I am trying to decrypt a string which is encrypted in front end(angualrjs) while calling a rest service in java using angular js. I am able to encrypt the string using $crypto.encrypt ( using CryptoJS).I am passing encrypted value as argument using $http.get method.
But I am not familiar on how to decrypt the value in java.
encryption key in my config:
app.config(['$cryptoProvider', function($cryptoProvider){
$cryptoProvider.setCryptographyKey('ABCD123');
}]);
Thanks in Advance.
Seeing that you're using CryptoJS, there is already an answer posted.
How to decrypt an encrypted AES-256 string from CryptoJS using Java?
However, if you're using SSL/TLS, this encryption is not very effective. Because, even as the password is sent encrypted, there is need to store the password in clear text on the server-side for this purpose - which is not advisable. It is better to securely hash your passwords for authentication.
Related
I am using angular for login & signup and encrypting the password with the crypto-js and the password is also getting encrypted from backend side(here the encrypted key of crypto-js is getting encrypted by backend(Java) and stored in database).
Now the question is how i match the password for login(because whenever i am logging in it's showing httpStatus= BAD_REQUEST, description= password not matched) ?
is there any frontend angular method to decrypt the string of backend ?
or any other solutions ?
I have tried multiple ways to encrypt the password same as available in the backend, but failed !
The encrypted password should be non-decryptable.
What usually happens is that the passwords get hashed. Of course you need to use the same algorithm as you did when setting the password to ensure that the hash values are the same.
See also How can I hash a password in Java?
I want to build a login application, that has a client for username and password input, as well as a server, which then recieves the username and the password.
The server should then check, wheather the password it recieved matches the already stored hash, or not.
I thought it would be smart not to send the password unencrypted (just in a String) from the client to the server, so I already encrypted it on the client side with BCrypt.
But now i have two hashes on the server-side, but BCrypt only offers the methode to compare a plaintext with a hash, not a hash with a hash.
Should I now send the password in plaintext to the server or is there a way to compare two hashes?
Thanks for your help
The simplest way would be to use TLS https://en.wikipedia.org/wiki/Transport_Layer_Security
"Challenge-Response" is the term you should google for.
The Principle:
On server side you have stored a hashed (salted) password and the salt.
The client sends first the login name.
The server looks up the salt of the login in the database and sends this to the client, together with a random string (That's the Challenge).
The Client has now to calculate an encrypted password in the following way: Concatenate login password with salt and hash it. Concatenate the result with the random string from the challenge and hash it. Send the result to the server.
The server now concatenates the hashed password (stored in user database) with the random string sent together with the Challenge and calculates the hash. The result must be exactly the same as the result recieved from the client.
You can fetch hashed value from database and compare it with sent value
I want to use an Android app to send an encrypted password to a PHP file on the server that stores it. This also works so far.
At login I send the encrypted password to the server again and the PHP file should find out if the password is correct.
But if I now
if (password_verify($userPassword, $hash)) {
}
then the function requires the real password and not an encrypted one. How can I now compare encrypted with encrypted ?
Or do I just have to send the visible password to an SSL server and it's still secure ?
Does it really matter what the $userPassword actually is? This could be encrypted original as long as that is what you stored the first time...
So just send the encrypted version, hash it (in PHP), store it (in PHP) and later verify that (password_verify($inAndroidHashedPass, $localllyStoredHashFromPHP)) ?
I have a Spring-Boot application with MongoDB. I want to register the client using OAuth2.0 strategy and store client-id and client secret key in database. I am able to generate the access token by using some dummy client and secret key from the below url: http://websystique.com/spring-security/secure-spring-rest-api-using-oauth2/
I want to know how to generate the client id and secret key in my java code. Any help is appreciated.
Client ID and secret are generated by service providers to let the developers register their application and access their API's.
There are many ways of generating Client_id and Client secret.It depends on your choice.
Client_id is a public identifier for apps.It should be unique and not easily guessable . So you could use like a 32-character hex string , Guid , Guid + systemTime ,also you can hash it , encrypt it or anything else you want to make it unique identifier. (you would find java code easily for the same)
Client_secret is a secret known only to the application and the
authorization server.So you could use a cryptographically-secure library to generate a 256-bit value and converting it to a hexadecimal representation.
