Hi Jeetandra,
While Craig's is obviously the right general answer, there's another if
portability is not the primary goal. In the case of an OS that provides a
secure signon system (as the AS/400 does) and provides an easy Java way to
validate users and passwords (as the AS/400 does), why not use the system
mechanism? Authority worries can be handled by tossing these into a group
with no authority. In this particular area, I might lean towards this
solution anyway, rather than reinvent that wheel along with associated
maintenance, protections, etc.
Joe Sam
Joe Sam Shirah
Autumn Software
What you don't know DOES hurt you...and your business
___________________________________________
-----Original Message-----
From: Craig R. McClanahan <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, November 17, 1999 9:30 PM
Subject: Re: Please advice: Encrypting passwords and servlets
>Jeetandra Mahtani wrote:
>
>> Hello:
>> I have a registration form that has a field for a userid and password.
>> These two values are stored in a table on an AS/400. Is it possible to
>> store the passwords in encrypted format?
>> If I need to let the user know his password, is it possible to unencrypt
>> it? I am pretty close to the end of a project and need to solve this
>> quickly. I would greatly appreciate it if someone would let me know soon.
>> Thank you,
>> J
>>
>
>It certainly is possible to store the passwords in an encrypted (actually,
>encoded) format in the database. Among many other places, Unix systems use
>this to store passwords into the /etc/passwd or /etc/shadow files.
>
>The basic idea is that you utilize a one-way hashing function (see below for
>some possibilities) that you call on the cleartext password before you store
>it. As the name implies, it is supposed to be "computationally infeasible" to
>go from the encoded version back to the cleartext version. (That's why, if
>you forget your password on a Unix system, all the sysadmin can do is set a
>new one -- there's no way he or she can retrieve the current one.)
>
>So how do you validate an incoming password? Pretty simple -- encode whatever
>the user specified using the same one-way function, and compare the results.
>If they match, byte for byte, then you assume that the user knew the correct
>password and you let them in.
>
>Based on this, it's pretty obvious that a good hashing algorithm should
>minimize the chance that two different words hash to the same value.
>Reasonable choices include the crypt() function in C (if your OS supports
>it), or one of the digest functions supported by the Java security library.
>I've had pretty good luck using the java.security.MessageDigest class, with
>the MD5 algorithm, for this purpose. The only slightly messy part is you get
>back a byte array (non-ASCII) that you need to store in a "raw" column in
>your database, unless you do something like convert it to hexadecimal so you
>can store it in a character field.
>
>Craig McClanahan
>
>> =====
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
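The scheme Craig describes above (digest the cleartext once with a one-way function, hex-encode the byte array so it fits a character column, then re-digest and compare on login) in working Java, as an added example that is not code from either poster or from the list. Alongside the MD5+hex form from the thread it shows what a practitioner would store today instead of an unsalted MD5 digest: a per-user random salt and PBKDF2 (SecretKeyFactory "PBKDF2WithHmacSHA256", shipped with the JDK), with the hashes compared in constant time via MessageDigest.isEqual. The class and method names, the iteration count and the stored record layout `iterations$saltHex$hashHex` are assumptions of this example, not anything the thread specifies; the sample password is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordStore {

    // Hex-encode a digest so it can live in a CHAR/VARCHAR column (the
    // conversion Craig mentions as the alternative to a "raw" binary column).
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // The scheme exactly as described in the thread: one-way digest of the
    // cleartext, stored as hex. Shown for illustration only; an unsalted,
    // fast digest like MD5 is not an adequate password store today.
    static String md5Hex(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return toHex(digest);
    }

    // Current practice: per-user random salt plus a deliberately slow KDF.
    // Record layout (assumed for this example): iterations$saltHex$hashHex
    static final int ITERATIONS = 210_000;   // assumed work factor
    static final int KEY_BITS = 256;
    static final SecureRandom RNG = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    // Called at registration: fresh salt, derive, return the string to store.
    static String createRecord(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        return ITERATIONS + "$" + toHex(salt) + "$" + toHex(hash);
    }

    // Validation as the thread describes: run the same one-way function on
    // the submitted password and compare the results, but with a
    // constant-time comparison so response timing does not leak how many
    // leading bytes matched.
    static boolean verify(char[] password, String record) throws Exception {
        String[] parts = record.split("\\$");
        if (parts.length != 3) {
            return false;
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = fromHex(parts[1]);
        byte[] expected = fromHex(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample
        System.out.println("md5 hex (thread's scheme): " + md5Hex(new String(pw)));
        String record = createRecord(pw);
        System.out.println("stored record:             " + record);
        System.out.println("right password verifies:   " + verify(pw, record));
        System.out.println("wrong password verifies:   " + verify("wrong".toCharArray(), record));
    }
}
```

Because the salt is random, two users with the same password get different records, which is what blocks precomputed lookup tables; the iteration count is stored with the record so it can be raised for new users without invalidating old ones. Note that the same one-way property the thread explains is why the original question's "let the user know his password" cannot be met: the only option is a reset.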