the application doesn't implement adding a series of users. I'll just have to find out about all of this.
Anyway, further suggestions are welcome! ^^
Well, you could try to use a secure socket layer or the https protocol ...
kind regards,
Jos
Well, you could try to use a secure socket layer or the https protocol ...
...which brings me back to the questions:
- How much (if at all) does HTTPS encrypt data which is sent to and from it?
- Can HTTPS be accessed in the same way as HTTP? (With a java.net.URLConnection)
And no, I don't think that I could use SSL, as the server runs as a servlet on Tomcat and I'm not supposed to use any other ports than the HTTP standard 80 and possibly the Tomcat standard 8080, as others are often blocked. (And, although I guess people could change those settings, those people often don't.)
Well, then you're stuck with doing the encryption yourself. Tomcat can do
a bit of encryption for usernames and passwords (base64) but the encryption
is almost deciphered when you even look at it for a bit.
If the Servlet is yours keep track of an ever changing magic number and send it
to the client when it hits the login page (hide it in a hidden field). The server keeps
that number in its session object. The client uses that number to encrypt the
data and send it to the server; the server also knows that number (it's in the
session object) and decrypts the data again.
That magic number could be any random number supplied by, say, the Random
class. If the data happens to be incorrect, the server destroys the session object.
kind regards,
Jos
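The magic-number scheme described in the reply above, worked out as an added example that is not code from the thread. The number is 16 bytes from SecureRandom (the reply says Random; SecureRandom is our substitution) and is used directly as an AES-128 key; the client sends base64(iv || AES-GCM ciphertext); the session store is an in-memory map standing in for HttpSession; the session id and password are constructed sample values. The number is consumed on the first use, so a replay of the same field fails.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** The "magic number in a hidden field" scheme: the number is the AES key for one login attempt. */
public class MagicNumberLogin {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int KEY_BYTES = 16;   // AES-128
    private static final int IV_BYTES = 12;    // standard GCM nonce length
    private static final int TAG_BITS = 128;

    /** Stand-in for the servlet's HttpSession objects: session id -> magic number. */
    private final Map<String, byte[]> sessions = new HashMap<>();

    /** Server, when the login page is served: mint a fresh number, park it in the session,
     *  and return the value that goes into the hidden field. */
    String issueMagicNumber(String sessionId) {
        byte[] magic = new byte[KEY_BYTES];
        RNG.nextBytes(magic);
        sessions.put(sessionId, magic);
        return Base64.getEncoder().encodeToString(magic);
    }

    /** Client: use the hidden field as an AES key and send base64(iv || ciphertext || tag). */
    static String clientEncrypt(String hiddenField, String password) throws GeneralSecurityException {
        byte[] key = Base64.getDecoder().decode(hiddenField);
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] wire = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(wire);
    }

    /** Server: decrypt with the number kept in the session. The number is consumed either way;
     *  any failure (unknown session, malformed field, bad GCM tag) leaves the session without
     *  a number (a real servlet would call HttpSession.invalidate()) and yields null. */
    String serverDecrypt(String sessionId, String wireField) {
        byte[] key = sessions.remove(sessionId);
        if (key == null) {
            return null;
        }
        try {
            byte[] wire = Base64.getDecoder().decode(wireField);
            if (wire.length < IV_BYTES + TAG_BITS / 8) {
                return null;
            }
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, wire, 0, IV_BYTES));
            byte[] plain = cipher.doFinal(wire, IV_BYTES, wire.length - IV_BYTES);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;   // tampered, truncated or wrong key: reject
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        MagicNumberLogin server = new MagicNumberLogin();
        String hidden = server.issueMagicNumber("JSESSIONID-1");   // GET /login
        String field = clientEncrypt(hidden, "s3cret");             // browser submits the form
        System.out.println("server recovered: " + server.serverDecrypt("JSESSIONID-1", field));
        System.out.println("replay of same field: " + server.serverDecrypt("JSESSIONID-1", field));
    }
}
```

The caveat a practitioner needs before deploying this: the number travels to the client in the clear inside the login page, so anyone who can read that response can also decrypt the password that comes back. What the scheme buys is freshness (an old ciphertext cannot be replayed once the number is gone), not confidentiality against an eavesdropper on the same HTTP connection.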
Hm, I guess so. Is org.apache.commons.codec.binary.Base64 a good choice? I will however encrypt it further, and as nobody knows what algorithm I'm using (while anyone can use the Base64 codec), that should enhance safety quite a lot, shouldn't it?
You'd better. Base64 encrypting isn't really encrypting; it's merely encoding the
data into readable (ASCII) characters. See my previous reply for a nice encrypting
trick (if applicable to your situation).
About that Base64 stuff: there are lots of en/decoders available; everybody seems
to find it interesting to build that functionality.
kind regards,
Jos