From: Daniel F. <dfe...@us...> - 2011-10-01 17:13:10
|
Hello everyone,
Jasypt has now a user forum at http://forum.jasypt.org, much easier to use than the old mailing lists and with a lot of interesting features.
This mailing list is therefore being closed and no further posting will be allowed.
The mailing list archives will be still accessible at: http://old.nabble.com/Jasypt---Users-f21330.html
Regards,
Daniel.
|
|
From: bwfrieds <ben...@gm...> - 2011-09-08 18:30:18
|
SOLVED
The problem was resolved after a reboot.
bwfrieds wrote:
>
> Anyone have guesses on where I messed this up? I have a system
> environment variable set, containing the passphrase to decrypt the
> encrypted datasource password. I'm using Spring 3 on java 6.
>
> 2011-09-08 11:24:44,012 ERROR [org.springframework.batch.core.launch.support.CommandLineJobRunner] - <Job Terminated in error: null>
> java.lang.NullPointerException
> at org.jasypt.encryption.pbe.config.SimplePBEConfig.getPasswordCharArray(SimplePBEConfig.java:434)
> at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.resolveConfigurationPassword(StandardPBEByteEncryptor.java:740)
> at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.initialize(StandardPBEByteEncryptor.java:590)
>
--
View this message in context: http://old.nabble.com/1.8-working-on-Windows-7---tp32426018p32426135.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: bwfrieds <ben...@gm...> - 2011-09-08 18:11:40
|
Anyone have guesses on where I messed this up? I have a system environment variable set, containing the passphrase to decrypt the encrypted datasource password. I'm using Spring 3 on java 6.
2011-09-08 11:24:44,012 ERROR [org.springframework.batch.core.launch.support.CommandLineJobRunner] - <Job Terminated in error: null>
java.lang.NullPointerException
at org.jasypt.encryption.pbe.config.SimplePBEConfig.getPasswordCharArray(SimplePBEConfig.java:434)
at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.resolveConfigurationPassword(StandardPBEByteEncryptor.java:740)
at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.initialize(StandardPBEByteEncryptor.java:590)
--
View this message in context: http://old.nabble.com/1.8-working-on-Windows-7---tp32426018p32426018.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Daryl S. <dar...@op...> - 2011-09-06 11:56:22
|
On Mon, Sep 5, 2011 at 11:31 AM, Eldon <el...@gm...> wrote:
I think the example given is misleading. I think it should work like this:
<code>
> StrongPasswordEncryptor passwordEncryptor = new StrongPasswordEncryptor();
>
> if (passwordEncryptor.checkPassword(plainPwd, pwdStored)) {
> "true";
> } else {
> "false";
> }
> </code>
--
Daryl Stultz
_____________________________________
6 Degrees Software and Consulting, Inc.
http://www.6degrees.com
http://www.opentempo.com
mailto:dar...@op...
|
|
From: Joe H. <jhi...@gm...> - 2011-09-06 11:45:11
|
The StrongPasswordEncryptor uses a random salt value to encrypt the
password. This will make the encrypted value different every time you
generate it which is why your comparison of the encrypted values is not
working.
To check that the password is the same, use the checkPassword() method:
<code>
final boolean passwordMatches = new
StrongPasswordEncryptor().checkPassword(plainPassword, encPassword);
</code>
Hope this helps,
Joe Hindsley
On 09/05/2011 11:31 AM, Eldon wrote:
> +------------------------+
> Jasypt Users List
> http://www.jasypt.org
> +------------------------+
>
> Dear Joe Hindsley,
>
> I do what you say: I am using checkPassword() to verify if the password
> entered matches the password stored in my database. I put a password
> in the database using
> <code>
> StrongPasswordEncryptor passwordEncryptor = new StrongPasswordEncryptor();
> String encryptPwd = passwordEncryptor.encryptPassword(plainpwd);
> </code>
> and after user's login I try
> <code>
> StrongPasswordEncryptor passwordEncryptor = new StrongPasswordEncryptor();
> String encryptedPassword = passwordEncryptor.encryptPassword(pwdStored);
>
> if (passwordEncryptor.checkPassword(plainPwd, encryptedPassword)) {
> "true";
> } else {
> "false";
> }
> </code>
> The return was "false"
>
>
>
>
>
> Joe Hindsley wrote:
>>
>> Hi Carlo,
>>
>> The Encrypting Passwords page has code examples:
>>
>> http://www.jasypt.org/encrypting-passwords.html
>>
>> Each time you encrypt the password with the StrongPasswordEncryptor, you
>> will get a different digest value (this is because a random salt value
>> is used each time). So comparing two values encrypted with the
>> StrongPasswordEncryptor will not work. Instead, use the checkPassword()
>> method which takes the plain text password and the already digested
>> password as arguments. This method will use the salt of the already
>> digested password to digest the plain text password and compare the
>> results.
>>
>> Hope this helps,
>>
>> Joe Hindsley
>>
>>
>> Carlo Camerino wrote:
>>> hi,
>>>
>>> how can i use strongpasswordencryptor to encrypt a password and then
>>> compare it with another password which i encrypted using a
>>> strongpasswordencryptor as well..
>>>
>>>
>>> from my experience,
>>>
>>> i try to use matches but it doesn't seem to work for this ....
>>>
>>> Can anyone explain the output of a strongpasswordencryptor?
>>>
>>> like where is the salt located etc....
>>>
>>> Thanks A Lot
>>> Carlo
>>> _______________________________________________
>>> jasypt-users mailing list
>>> jas...@li...
>>> https://lists.sourceforge.net/lists/listinfo/jasypt-users
|
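The behaviour discussed in this thread, as an added example that is not Jasypt's code and not code from any poster: a JDK-only salted, iterated digest that stores the random salt in front of the hash, so a check has to reuse the stored salt instead of digesting again. The class name, SHA-256, the 16-byte salt and the 100,000 iterations are assumptions chosen for the illustration; the output is not claimed to be compatible with StrongPasswordEncryptor.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Added illustration (hypothetical class); parameter values are assumptions. */
public class SaltedDigestDemo {

    private static final int SALT_BYTES = 16;      // assumed salt length
    private static final int ITERATIONS = 100_000; // assumed iteration count
    private static final SecureRandom RANDOM = new SecureRandom();

    /** First round hashes salt || password, every later round re-hashes the result. */
    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            byte[] d = md.digest(password.getBytes(StandardCharsets.UTF_8));
            for (int i = 1; i < ITERATIONS; i++) {
                d = md.digest(d);
            }
            return d;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available on every JVM", e);
        }
    }

    /** Draws a fresh random salt and returns Base64(salt || digest). */
    static String encryptPassword(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] hash = digest(salt, password);
        byte[] out = new byte[salt.length + hash.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(hash, 0, out, salt.length, hash.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reads the salt back out of the stored value and recomputes with it. */
    static boolean checkPassword(String plain, String stored) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored);
        } catch (IllegalArgumentException e) {
            return false; // stored value is not valid Base64
        }
        if (raw.length <= SALT_BYTES) {
            return false; // too short to hold a salt and a digest
        }
        byte[] salt = Arrays.copyOfRange(raw, 0, SALT_BYTES);
        byte[] expected = Arrays.copyOfRange(raw, SALT_BYTES, raw.length);
        // MessageDigest.isEqual compares in constant time
        return MessageDigest.isEqual(expected, digest(salt, plain));
    }

    public static void main(String[] args) {
        String plainPwd = "correct horse (constructed sample)";

        // Registration: digest once and store the result.
        String pwdStored = encryptPassword(plainPwd);

        // Two digests of one password differ, because each draws a fresh salt.
        System.out.println("digests equal:      " + pwdStored.equals(encryptPassword(plainPwd)));

        // Login: check the typed password against the stored digest.
        System.out.println("check vs stored:    " + checkPassword(plainPwd, pwdStored));
        System.out.println("wrong password:     " + checkPassword("not it", pwdStored));

        // The mistake from the thread: digesting the stored digest again gives a
        // digest of the digest string, which the plain password cannot match.
        String reDigested = encryptPassword(pwdStored);
        System.out.println("check vs re-digest: " + checkPassword(plainPwd, reDigested));
    }
}
```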
|
From: Eldon <el...@gm...> - 2011-09-05 15:31:52
|
Dear Joe Hindsley,
I do what you say: I am using checkPassword() to verify if the password
entered matches the password stored in my database. I put a password
in the database using
<code>
StrongPasswordEncryptor passwordEncryptor = new StrongPasswordEncryptor();
String encryptPwd = passwordEncryptor.encryptPassword(plainpwd);
</code>
and after user's login I try
<code>
StrongPasswordEncryptor passwordEncryptor = new StrongPasswordEncryptor();
String encryptedPassword = passwordEncryptor.encryptPassword(pwdStored);
if (passwordEncryptor.checkPassword(plainPwd, encryptedPassword)) {
"true";
} else {
"false";
}
</code>
The return was "false"
Joe Hindsley wrote:
>
> Hi Carlo,
>
> The Encrypting Passwords page has code examples:
>
> http://www.jasypt.org/encrypting-passwords.html
>
> Each time you encrypt the password with the StrongPasswordEncryptor, you
> will get a different digest value (this is because a random salt value
> is used each time). So comparing two values encrypted with the
> StrongPasswordEncryptor will not work. Instead, use the checkPassword()
> method which takes the plain text password and the already digested
> password as arguments. This method will use the salt of the already
> digested password to digest the plain text password and compare the
> results.
>
> Hope this helps,
>
> Joe Hindsley
>
>
> Carlo Camerino wrote:
>> hi,
>>
>> how can i use strongpasswordencryptor to encrypt a password and then
>> compare it with another password which i encrypted using a
>> strongpasswordencryptor as well..
>>
>>
>> from my experience,
>>
>> i try to use matches but it doesn't seem to work for this ....
>>
>> Can anyone explain the output of a strongpasswordencryptor?
>>
>> like where is the salt located etc....
>>
>> Thanks A Lot
>> Carlo
--
View this message in context: http://old.nabble.com/Question-on-How-To-Use-StrongPasswordEncryptor-tp30719062p32401933.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: biranb <bs...@gm...> - 2011-09-05 08:48:24
|
Hello,
Has anyone got this working on Android?
thanks
--
View this message in context: http://old.nabble.com/Android-tp32399484p32399484.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Daryl S. <dar...@op...> - 2011-09-02 18:53:45
|
Hello,
I just discovered Jasypt today. It seems clear that I will use it for password digesting. I also have a need to encrypt text in a database, PostgreSQL. I do not have the pgcrypto module available but expect to someday and would like to switch to that for handling D/E. I'd like to use the pgp_sym_encrypt/decrypt functions described here:
http://www.postgresql.org/docs/8.3/static/pgcrypto.html
I know that Bouncy Castle implements PGP but I can't seem to find anything on using a symmetrical key which I believe is the same thing as "PBE", yes? I'd like to know if Jasypt perhaps in conjunction with Bouncy Castle can encrypt/decrypt text in a way that PostgreSQL's pgp_sym_encrypt/decrypt functions are compatible with.
Thanks.
(message resent, first was before list membership confirmed)
--
Daryl Stultz
_____________________________________
6 Degrees Software and Consulting, Inc.
http://www.6degrees.com
http://www.opentempo.com
mailto:dar...@op...
|
|
From: Daryl S. <dar...@op...> - 2011-09-02 18:32:43
|
Hello,
When using
BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
textEncryptor.setPassword(myEncryptionPassword);
or
StrongTextEncryptor textEncryptor = new StrongTextEncryptor();
textEncryptor.setPassword(myEncryptionPassword);
what is the best practice for creating myEncryptionPassword? Should I just use my mother's maiden name? A passphrase (Mary Had a Little Lamb)? Or should I use some utility to generate a random string of characters of a certain length?
Also, what's the comparative computational cost between Basic and Strong? I suppose I could figure that out, but how about the comparative strength? When would it be prudent to use Strong over Basic?
Thanks!
--
Daryl Stultz
_____________________________________
6 Degrees Software and Consulting, Inc.
http://www.6degrees.com
http://www.opentempo.com
mailto:dar...@op...
|
|
From: zekas <bou...@ya...> - 2011-08-15 19:10:46
|
Hi,
I'm using the EnvironmentStringPBEConfig with Spring and everything is working perfectly. I guess my only concern is that the password is there in open text as a JVM property. Sure it's somewhat hidden but doesn't it make sense to encrypt this password too? We have a framework now that does the same thing using base64.
Any thoughts or ideas? It would be ideal to have my variable in the JVM look like
-DAPP_ENCRYPTION_PASSWORD=<encrypted_password>
--
View this message in context: http://old.nabble.com/EnvironmentStringPBEConfig-passwordSysPropertyName-in-open-text--Encrypt-it--tp32266671p32266671.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Shaun S. <sen...@gm...> - 2011-08-10 09:48:24
|
I don't know if anyone else will find this useful or not, but I have put
together an implementation of a cascading encryptor (so you can use multiple
ciphers). If the maintainers think this is something that could be useful,
hopefully they will include it in future versions. I have attached the
source file, and will include the bulk of its text here (in case attachments
don't go through the list).
The basic idea is that you call addLayer(...) once for each layer of
encryption you would like to add. This must be done before initialize() is
called. The specified password will be used to generate a key for each
layer of encryption (the same key isn't used for more than one layer)
according to PKCS5's PBKDF2.
If you see any bugs in the code, please let me know so I can make the
appropriate corrections! Thanks
/**
* copied from {@link org.jasypt.encryption.pbe.StandardPBEByteEncryptor} and
* modified to fit the purpose
*
* @author senecaso
*/
public class CascadingPBEByteEncryptor implements PBEByteEncryptor {
private class Layer {
private final String algorithm;
private final int keySize;
private Cipher encryptCipher;
private Cipher decryptCipher;
public Layer(String algorithm, int keySize) {
this.algorithm = algorithm;
this.keySize = keySize;
}
public String getAlgorithm() {
return algorithm;
}
public int getKeySize() {
return keySize;
}
}
/**
* HMAC that will be used as the PRG for key data generation as per PKCS#5
*/
private static final String PBKDF2_PRF = "HmacSHA256";
private static final String DEFAULT_SECURE_RANDOM_ALGORITHM =
"SHA1PRNG";
private static final String CIPHER_CONFIG = "/CBC/PKCS5Padding";
/**
* The default number of hashing iterations applied for obtaining the
* encryption key from the specified password, set to 100000.
*/
public static final int DEFAULT_KEY_OBTENTION_ITERATIONS = 100000;
/**
* The default salt size, only used if the chosen encryption algorithm is
* not a block algorithm and thus block size cannot be used as salt size.
*/
public static final int DEFAULT_SALT_SIZE_BYTES = 16;
// represents the layers of encryption used in the cascade
private final List<Layer> layers = new ArrayList<Layer>();
private String providerName = null;
private Provider provider = null;
// Password to be applied. This will NOT have a default value. If none
// is set during configuration, an exception will be thrown.
private String password = null;
// Number of hashing iterations to be applied for obtaining the encryption
// key from the specified password.
private int keyObtentionIterations = DEFAULT_KEY_OBTENTION_ITERATIONS;
// SaltGenerator to be used. Initialization of a salt generator is costly,
// and so default value will be applied only in initialize(), if it finally
// becomes necessary.
private SaltGenerator saltGenerator = null;
private String pbkdf2PRG = PBKDF2_PRF;
private final SecureRandom rand;
/*
* Flag which indicates whether the encryptor has been initialized or not.
*
* Once initialized, no further modifications to its configuration will be
*/
private boolean initialized = false;
/**
* Creates a new instance of <tt>StandardPBEByteEncryptor</tt>.
*/
public CascadingPBEByteEncryptor() {
super();
try {
rand =
SecureRandom.getInstance(DEFAULT_SECURE_RANDOM_ALGORITHM);
} catch (NoSuchAlgorithmException e) {
throw new EncryptionInitializationException(e);
}
}
/**
* <p>
* add a new cipher layer to the cascade. All ciphers will be run using CBC with PKCS5 padding.
* </p>
* <p>
* This algorithm has to be supported by your JCE provider (if you specify
* one, or the default JVM provider if you don't)
* </p>
*
* @param algorithm the name of the cipher to be added (ie: AES, TwoFish, Serpent)
* @param keySize length of the key (in bits) to be used for this cipher
*/
public synchronized void addLayer(String algorithm, int keySize) {
CommonUtils.validateNotEmpty(algorithm, "Algorithm cannot be set empty");
if (keySize <= 0) {
throw new IllegalArgumentException("keySize must be a positive, non-zero integer");
}
if (isInitialized()) {
throw new AlreadyInitializedException();
}
layers.add(new Layer(algorithm, keySize));
}
/**
* <p>
* Sets the password to be used.
* </p>
* <p>
* <b>There is no default value for password</b>, so not setting this
* parameter either from a
* {@link org.jasypt.encryption.pbe.config.PBEConfig} object or from a call
* to <tt>setPassword</tt> will result in an
* EncryptionInitializationException being thrown during initialization.
* </p>
*
* @param password
* the password to be used.
*/
public synchronized void setPassword(String password) {
CommonUtils.validateNotEmpty(password, "Password cannot be set empty");
if (isInitialized()) {
throw new AlreadyInitializedException();
}
this.password = password;
}
/**
* <p>
* Set the number of hashing iterations applied to obtain the encryption
* key.
* </p>
* <p>
* This mechanism is explained in <a
* href="http://www.rsasecurity.com/rsalabs/node.asp?id=2127"
* target="_blank">PKCS #5: Password-Based Cryptography Standard</a>.
* </p>
*
* @param keyObtentionIterations
* the number of iterations
*/
public synchronized void setKeyObtentionIterations(int keyObtentionIterations) {
CommonUtils.validateIsTrue(keyObtentionIterations > 0, "Number of iterations for key obtention must be " + "greater than zero");
if (isInitialized()) {
throw new AlreadyInitializedException();
}
this.keyObtentionIterations = keyObtentionIterations;
}
/**
* <p>
* Sets the salt generator to be used. If no salt generator is specified, an
* instance of {@link org.jasypt.salt.RandomSaltGenerator} will be used.
* </p>
*
* @param saltGenerator
* the salt generator to be used.
*/
public synchronized void setSaltGenerator(SaltGenerator saltGenerator) {
CommonUtils.validateNotNull(saltGenerator, "Salt generator cannot be set null");
if (isInitialized()) {
throw new AlreadyInitializedException();
}
this.saltGenerator = saltGenerator;
}
/**
* <p>
* Sets the name of the security provider to be asked for the encryption
* algorithm. This security provider has to be registered beforehand at the
* JVM security framework.
* </p>
* <p>
* The provider can also be set with the {@link #setProvider(Provider)}
* method, in which case it will not be necessary neither registering the
* provider beforehand, nor calling this {@link #setProviderName(String)}
* method to specify a provider name.
* </p>
* <p>
* Note that a call to {@link #setProvider(Provider)} overrides any value
* set by this method.
* </p>
* <p>
* If no provider name / provider is explicitly set, the default JVM
* provider will be used.
* </p>
*
* @since 1.3
*
* @param providerName
* the name of the security provider to be asked for the
* encryption algorithm.
*/
public synchronized void setProviderName(String providerName) {
CommonUtils.validateNotNull(providerName, "Provider name cannot be set null");
if (isInitialized()) {
throw new AlreadyInitializedException();
}
this.providerName = providerName;
}
/**
* <p>
* Sets the security provider to be asked for the encryption algorithm. The
* provider does not have to be registered at the security infrastructure
* beforehand, and its being used here will not result in its being
* registered.
* </p>
* <p>
* If this method is called, calling {@link #setProviderName(String)}
* becomes unnecessary.
* </p>
* <p>
* If no provider name / provider is explicitly set, the default JVM
* provider will be used.
* </p>
*
* @since 1.3
*
* @param provider
* the provider to be asked for the chosen algorithm
*/
public synchronized void setProvider(Provider provider) {
CommonUtils.validateNotNull(provider, "Provider cannot be set null");
if (isInitialized()) {
throw new AlreadyInitializedException();
}
this.provider = provider;
}
/**
* set the name of the PRG to be used during key generation. This should be a valid HMAC name, such as
* "HmacSHA256" or "HmacMD5". If not set, the default is HmacSHA256.
* @param hmacName
*/
public synchronized void setKeyGeneratorHMAC(String hmacName) {
CommonUtils.validateNotNull(hmacName, "Key Generator must be a valid HMAC name");
if (isInitialized()) {
throw new AlreadyInitializedException();
}
pbkdf2PRG = hmacName;
}
/**
* <p>
* Returns true if the encryptor has already been initialized, false if not.
* <br/>
* Initialization happens:
* </p>
* <ul>
* <li>When <tt>initialize</tt> is called.</li>
* <li>When <tt>encrypt</tt> or <tt>decrypt</tt> are called for the first
* time, if <tt>initialize</tt> has not been called before.</li>
* </ul>
* <p>
* Once an encryptor has been initialized, trying to change its
* configuration will result in an <tt>AlreadyInitializedException</tt>
* being thrown.
* </p>
*
* @return true if the encryptor has already been initialized, false if not.
*/
public boolean isInitialized() {
return this.initialized;
}
/**
* <p>
* Initialize the encryptor.
* </p>
* <p>
* This operation will consist in determining the actual configuration
* values to be used, and then initializing the encryptor with them. <br/>
* These values are decided by applying the following priorities:
* </p>
* <ol>
* <li>First, the default values are considered (except for password).</li>
* <li>Then, if a
* <tt>{@link org.jasypt.encryption.pbe.config.PBEConfig}</tt> object has
* been set with <tt>setConfig</tt>, the non-null values returned by its
* <tt>getX</tt> methods override the default values.</li>
* <li>Finally, if the corresponding <tt>setX</tt> method has been called on
* the encryptor itself for any of the configuration parameters, the values
* set by these calls override all of the above.</li>
* </ol>
* <p>
* Once an encryptor has been initialized, trying to change its
* configuration will result in an <tt>AlreadyInitializedException</tt>
* being thrown.
* </p>
*
* @throws EncryptionInitializationException
* if initialization could not be correctly done (for example,
* no password has been set).
*/
public synchronized void initialize() {
// Double-check to avoid synchronization issues
if (!initialized) {
/*
* If the encryptor has not set a salt generator in any way, it is
* time to apply its default value.
*/
if (saltGenerator == null) {
saltGenerator = new RandomSaltGenerator();
}
try {
// Password cannot be null.
if (password == null) {
throw new EncryptionInitializationException("Password not set for Password Based Encryptor");
}
// Normalize password to NFC form
password = Normalizer.normalizeToNfc(password);
if (provider != null) {
for (Layer ai : layers) {
ai.encryptCipher =
Cipher.getInstance(ai.getAlgorithm() + CIPHER_CONFIG, provider);
ai.decryptCipher =
Cipher.getInstance(ai.getAlgorithm() + CIPHER_CONFIG, provider);
}
} else if (providerName != null) {
for (Layer ai : layers) {
ai.encryptCipher =
Cipher.getInstance(ai.getAlgorithm() + CIPHER_CONFIG, providerName);
ai.decryptCipher =
Cipher.getInstance(ai.getAlgorithm() + CIPHER_CONFIG, providerName);
}
} else {
for (Layer ai : layers) {
ai.encryptCipher =
Cipher.getInstance(ai.getAlgorithm() + CIPHER_CONFIG);
ai.decryptCipher =
Cipher.getInstance(ai.getAlgorithm() + CIPHER_CONFIG);
}
}
} catch (EncryptionInitializationException e) {
throw e;
} catch (Throwable t) {
throw new EncryptionInitializationException(t);
}
this.initialized = true;
}
}
private byte[] generateIV(Cipher cipher) {
byte[] iv = new byte[cipher.getBlockSize()];
rand.nextBytes(iv);
return iv;
}
private SecretKey generateKey(String algorithm, int keySize, byte[]
salt) throws NoSuchAlgorithmException, InvalidKeyException,
ShortBufferException, IllegalStateException {
PKCS5S2KeyGenerator myGen = new PKCS5S2KeyGenerator(pbkdf2PRG);
return myGen.generateDerivedKey(algorithm, keySize,
password.toCharArray(), salt, keyObtentionIterations);
}
/**
* <p>
* Encrypts a message using the specified configuration.
* </p>
* <p>
* The mechanisms applied to perform the encryption operation are described
* in <a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2127"
* target="_blank">PKCS #5: Password-Based Cryptography Standard</a>.
* </p>
* <p>
* This encryptor uses a salt for each encryption operation. The size of the
* salt depends on the algorithm being used. This salt is used for creating
* the encryption key and, if generated by a random generator, it is also
* appended unencrypted at the beginning of the results so that a decryption
* operation can be performed.
* </p>
* <p>
* <b>If a random salt generator is used, two encryption results for the
* same message will always be different (except in the case of random salt
* coincidence)</b>. This may enforce security by difficulting brute force
* attacks on sets of data at a time and forcing attackers to perform a
* brute force attack on each separate piece of encrypted data.
* </p>
*
* @param message
* the byte array message to be encrypted
* @return the result of encryption
* @throws EncryptionOperationNotPossibleException
* if the encryption operation fails, omitting any further
* information about the cause for security reasons.
* @throws EncryptionInitializationException
* if initialization could not be correctly done (for example,
* no password has been set).
*/
public byte[] encrypt(final byte[] message) throws
EncryptionOperationNotPossibleException {
if (message == null) {
return null;
}
// Check initialization
if (!isInitialized()) {
initialize();
}
try {
byte[] encryptedMessage = new byte[message.length];
System.arraycopy(message, 0, encryptedMessage, 0,
message.length);
for (int i = 0; i < layers.size(); i++) {
Layer layer = layers.get(i);
// The salt size for the chosen algorithm is set to be equal
// to the algorithm's block size (if it is a block algorithm).
int saltSizeBytes = DEFAULT_SALT_SIZE_BYTES;
int algorithmBlockSize = layer.encryptCipher.getBlockSize();
if (algorithmBlockSize > 0) {
saltSizeBytes = algorithmBlockSize;
}
// Create salt
final byte[] salt =
saltGenerator.generateSalt(saltSizeBytes);
SecretKey key =
generateKey(layer.encryptCipher.getAlgorithm(), layer.getKeySize(), salt);
// create a new IV for each encryption
final IvParameterSpec ivParamSpec = new
IvParameterSpec(generateIV(layer.encryptCipher));
/*
* Perform encryption using the Cipher
*/
synchronized (layer.encryptCipher) {
layer.encryptCipher.init(Cipher.ENCRYPT_MODE, key,
ivParamSpec);
encryptedMessage =
layer.encryptCipher.doFinal(encryptedMessage);
}
// append the IV
encryptedMessage =
CommonUtils.appendArrays(ivParamSpec.getIV(), encryptedMessage);
// Finally we build an array containing both the unencrypted salt
// and the result of the encryption. This is done only
// if the salt generator we are using specifies to do so.
if (saltGenerator.includePlainSaltInEncryptionResults()) {
// Insert unhashed salt before the encryption result
encryptedMessage = CommonUtils.appendArrays(salt,
encryptedMessage);
}
}
return encryptedMessage;
} catch (InvalidKeyException e) {
// The problem could be not having the unlimited strength policies
// installed, so better give a useful error message.
handleInvalidKeyException(e);
throw new EncryptionOperationNotPossibleException();
} catch (Exception e) {
// If encryption fails, it is more secure not to return any
// information about the cause in nested exceptions. Simply fail.
throw new EncryptionOperationNotPossibleException();
}
}
/**
* <p>
* Decrypts a message using the specified configuration.
* </p>
* <p>
* The mechanisms applied to perform the decryption operation are described
* in <a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2127"
* target="_blank">PKCS #5: Password-Based Cryptography Standard</a>.
* </p>
* <p>
* If a random salt generator is used, this decryption operation will expect
* to find an unencrypted salt at the beginning of the encrypted input, so
* that the decryption operation can be correctly performed (there is no
* other way of knowing it).
* </p>
*
* @param encryptedMessage
* the byte array message to be decrypted
* @return the result of decryption
* @throws EncryptionOperationNotPossibleException
* if the decryption operation fails, omitting any further
* information about the cause for security reasons.
* @throws EncryptionInitializationException
* if initialization could not be correctly done (for example,
* no password has been set).
*/
public byte[] decrypt(final byte[] encryptedMessage) throws
EncryptionOperationNotPossibleException {
if (encryptedMessage == null) {
return null;
}
// Check initialization
if (!isInitialized()) {
initialize();
}
if (saltGenerator.includePlainSaltInEncryptionResults()) {
// determine the salt size for the first layer of encryption
int saltSizeBytes = DEFAULT_SALT_SIZE_BYTES;
int algorithmBlockSize =
layers.get(0).encryptCipher.getBlockSize();
if (algorithmBlockSize > 0) {
saltSizeBytes = algorithmBlockSize;
}
// Check that the received message is bigger than the salt
if (encryptedMessage.length <= saltSizeBytes) {
throw new EncryptionOperationNotPossibleException();
}
}
try {
byte[] decryptedMessage = new byte[encryptedMessage.length];
System.arraycopy(encryptedMessage, 0, decryptedMessage, 0,
encryptedMessage.length);
for (int i = layers.size() - 1; i >= 0; i--) {
Layer layer = layers.get(i);
int saltSizeBytes = DEFAULT_SALT_SIZE_BYTES;
int algorithmBlockSize = layer.encryptCipher.getBlockSize();
if (algorithmBlockSize > 0) {
saltSizeBytes = algorithmBlockSize;
}
// If we are using a salt generator which specifies the salt
// to be included into the encrypted message itself, get it from
// there. If not, the salt is supposed to be fixed and thus the
// salt generator can be safely asked for it again.
byte[] salt = null;
byte[] iv = null;
byte[] encryptedMessageKernel = null;
if (saltGenerator.includePlainSaltInEncryptionResults()) {
final int saltStart = 0;
final int saltSize = (saltSizeBytes <
decryptedMessage.length ? saltSizeBytes : decryptedMessage.length);
final int ivStart = (saltSizeBytes <
decryptedMessage.length ? saltSizeBytes : decryptedMessage.length);
final int ivSize = layer.decryptCipher.getBlockSize();
final int encMesKernelStart = (saltSizeBytes + ivSize <
decryptedMessage.length ? saltSizeBytes + ivSize : decryptedMessage.length);
final int encMesKernelSize = (saltSizeBytes + ivSize <
decryptedMessage.length ? (decryptedMessage.length - saltSizeBytes - ivSize)
: 0);
salt = new byte[saltSize];
iv = new byte[ivSize];
encryptedMessageKernel = new byte[encMesKernelSize];
System.arraycopy(decryptedMessage, saltStart, salt, 0,
saltSize);
System.arraycopy(decryptedMessage, ivStart, iv, 0,
ivSize);
System.arraycopy(decryptedMessage, encMesKernelStart,
encryptedMessageKernel, 0, encMesKernelSize);
} else {
final int ivStart = 0;
final int ivSize = layer.decryptCipher.getBlockSize();
final int encMesKernelStart = (ivSize <
decryptedMessage.length ? ivSize : decryptedMessage.length);
final int encMesKernelSize = (ivSize <
decryptedMessage.length ? (decryptedMessage.length - ivSize) : 0);
salt = saltGenerator.generateSalt(saltSizeBytes);
iv = new byte[ivSize];
encryptedMessageKernel = new byte[encMesKernelSize];
System.arraycopy(decryptedMessage, ivStart, iv, 0,
ivSize);
System.arraycopy(decryptedMessage, encMesKernelStart,
encryptedMessageKernel, 0, encMesKernelSize);
}
SecretKey key =
generateKey(layer.decryptCipher.getAlgorithm(), layer.getKeySize(), salt);
IvParameterSpec ivParamSpec = new IvParameterSpec(iv);
/*
* Perform decryption using the Cipher
*/
synchronized (layer.decryptCipher) {
layer.decryptCipher.init(Cipher.DECRYPT_MODE, key,
ivParamSpec);
decryptedMessage =
layer.decryptCipher.doFinal(encryptedMessageKernel);
}
}
// Return the results
return decryptedMessage;
} catch (InvalidKeyException e) {
// The problem could be not having the unlimited strength policies
// installed, so better give a useful error message.
handleInvalidKeyException(e);
throw new EncryptionOperationNotPossibleException();
} catch (Exception e) {
// If decryption fails, it is more secure not to return any
// information about the cause in nested exceptions. Simply fail.
throw new EncryptionOperationNotPossibleException();
}
}
/*
* Method used to provide an useful error message in the case that the user
* tried to use a strong PBE algorithm like TripleDES and he/she has not
* installed the Unlimited Strength Policy files (the default message for
* this is simply "invalid key size", which does not provide enough clues
* for the user to know what is really going on).
*/
private void handleInvalidKeyException(InvalidKeyException e) {
if ((e.getMessage() != null) &&
((e.getMessage().toUpperCase().indexOf("KEY SIZE") != -1))) {
throw new EncryptionOperationNotPossibleException(
"Encryption raised an exception. A possible cause is "
+ "you are using strong encryption algorithms and "
+ "you have not installed the Java Cryptography "
+ "Extension (JCE) Unlimited Strength Jurisdiction "
+ "Policy Files in this Java Virtual Machine");
}
}
}
|
|
From: Jessie H. <jes...@gm...> - 2011-08-04 15:37:09
|
Hi,
I use a Hibernate annotation to get the decrypted value, but it failed.
The encrypted value is generated by the following code in a separate program
and saved in the DB.
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
encryptor.setPassword("XXXX");
encryptor.setAlgorithm("PBEWithMD5AndDES");
String encryptedText =
encryptor.encrypt("StringNeedToBeEncryptedAndSaveToDBLater");
Then I use the following code to try to get the decrypted value:
@TypeDef(name = "encryptedString", typeClass = EncryptedStringType.class,
parameters = {
@Parameter(name = "password", value = "XXXX"),
@Parameter(name = "algorithm", value = "PBEWithMD5AndDES"),
@Parameter(name = "keyObtentionIterations", value = "1000") })
@IdClass(SysParameterPK.class)
@Entity
@Table(name = "cws_parameter")
public class SysParameter extends BaseDB2Domain {
.....
....
...
// get the decrypted value of the table.encrypt_value
@Type(type = "encryptedString")
public String getEncryptValue() {
return encryptValue;
}
public void setEncryptValue(String encryptValue) {
this.encryptValue = encryptValue;
}
}
--
View this message in context: http://old.nabble.com/Decrypt-value-using-hibernate-annotation-tp32195559p32195559.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Marius K. <am...@gm...> - 2011-08-02 22:08:07
|
2011/7/25 Daniel Fernández <dfe...@us...>
>
> Jasypt 1.8 has been just released [ http://www.jasypt.org ]
>
> Changes from 1.7.1:
>
> * Modified in-memory storage of PBE passwords to avoid having Strings in
> memory that contain the password being used. Now PBE passwords are stored as
> char[] objects that are zeroed as soon as they are used. New
> "setPasswordCharArray(char[] password)" methods allow users to specify
> passwords as char[] also, so that there is no need to create String
> passwords.
> [ see http://www.jasypt.org/faq.html#store-pbe-passwords-strings ]
>
> * Modified the order in which Normalizer implementations are used: now
> icu4j is used if it is in the classpath (even if Java >= 6 is being used).
> If icu4j is not present, java.text.Normalizer is used (if Java >= 6).
>
wow thanks, I didn't really expect that you will change this, especially since it sounds like it was quite a bit of work.
--
<>< Marius ><>
|
|
From: BSM <bea...@gm...> - 2011-08-01 21:46:20
|
Hello all,
I'd like to know if Jasypt 1.8 implementation can encrypt passwords using any of these algorithms and key derivation functions:
PBKDF1 with the following hash functions:
• MD5
• SHA-1
PBKDF2 with the following hash functions:
• SHA-1
• SHA-256
• SHA-384
• SHA-512
Thanks for your help
--
View this message in context: http://old.nabble.com/Jasypt-1.8-Scope-tp32173410p32173410.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Shaun S. <sen...@gm...> - 2011-07-27 08:04:55
|
I'm trying to use a StandardPBEByteEncryptor to implement PBE based on information contained in the PKCS#5 RFC.
One thing I came across is that the StandardPBEByteEncryptor doesn't seem to use any salt when generating the key (PBEKeySpec in initialize()) as specified in http://tools.ietf.org/html/rfc2898#section-4.1. Am I misunderstanding something? I see that a salt is later applied during the encryption phase as part of the PBE params... is it simply applying a new salt to the key generated during initialize() each time encrypt() is called?
One other question. It seems there is no way to specify the salt size. I am currently using AES256, but a 16byte (128bit) salt is only generated. I was hoping to use a 256bit salt to add a little more entropy, but perhaps that is irrelevant if the block size is smaller than the salt size?
|
|
From: Daniel F. <dfe...@us...> - 2011-07-25 18:01:56
|
Jasypt 1.8 has been just released [ http://www.jasypt.org ]
Changes from 1.7.1:
* Modified in-memory storage of PBE passwords to avoid having Strings in memory that contain the password being used. Now PBE passwords are stored as char[] objects that are zeroed as soon as they are used. New "setPasswordCharArray(char[] password)" methods allow users to specify passwords as char[] also, so that there is no need to create String passwords. [ see http://www.jasypt.org/faq.html#store-pbe-passwords-strings ]
* Modified the order in which Normalizer implementations are used: now icu4j is used if it is in the classpath (even if Java >= 6 is being used). If icu4j is not present, java.text.Normalizer is used (if Java >= 6).
* Added to EncryptablePropertyPlaceholderConfigurer the ability to decrypt system properties.
* Fixed CLI scripts: *.jar in "find" command was matching jar files in the current folder instead of those in the lib folder. Fixed by surrounding "*.jar" by simple inverted commas
* Small bugfixing for large BigInteger number decryption.
Central Maven repositories are being synced.
Regards,
Daniel.
|
|
From: Daniel F. <dfe...@us...> - 2011-07-24 18:42:31
|
Thank you,
This has been fixed in all CLI ".sh" scripts in jasypt's trunk, and will go into 1.8 version.
Regards,
Daniel.
On 7 July 2011 21:30, John J. Franey <jjf...@gm...> wrote:
> +------------------------+
> Jasypt Users List
> http://www.jasypt.org
> +------------------------+
>
> line 15 of bin/encrypt.sh in 1.7.1 should read:
>
> for a in `find $LIB_DIR -name '*.jar'`
>
> Otherwise, the shell matches any files in current working directory that end
> in .jar. If changed to a directory with a.jar, b.jar files, and ran
> encrypt.sh with like 'bash -x encyrpt.sh', I see this use of find command:
>
> ++ find ......bin/../lib -name a.jar b.jar
>
> --
> View this message in context:
> http://old.nabble.com/encrypt.sh-needs-quotes-around-in-find-command-tp32016152p32016152.html
> Sent from the Jasypt - Users mailing list archive at Nabble.com.
>
> _______________________________________________
> jasypt-users mailing list
> jas...@li...
> https://lists.sourceforge.net/lists/listinfo/jasypt-users
>
|
|
From: marioorozgon <mar...@gm...> - 2011-07-21 12:47:13
|
Hi!
I have a problem with my development: on decrypt, accents are translated
to "&aeio" and similar expressions:
Clob clobHallazgos = resultSet.getClob(9);
if (clobHallazgos != null){
Reader readerHallazgos = clobHallazgos.getCharacterStream();
CharArrayWriter writerHallazgos = new CharArrayWriter();
int iHallazgos=-1;
while ( (iHallazgos=readerHallazgos.read())!=-1){
writerHallazgos.write(iHallazgos);
}
String valor = new String(writerHallazgos.toCharArray());
String correcto = s.decrypt(valor);
voInformescuerpo.setHallazgos(correcto);
--
View this message in context: http://old.nabble.com/PROBLEM-JASYPT---DECRYTP-WITH-CLOB-tp32107141p32107141.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: John J. F. <jjf...@gm...> - 2011-07-07 19:30:23
|
line 15 of bin/encrypt.sh in 1.7.1 should read:
for a in `find $LIB_DIR -name '*.jar'`
Otherwise, the shell matches any files in current working directory that end in .jar. If changed to a directory with a.jar, b.jar files, and ran encrypt.sh with like 'bash -x encyrpt.sh', I see this use of find command:
++ find ......bin/../lib -name a.jar b.jar
--
View this message in context: http://old.nabble.com/encrypt.sh-needs-quotes-around-in-find-command-tp32016152p32016152.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Saibabu V. <sai...@gm...> - 2011-07-07 15:35:00
|
I am trying to encrypt and decrypt one of the MySQL database columns, and this column gets updated by Apache OpenJPA software. Do you have an example of how to do this using JPA? Thank you in advance. |
|
From: martinY <rue...@al...> - 2011-07-04 17:10:13
|
Hello,
I am using BasicTextEncryption instead of BasicPasswordEncryption, as my program needs to be able to decrypt the password again, as I am saving it encrypted, but sending it in clear text to a third party site (there's no other way). The software is available as a jar archive for the users.
I use setPassword() for salting. Apparently, anyone having the jar archive could decompile it and use the salting string to easily decrypt the encrypted passwords. Is there any way to prevent this? Using random salting strings does not seem to be possible, because how would I decrypt them after the program has been restarted, and we now want to decrypt the random-encrypted string?
Thanks in advance for your answers,
Martin.
--
View this message in context: http://old.nabble.com/BasicTextEncryption---is-there-any-salting-safety-when-decompiling--tp31991006p31991006.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Lrkwz1 <luc...@gm...> - 2011-06-29 16:47:06
|
Hello,
I wish to encrypt with Javascript sjcl and decrypt with Jasypt; I couldn't find any simple way to do it. Can someone help?
Thank you
--
View this message in context: http://old.nabble.com/Encrypt-with-Javascript-sjcl-and-decript-with-Jasypt-tp31956425p31956425.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: reyam <os...@te...> - 2011-06-17 07:48:32
|
Hi, as Daniel said, and you just quoted above, partial search (i.e using the LIKE operator) is NOT supported over encrypted data. Cheers! -- View this message in context: http://old.nabble.com/Need-help-in-Jasypt-%28java-simplified-encryption%29-with-hibernate-3.0-tp31848725p31867009.html Sent from the Jasypt - Users mailing list archive at Nabble.com. |
|
From: AnandLoni <ana...@gm...> - 2011-06-17 07:30:48
|
Thanks Daniel for the inputs.
I implemented search with your input i.e fixed salt. With this approach exact string search is working fine, but I am still having issues with partial search. Any idea ?
Regards,
Anand
dfernandez wrote:
>
> Hi,
>
> Search on encrypted values can only be done using the equality operator (=)
> --obviously things like '>', '<' or 'LIKE' would not work on encrypted data.
>
> And also, you would need to declare a FIXED or NO salt generator, so that
> you ensure that every time you encrypt the same text you receive the same
> encrypted result. Note nevertheless that this will reduce your security and
> make you vulnerable to some kinds of attacks (such as Birthday attacks).
>
> Regards,
> Daniel.
>
> On 15 June 2011 07:36, AnandLoni <ana...@gm...> wrote:
>
>> Hi,
>>
>> I am using Jasypt to encrypt database column with hibernate.
>> (http://www.jasypt.org/hibernate3.html).
>>
>> When I save object value is encrypted and when I load object value is
>> decrypted, this is working fine. I have search functionality on the
>> encrypted column, I am using hibernate criteria api for searching. Search on
>> encrypted column is not working.
>>
>> Any idea on how to search over encrypted column value ?
>> --
>> View this message in context:
>> http://old.nabble.com/Need-help-in-Jasypt-%28java-simplified-encryption%29-with-hibernate-3.0-tp31848725p31848725.html
>> Sent from the Jasypt - Users mailing list archive at Nabble.com.
>
--
View this message in context: http://old.nabble.com/Need-help-in-Jasypt-%28java-simplified-encryption%29-with-hibernate-3.0-tp31848725p31866929.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
|
|
From: Daniel F. <dfe...@us...> - 2011-06-16 23:29:21
|
Hi,
Search on encrypted values can only be done using the equality operator (=) --obviously things like '>', '<' or 'LIKE' would not work on encrypted data.
And also, you would need to declare a FIXED or NO salt generator, so that you ensure that every time you encrypt the same text you receive the same encrypted result. Note nevertheless that this will reduce your security and make you vulnerable to some kinds of attacks (such as Birthday attacks).
Regards,
Daniel.
On 15 June 2011 07:36, AnandLoni <ana...@gm...> wrote:
> Hi,
>
> I am using Jasypt to encrypt database column with hibernate.
> (http://www.jasypt.org/hibernate3.html).
>
> When I save object value is encrypted and when I load object value is
> decrypted, this is working fine. I have search functionality on the
> encrypted column, I am using hibernate criteria api for searching. Search on
> encrypted column is not working.
>
> Any idea on how to search over encrypted column value ?
> --
> View this message in context:
> http://old.nabble.com/Need-help-in-Jasypt-%28java-simplified-encryption%29-with-hibernate-3.0-tp31848725p31848725.html
> Sent from the Jasypt - Users mailing list archive at Nabble.com.
>
|
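An added example (not from the posters or from Jasypt's source), using only JDK JCE classes, of the point made in this thread: equality search needs a fixed salt, and LIKE cannot work even then. It also shows that with JCE PBE ciphers the salt is supplied at Cipher.init through PBEParameterSpec rather than in PBEKeySpec, which bears on the 2011-07-27 salt question above. The class name, password, salt and plaintexts are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Added illustration: plain JCE, not Jasypt code. All values are constructed.
public class FixedSaltSearchDemo {
    static final String ALGORITHM = "PBEWithMD5AndDES"; // algorithm named in the thread
    static final int ITERATIONS = 1000;

    // PBEKeySpec wraps only the password: no salt takes part at this point.
    static SecretKey passwordKey(char[] password) throws Exception {
        return SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(password));
    }

    // The salt enters here, through PBEParameterSpec, when the cipher is
    // initialised; the actual DES key and IV are derived from password + salt.
    static byte[] encrypt(SecretKey key, byte[] salt, String plain) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, ITERATIONS));
        return cipher.doFinal(plain.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] randomSalt() {
        byte[] salt = new byte[8]; // this algorithm requires an 8-byte salt
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // True if 'candidate' is a byte-wise prefix of 'stored' (what LIKE 'x%' needs).
    static boolean isPrefix(byte[] candidate, byte[] stored) {
        return candidate.length <= stored.length
                && Arrays.equals(candidate, Arrays.copyOf(stored, candidate.length));
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = passwordKey("constructed-demo-password".toCharArray());
        byte[] fixedSalt = "8bytesal".getBytes(StandardCharsets.US_ASCII);

        // Random salt: the stored value and the encrypted search term differ.
        byte[] stored = encrypt(key, randomSalt(), "Anderson");
        byte[] term = encrypt(key, randomSalt(), "Anderson");
        System.out.println("random salt, '=' matches: " + Arrays.equals(stored, term));

        // Fixed salt: encryption is deterministic, so '=' can match ...
        stored = encrypt(key, fixedSalt, "Anderson");
        term = encrypt(key, fixedSalt, "Anderson");
        System.out.println("fixed salt, '=' matches: " + Arrays.equals(stored, term));

        // ... but the ciphertext of a prefix is not a prefix of the ciphertext.
        byte[] partial = encrypt(key, fixedSalt, "Ander");
        System.out.println("fixed salt, LIKE 'Ander%' matches: " + isPrefix(partial, stored));
    }
}
```

With random salts the two ciphertexts differ, so an equality predicate finds nothing; with the fixed salt they are identical, and the encrypted prefix still does not match the start of the stored value.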