FIPS Compliant Algorithm for Encrypting Passwords using Jasypt in a Property File

Question

My application connects to the database by reading passwords from a property file. Can you suggest a suitable algorithm for encrypting these passwords?

EDIT: I went through a bunch of documents on nist.gov and realized that AES 128 and SHA 256 are compliant. Now, I am considering PBEWITHSHA256AND128BITAES-CBC-BC as the encryption method. Is this method FIPS compliant?

PS: I just want to encrypt the property values, not the whole file.

I would be astonished and amazed if there was any FIPS-compliant algorithm for encrypting passwords. See [tag:password-encryption] for why not. — user207421, Jul 04 '17 at 11:14
FIPS-compliance is pretty pricey. I would be amazed if jasypt would be FIPS-compliant in any way. A JRE on its own is also not FIPS-compliant by default. — Artjom B., Jul 04 '17 at 17:44
@ArtjomB. - I am asking about just the algorithm so kindly be specific. — Piyush Kumar, Jul 05 '17 at 07:34
@Downvoters - Instead of being sarcastic for no reason, if you explain the reason why do you think this is a stupid question, that would be helpful for me for using this platform in a better way. — Piyush Kumar, Jul 05 '17 at 07:36
About your edit: only implementations of specific algorithms can be FIPS-compliant, not the algorithms themselves. — Artjom B., Jul 05 '17 at 18:10
@ArtjomB. - You are right. I realize that now. Thanks for your help. — Piyush Kumar, Aug 22 '17 at 14:55

score -1 · Answer 1 · edited Jul 04 '17 at 12:04

-1

sha-256 is good enough for this task.

MessageDigest md=MessageDigest.getInstance("SHA-256");
md.update(pass.getBytes());
byte byteData[]=md.digest();
StringBuffer sb=new StringBuffer();
for(int i=0;i<byteData.length;i++)
    sb.append(Integer.toString((byteData[i] & 0xFF) + 0x100, 16).substring(1));
BufferedWriter output=new BufferedWriter(new FileWriter("passwords.txt",true));
output.write(userTF.getText()+" "+sb.toString()+"\n");
output.close();

edited Jul 04 '17 at 12:04

jww

97,681
90
411
885

answered Jul 04 '17 at 11:21

rackdevelop247

86
1
10

1

It sounds like the passwords are stored in plain text as name/value pairs in a XML file. I'm guessing the passwords are used later, like an API key or to authorize something. I'm also guessing he/she needs to encrypt the XML property file or certain values in the name/value pairs (but its just a guess). – jww Jul 04 '17 at 12:06
1

Given that jww seems to be correct still it is also important to understand that using SHA-256 vis not sufficient fr password use. It is necessary to use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt` or similar functions with a CPU utilization of around 100ms duration. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Jul 04 '17 at 12:20
@zaph - Can you tell me which is more suitable to my application? PBKDF2 or PBE? I just want to encrypt sensitive property values, not the whole file. – Piyush Kumar Jul 05 '17 at 07:32
1. PBKDF2 creates a secure hashed version of the password suitable for password verification, the original password can not be retrieved so it is more secure, even from server admins. This is the NIST recommended method. – zaph Jul 05 '17 at 13:01
2. PBEWITHSHA256AND128BITAES-CBC-BC is encryption and is not suitable for password verification. The original password can be obtained via decryption, this is not secure or desirable. Use only as a last resort. It is suitable only if the password is needed for forwarding to another system and even then additional security is required. If an attacker gains admin access to the server they will obtain the encryption key and recover by decrypting all the passwords. – zaph Jul 05 '17 at 13:03
@zaph - Thanks a lot. That helped. – Piyush Kumar Aug 22 '17 at 14:56

FIPS Compliant Algorithm for Encrypting Passwords using Jasypt in a Property File

1 Answers1