I need to do data encryption in a user authentication session, and I would like to know the best, and safest way to work with Java encryption. If it's using Salt, MD5, AES, SHA, or other? What API's recommended for this job? What are the advantages and disadvantages of each mode of encrypting the data.
Encryption with Java
3
asked by anonymous 17.07.2014 / 15:23
2 answers
3
From what I read in your comments, the encryption will serve a Web system developed in Java. Ever heard of the framework Spring Security ? It enables you to implement authentication rules and access controls in a relatively simple way. I myself have already developed a Java Web system with login and access controls using as encryption the bCrypt , which is much better than the MD5 that is getting (or already is) obsolete.
17.07.2014 / 16:15
3
I do not quite understand how you are doing your session, if it is by HEADER Basic at every request.
Ex: HTTP Authentication Basic MD5 (username: password)
If it is, I would advise using the flow password of the OAUTH2 .
That nothing is more than persisting the user session in a database and traffic an identifier instead of access data, of course with some endpoint name conventions and parameters.
Now regarding the encryption methods I would definitely indicate bcrypt.
Why?
MD5 always generates the same hash, ie if you cryptograph a value, the hash for this value will always be the same, this facilitates the attacker who with some effort can go hashing until it reaches its value.
example:
Se eu fizer o hasg desse texto:
MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
Se fizer denovo, da o mesmo valor:
MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
Bcrypt always generates a different hash, which when compared to another generated hash it returns whether it is valid or not.
example:
Se eu fizer o hash desse texto:
Bcrypt("The quick brown fox jumps over the lazy dog") = "$2a$10$o2o0OMLJh4M6EQuF9Tk/Ceidt/JSFOpPzNl6WSIQV9ip.VyrlW8py"
Se eu fizer denovo, o valor sai diferente:
Bcrypt("The quick brown fox jumps over the lazy dog") = "$83e912b45ea3cbd8f99163323dt/JSFOpPzNl6WSIQV9ip.1313aC"
Mas se você comprar os dois atraves de uma função do Bcrypt
Bcrypt.compare("$83e912b45ea3cbd8f99163323dt/JSFOpPzNl6WSIQV9ip.1313aC", "$2a$10$o2o0OMLJh4M6EQuF9Tk/Ceidt/JSFOpPzNl6WSIQV9ip.VyrlW8py") == true
Basic conclusion, comparing the hash through a (purposely) slow function, makes it very difficult and slow for the attacker to arrive at the correct value, then preferably to bcrypt or some comparison algorithm for stealth data.
20.08.2014 / 23:50