Storing encrypted passwords in SQL database

Hey folks!

I'm trying to encrypt a password to be put into a SQL database and then be decrypted when I pull it out to log a user in. Currently I can encrypt and store the password fine, but it's the grabbing and decrypting that is giving me troubles.

Sometimes I do get the correct string back from the decrypted database string, but not very often. The main error I get is BadPaddingException, which I've read in the forum is something to do with key/string discrepancies. I sometimes get an IllegalBlockSizeException as well.

When I look at the ASCII bytes stored in the database they are different from what is shown when I print them out on the screen using IE5.5.

I'm wondering if anyone out there has run into similar problems and overcome them, or could help me along in the right direction. Thnx!

PJ

[850 byte] By [hahtwebteam] at [2007-9-26 2:22:53]
# 1

The reverse algorithm should exactly be the opposite. Maybe the reverse algorithm might be missing this on certain instances. I don't know what algorithm you are using.

But sometimes even I used to face a similar problem. This used to happen when the algorithm changes your text to non-printable characters, usually I think which are available at the extremes, i.e. ASCII 250 to 255 etc. I am not sure but hope this is of some help to you.

Also, check with the SQL, since if you are using varchar or text fields then maybe it may not accept certain characters which are produced by the algorithm!!

This might be the second reason.

Jatin

Jatin2000 at 2007-6-29 9:30:05
# 2

Is there a way to limit the chars that the algorithm can use? I know that certain chars going into SQL will either be ignored or you get an error. I think that's my biggest problem, chars not being entered or retrieved from SQL correctly.

Do certain algorithms use different chars, and if so which one would be best to use to put the encrypted strings in SQL to be easily stored and pulled?

I'm using DES/ECB/PKCS5Padding currently.

hahtwebteam at 2007-6-29 9:30:05
# 3

You could always just hash (SHA, MD5, etc) the user's password, and store the base-64 encoded hash in the database. Then, to log the user in, simply hash the user's given password and compare it to the stored password hash in the database. That way, you never have to decrypt the user's password. BTW, unless you want to always use the same hashing algorithm, you'll probably want to store the hashing algorithm identifier along with the hash.

I think it ends up a little more secure that way -- users' passwords are never known to anyone but the user that way.

HTH,

Matthew

adamsmt at 2007-6-29 9:30:05
# 4

Hi folks,

I am trying to do the same, but am new to cryptography. Is it possible for you to send me your source code which does the encryption and stores it in the DB and then retrieves it and decrypts it back? If you could do this it will be very well appreciated.

> Hey folks!
>
> I'm trying to encrypt a password to be put into a SQL database and then be decrypted when I pull it out to log a user in. Currently I can encrypt and store the password fine, but it's the grabbing and decrypting that is giving me troubles.
>
> Sometimes I do get the correct string back from the decrypted database string, but not very often. The main error I get is BadPaddingException, which I've read in the forum is something to do with key/string discrepancies. I sometimes get an IllegalBlockSizeException as well.
>
> When I look at the ASCII bytes stored in the database they are different from what is shown when I print them out on the screen using IE5.5.
>
> I'm wondering if anyone out there has run into similar problems and overcome them, or could help me along in the right direction. Thnx!
>
> PJ

bigizzy at 2007-6-29 9:30:05
# 5
What is the datatype of the column you are storing your encrypted text in?
scooterj at 2007-6-29 9:30:05
# 6

What you need to do is a combination of what has been said here. Let's say you are working with a MS SQL Server, encrypting with 3DES. You have your key located somewhere on the system and use that (or something else that is specific to that record).

1.) In your app, encrypt the text

2.) Base64 Encode it so you can shove it in the database (I have also put this as RAW bytes in an Oracle DB)

3.) Make sure, when you are testing, that you check the length of the Base64 encrypted text you put in the database. SQL Server might add on extra characters to fill the field, i.e. if you are storing it in a varchar(250) field and you only fill 50 chars with your encrypted password, SQL Server might pad it with the extra 200. This will mess with your padding and throw an exception during the decryption process. I think I got around this with a simple TRIM statement when retrieving.

4.) Retrieve the text with a SQL statement

5.) Base64 Decode the text to get a byte array

6.) Use the decryption algorithm with your original key on the byte array.

I think that's it. Very quick. Low overhead on the server. Optimally, you would want to clear this from memory...blah blah blah....I could go on ;-p

I have a small API I've written for this using 3DES that has been working great ever since JCE 1.0. All I have to do is keygen a new key whenever I want to use it again.

Hope this helps,

RG

rgorrie1 at 2007-6-29 9:30:05
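The six steps above, worked through in Java as an added example (this is not RG's API or any code from the thread). It swaps the post's 3DES for AES/CBC with a random IV prefixed to the ciphertext, keeps the Base64 step so only ASCII reaches the varchar column, and simulates the fixed-width column filler from step 3 so the reader can see exactly how it produces the two exceptions from the original question: filler that is not a multiple of the block size gives IllegalBlockSizeException, and filler that is a whole block gives BadPaddingException because the last block decrypts to garbage. The class name, the IV-prefix layout and `simulateCharColumn`/`padBytes` are my own assumptions; for login checks, the hash-and-compare approach in post #3 avoids the whole decrypt path.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class DbCipherRoundTrip {
    // AES/CBC with a per-record IV, swapped in for the post's 3DES (and the question's DES/ECB).
    private static final String TRANSFORM = "AES/CBC/PKCS5Padding";
    private static final int IV_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** Steps 1 and 2: encrypt, prefix the IV, Base64-encode so only ASCII reaches the column. */
    public static String encryptForDb(String plaintext, SecretKey key) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, ivAndCt, 0, iv.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(ivAndCt);
    }

    /** Steps 4 to 6: trim the column filler, Base64-decode, split off the IV, decrypt. */
    public static String decryptFromDb(String dbValue, SecretKey key) throws GeneralSecurityException {
        return decryptRaw(Base64.getDecoder().decode(dbValue.trim()), key);
    }

    /** Decrypts IV||ciphertext exactly as given; with filler bytes still attached this is what fails. */
    public static String decryptRaw(byte[] ivAndCt, SecretKey key) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(ivAndCt, IV_BYTES, ivAndCt.length);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    /** Constructed stand-in for a CHAR(n) column: the server right-pads the value with spaces. */
    public static String simulateCharColumn(String value, int width) {
        StringBuilder sb = new StringBuilder(value);
        while (sb.length() < width) {
            sb.append(' ');
        }
        return sb.toString();
    }

    /** Constructed stand-in for a fixed-width binary column filled with 0x20 bytes (raw-byte storage). */
    public static byte[] padBytes(byte[] data, int fillerBytes) {
        byte[] out = Arrays.copyOf(data, data.length + fillerBytes);
        Arrays.fill(out, data.length, out.length, (byte) 0x20);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();             // the "key located somewhere on the system"

        String stored = simulateCharColumn(encryptForDb("s3cret", key), 250);
        System.out.println("column length:   " + stored.length());
        System.out.println("with trim:       " + decryptFromDb(stored, key));

        byte[] raw = Base64.getDecoder().decode(stored.trim());
        try {                                          // filler that breaks the block boundary
            decryptRaw(padBytes(raw, 8), key);
        } catch (GeneralSecurityException e) {
            System.out.println("8 filler bytes:  " + e.getClass().getSimpleName());
        }
        try {                                          // filler that is exactly one block
            decryptRaw(padBytes(raw, 16), key);
        } catch (GeneralSecurityException e) {
            System.out.println("16 filler bytes: " + e.getClass().getSimpleName());
        }
    }
}
```

The first two lines of output show the column holding 250 characters for a 44-character Base64 value and the trimmed value decrypting back to `s3cret`. The 8-byte filler case always raises IllegalBlockSizeException, since 24 ciphertext bytes are not a multiple of the 16-byte block; the 16-byte case almost always raises BadPaddingException, because the final block decrypts to pseudo-random bytes whose last byte is a valid PKCS5 pad length only by chance. Note that `java.util.Base64`'s basic decoder rejects the space characters outright with an IllegalArgumentException if the text is not trimmed first, which is a clearer failure than the cipher exceptions the thread reports.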
# 7
If SQL Server might add extra bytes for filler, how do you go about using only the data that is needed for the decryption process?
chimmeylingo at 2007-6-29 9:30:05