I generate a key and use the doFinal() from the Cipher class to encrypt the password/username. Now, when the user wants to log in, he inputs UN and PW, then I take them. What is the process I need to do so I compare the input to the database I saved the encrypted data in?
Writing this question I feel stupid, but the truth is I am really new to this and my information could be remote from right, so please move on to explaining and pass the "what are you talking about" part.
Now the code I used:
```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

// Assumes a Users class with the getters/constructor used below (not shown in the post)
public class Safety {
    public static Users encryptUser(Users user) {
        Users usera = user;
        try {
            // KeyGenerator takes the bare algorithm name; "AES/CBC/PKCS5Padding" is a Cipher transformation
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            Key key = kg.generateKey();
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // CBC without an explicit IV: the provider picks a random IV (cipher.getIV()).
            // Neither the key nor the IV is stored anywhere, so nothing produced here can be decrypted later.
            cipher.init(Cipher.ENCRYPT_MODE, key);
            String fNE = encryptField(cipher, user.getFirstname());
            String lNE = encryptField(cipher, user.getLastname());
            String userNameE = encryptField(cipher, user.getUsername());
            String passWordE = encryptField(cipher, user.getPassword());
            String eME = encryptField(cipher, user.getEmail());
            String sQE = encryptField(cipher, user.getsQ());
            String sAE = encryptField(cipher, user.getsA());
            Users usere = new Users(fNE, lNE, userNameE, passWordE, eME, sQE, sAE, user.getUserID());
            return usere;
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return usera;
    }

    // Ciphertext is arbitrary bytes, not UTF-8 text; decoding it with new String(..., "UTF-8") corrupts it.
    // Base64 keeps the bytes intact inside a String.
    private static String encryptField(Cipher cipher, String plaintext) throws Exception {
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    public static String decryptuser(Users user) {
        //what should I do here exactly?
        // (without the key and IV used above there is nothing to decrypt with)
        throw new UnsupportedOperationException("key and IV were never stored");
    }
}
```
After a little research and work, this is what I have come up with:
```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Assumes a Users class with getPassword/setPassword, getsA/setsA, getUsername,
// setUserhash/getUserhash and setSahash (not shown in the post)
public class Safety {
    public static final String algorithm = "PBKDF2WithHmacSHA1";
    public static final int saltbytesize = 24;
    public static final int hashbytesize = 24;
    public static final int iterations = 1000;
    public static final int iIndex = 0;
    public static final int sIndex = 1;
    public static final int pbkIndex = 2;

    // Hashes the password and the security answer, each with its own random salt.
    // The salts are stored on the user object (userhash / sahash) so they can be reused at login.
    public static Users passwordHash(Users user) throws NoSuchAlgorithmException, InvalidKeySpecException {
        SecureRandom sR = new SecureRandom();
        byte[] pws = new byte[saltbytesize];
        sR.nextBytes(pws);
        byte[] pwh = pbkdf2(user.getPassword().toCharArray(), pws, iterations, hashbytesize);
        user.setPassword(toHex(pwh));
        byte[] sas = new byte[saltbytesize];
        sR.nextBytes(sas);
        byte[] sah = pbkdf2(user.getsA().toCharArray(), sas, iterations, hashbytesize);
        user.setsA(toHex(sah));
        user.setUserhash(pws);
        user.setSahash(sas);
        return user;
    }

    // Re-derives the hash from the submitted password and the stored salt, then compares.
    public static boolean hashpassword(String username, String password, Users user)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] pws = user.getUserhash();
        byte[] pwh = pbkdf2(password.toCharArray(), pws, iterations, hashbytesize);
        byte[] searcher = (toHex(pwh) + username).getBytes();
        byte[] searched = (user.getPassword() + user.getUsername()).getBytes();
        // MessageDigest.isEqual compares in constant time; String.equals leaks the position of the first mismatch
        return MessageDigest.isEqual(searcher, searched);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        // PBEKeySpec takes the key length in bits
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
        SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
        return skf.generateSecret(spec).getEncoded();
    }

    // Hex-encodes a byte array, left-padding with zeros so the length is always array.length * 2
    private static String toHex(byte[] array) {
        BigInteger bi = new BigInteger(1, array);
        String hex = bi.toString(16);
        int paddingLength = (array.length * 2) - hex.length();
        if (paddingLength > 0)
            return String.format("%0" + paddingLength + "d", 0) + hex;
        else
            return hex;
    }
}
```
And this is great for now. However, I'd like to make it work with SHA512. How can I do that?
You should not encrypt the password, you should hash it with the user name and a salt.
See Why should I hash passwords?