You should avoid using common UUID libraries.
Also you should not store the secret in plain text, instead only store an encrypted or hashed version, to help reduce the likelihood of the secret leaking.
Here are some examples of client ID from services that support Oauth:
Foursquare: ZYDPLLBWSK3MVQJSIYRF1OR2JXCY0X2C5UJ2QAR2MAAIT5Q
Github: 6779ef20e75817b79602
Google: 292085223830.apps.googleusercontent.com
Instagram: f2a1ed52710d4533bde25be6da03b6e3
I've already implemented RSA encryption in javascrypt and RSA decryption in java which is just a simple process. But the problem I've to encrypt a large amount of data which is not possible for RSA at a single go, either I should have to split the data to be encrypted (which will complicate the process) or use AES with RSA encryption and decryption. So I opted to go for AES with RSA encryption and decryption.
Here is my javascript code which use Crypto-js
<script src="rollups/aes.js"></script>
<script src="components/enc-base64-min.js"></script>
<script type="text/javascript" src="rollups/jquery-min.js"></script>
<script type="text/javascript">
var secretPass = CryptoJS.lib.WordArray.random(16);
var message = "<username>user</username><password>password</password>";
var encrypted = CryptoJS.AES.encrypt(message, CryptoJS.enc.Hex.stringify(secretPass));
var encode = encrypted.ciphertext.toString(CryptoJS.enc.Base64);
var secretPasses = CryptoJS.enc.Hex.stringify(secretPass);
console.log('encrypted: ',encrypted);
console.log('secretPasses: ',secretPasses);
console.log('encode: ',encode);
$.ajax({
url: 'encryption',
type: 'POST',
data: {
encode: encode,
secretPasses: secretPasses
},
success: function(data) {
console.log('success');
},
failure: function(data) {
console.log('failure');
}
});
</script>
Output in Jsp
encrypted: U2FsdGVkX192e9xprFPyuWu3Rxv2+CDMXiu2/TtNDwExvo4Dstx1mbqCHgds27Ng7zhYayVLjifeG15cuHI7hHfmEWvVeo7DDmOUsZmQAEM=
secretPasses: 23f96d28ae9f9c1c8c37050f79acdb37
encode: a7dHG/b4IMxeK7b9O00PATG+jgOy3HWZuoIeB2zbs2DvOFhrJUuOJ94bXly4cjuEd+YRa9V6jsMOY5SxmZAAQw==
In my post method of servlet, I used sysout to check the received data is same or not. The secret pass I'm getting is the same, encoded data is also the same. The problem is, encode data changed its form in the jsp itself while doing the conversion from encrypted to encode. I tried to pass "encrypted" directly via ajax, but it's pointing error, if I put "alert(typepof encrypted);", it alerts as "Object". How can I pass the original encrypted data to servlet?
System.out.println("secretpasses: "+request.getParameter("secretPasses"));
System.out.println("encode: "+request.getParameter("encode"));
Output in Java :
secretpasses: 23f96d28ae9f9c1c8c37050f79acdb37
encode: a7dHG/b4IMxeK7b9O00PATG+jgOy3HWZuoIeB2zbs2DvOFhrJUuOJ94bXly4cjuEd+YRa9V6jsMOY5SxmZAAQw==
Also it would be welcome if I can get some examples for AES encryption in Javascript and decryption in Java. I notified that it's AES with RSA encryption and decryption, but it's not inserted into current code. If I can get the AES part working, I can do RSA appropriately by encrypting the AEs key.
You can't directly pass encrypted to the backend, because it is an object which contains the ciphertext and some additional important data in the native CryptoJS format. There is no easy way to represent this object in Java without some work.
You can however produce a string from this object by calling the toString() function on it. This will give you an OpenSSL formatted string which can be sent via ajax. While you could certainly parse this string in Java to get the necessary information to decrypt it, it might be easier directly passing the ciphertext and salt parameters to the backend.
See here how they can be used for decryption. Note that the salt and password derives not only the key, but also the IV.
The other possibility is to use a better password derivation by leveraging the PBKDF2 in CryptoJS and Java. See here for some examples of that.