
Password encryption

A site's FTP password is encrypted following a pattern similar to the one described in http://www.jasypt.org/howtoencryptuserpasswords.html, with a few exceptions described below. The JASYPT library (version 1.9.1) is used to encrypt/decrypt the FTP passwords.

Encrypt passwords using two-way techniques

Two-way (reversible) encryption is used because the application needs to decrypt the password saved in the database in order to send it to the FTP server for authentication.

Hence a digest is NOT created; rather, a BASE64-encoded string of the encrypted password is saved in the database. StandardPBEStringEncryptor is used to encrypt the FTP password. This class avoids byte-conversion problems caused by different platforms having different default charsets, and returns encryption results in the form of BASE64-encoded Strings. This class is thread-safe.

Encryptor

    import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

    // Create the encryptor
    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();

Using a SALT

The salt is a sequence of bytes that is added to the FTP password before it is encrypted into a BASE64-encoded String. The salt consists of 2 parts:

  • Fixed Salt: This sequence of characters is stored in the code base (e.g., compiled into the JAR file) and appended to every password before it is encrypted/decrypted.

    // Fixed part of the salt, compiled into the application JAR
    private final static String ENCRYPTION_PASSWORD_SALT = "dsfds#$%FD$#%#$%##$%#$%$%^DFHGSEDF";

  • Random Salt: A random sequence of characters generated for each password. This random set of characters is stored in the database. This decouples the encryption of each password from the others.

    import java.math.BigInteger;
    import java.security.SecureRandom;

    // Cryptographically strong source for the random salt
    private static final SecureRandom random = new SecureRandom();

    // Returns a random 130-bit value rendered as a base-32 string
    public static String nextSessionId() {
        return new BigInteger(130, random).toString(32);
    }

This random salt will be different for each FTP site. It is stored in the portal database (MS SQL Server) in a column in the table with columns containing the account name and encrypted password for each FTP site.

Encryption Algorithm

RandomSaltGenerator [org.jasypt.salt] is used as the salt generator. By default it uses the "SHA1PRNG" secure random algorithm to generate the salt bytes.

Random SALT

    import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
    import org.jasypt.salt.RandomSaltGenerator;

    EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig(); // create the config
    config.setSaltGenerator(new RandomSaltGenerator()); // pass the random salt generator
    String fixedSalt = ENCRYPTION_PASSWORD_SALT;
    String randomSalt = nextSessionId();
    config.setPassword(fixedSalt + randomSalt); // the combined string is the PBE password

Iterate the function

The iteration count refers to the number of times that the hash function with which we are encrypting is applied to its own results. Here, the function is applied 4000 times.

    config.setKeyObtentionIterations(4000);
    encryptor.setConfig(config); // attach the config to the encryptor created above

Finally Encrypt/Decrypt

Finally, the password is encrypted to, and decrypted from, the BASE64-encoded string using the encrypt/decrypt methods of the StandardPBEStringEncryptor class.
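The whole procedure above, assembled into one runnable class as an added example (not the post's own code). It assumes jasypt 1.9.1 on the classpath, the hypothetical class name FtpPasswordVault, a placeholder fixed salt, and an in-memory map standing in for the database row that holds each site's random salt next to its encrypted password:

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.salt.RandomSaltGenerator;

public class FtpPasswordVault {
    // Fixed part, compiled into the JAR (placeholder, not the post's real value)
    private static final String FIXED_SALT = "REPLACE_WITH_FIXED_SALT";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Stand-in for the DB table: site -> {randomSalt, encryptedPassword}
    private final Map<String, String[]> rows = new HashMap<>();

    static String newRandomSalt() {
        return new BigInteger(130, RANDOM).toString(32);
    }

    // Configure the encryptor as the post does: fixed + random salt form the PBE password
    static StandardPBEStringEncryptor encryptorFor(String randomSalt) {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setSaltGenerator(new RandomSaltGenerator());
        config.setPassword(FIXED_SALT + randomSalt);
        config.setKeyObtentionIterations(4000);
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    public void store(String site, String ftpPassword) {
        String randomSalt = newRandomSalt();
        String encrypted = encryptorFor(randomSalt).encrypt(ftpPassword); // BASE64 output
        rows.put(site, new String[] {randomSalt, encrypted}); // salt must be persisted too
    }

    public String load(String site) {
        String[] row = rows.get(site);
        if (row == null) throw new IllegalArgumentException("unknown site: " + site);
        return encryptorFor(row[0]).decrypt(row[1]); // rebuild with the stored random salt
    }

    public static void main(String[] args) {
        FtpPasswordVault vault = new FtpPasswordVault();
        vault.store("ftp.example.test", "s3cret"); // constructed sample site and password
        // Decrypting requires both the compiled-in fixed salt and the per-site random salt
        System.out.println(vault.load("ftp.example.test"));
    }
}
```

Losing either half of the PBE password (the compiled-in fixed string or the per-site random salt row) makes the stored ciphertext undecryptable, so both need to be backed up alongside the database.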
