
I want to obfuscate(*) some passwords to hide them in Java source code.

Discovering jasypt, I thought I would encrypt the password text beforehand and then decrypt it in the source code from the remembered seed + encrypted password. However, the encryption process does not seem to be reproducible: when generating an encrypted password text with

import org.jasypt.util.text.BasicTextEncryptor;

BasicTextEncryptor bte = new BasicTextEncryptor();
bte.setPassword("something"); // the "seed"
String ep = bte.encrypt("mypasswordtext"); // Base64 text of the encrypted password

I get different encrypted passwords back in ep every time I run it, for example Zx5RdBLxIB1sPxG7Os3/G4aqqfy59l8n, v3-D3AZWJAybdqWac9FsjdLgMqkAS9vS or ghsD3wZwJAwjk9ghqwFLwqwgMqkwS9vS.

How can I make the encryption reproducible, so that I can use the seed plus encrypted string to generate the real password?


(*) I use "obfuscate", because I know that this isn't a secure way to hide a password at all, but at least it helps that people cannot spot the passwords just by glancing at the source code, while keeping it all contained in the source code file.

halloleo
  • How about the decrypted password? Does it matter if the encrypted password is different each time if the decrypted password is what you expect? (I suspect some kind of random padding....) – piet.t Aug 17 '17 at 05:55
  • Have you tried to _decrypt_ the encrypted strings with the key to see if you get back the original password? – Jim Garrison Aug 17 '17 at 05:56
  • This is a security property. I see no reason why you would want deterministic encryption in your special case, since you want to decrypt this password. – Artjom B. Aug 17 '17 at 20:08

1 Answer

3

The BasicTextEncryptor will generate a random salt every time you perform an encryption and include it in the output, as you can see here: http://www.jasypt.org/api/jasypt/1.9.0/org/jasypt/encryption/pbe/StandardPBEStringEncryptor.html#encrypt(java.lang.String). Decryption should still work even though the ciphertexts are not the same.

If you wanted to produce the same result every time, you'd have to directly set up and configure a StandardPBEStringEncryptor with a non-random salt generator.

However, it would not be good practice to do either of these things, as you mention at the end of your post. If you're working on a "real-world" application, you should avoid storing these secrets in the source code at all.

jamchamb
  • Thanks jamchamb! You are right, decryption works with all of the different encrypted passwords! I was under the misconception that the encryption/decryption is a one-to-one mapping, but it is not. (Side note: that is probably the/a reason why the encrypted string is significantly longer than the original text.) – halloleo Aug 18 '17 at 03:59
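The two behaviours the answer describes, side by side, as an added example that is not code from the question or the answer: the default random-salt encryptor (different output per call, every output decrypts) next to the fixed-salt configuration via StandardPBEStringEncryptor that makes the output reproducible. It assumes jasypt 1.9.x on the classpath; the class name, the key "something" and the salt string are made up for the demo.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.salt.FixedStringSaltGenerator;
import org.jasypt.salt.RandomSaltGenerator;

public class JasyptSaltDemo {

    // Default jasypt behaviour (what BasicTextEncryptor wraps): a fresh random
    // 8-byte salt per call, prepended to the ciphertext before Base64 encoding,
    // so the text differs on every run but always decrypts with the same key.
    static StandardPBEStringEncryptor randomSaltEncryptor(String key) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(key);
        enc.setSaltGenerator(new RandomSaltGenerator()); // already the default; shown for contrast
        return enc;
    }

    // Weak setting the answer mentions: a fixed salt gives reproducible output, but then
    // equal plaintexts under the same key produce equal ciphertexts, which is exactly
    // what the random salt exists to prevent. The salt is not stored in the output.
    static StandardPBEStringEncryptor fixedSaltEncryptor(String key, String salt) {
        FixedStringSaltGenerator gen = new FixedStringSaltGenerator();
        gen.setSalt(salt); // must be at least 8 bytes; jasypt truncates to the salt size
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(key);
        enc.setSaltGenerator(gen);
        return enc;
    }

    public static void main(String[] args) {
        String key = "something";        // the "seed" from the question (constructed value)
        String secret = "mypasswordtext";

        StandardPBEStringEncryptor rnd = randomSaltEncryptor(key);
        String c1 = rnd.encrypt(secret);
        String c2 = rnd.encrypt(secret);
        System.out.println("random salt : " + c1 + " / " + c2 + "  same=" + c1.equals(c2));
        System.out.println("both decrypt: " + rnd.decrypt(c1).equals(secret)
                + " " + rnd.decrypt(c2).equals(secret));

        StandardPBEStringEncryptor fix = fixedSaltEncryptor(key, "demo-fixed-salt-value");
        String d1 = fix.encrypt(secret);
        String d2 = fix.encrypt(secret);
        System.out.println("fixed salt  : " + d1 + "  same=" + d1.equals(d2));
        System.out.println("decrypts    : " + fix.decrypt(d1).equals(secret));
    }
}
```

Expect `same=false` for the random-salt pair and `same=true` for the fixed-salt pair, with every decrypt check printing `true`.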