Key Storage for Encryption/Decryption

Hi All,

I am using wM 6.1. Our company policy does not allow passwords to be stored in plaintext, so I am looking at performing a Triple DES encryption on the password using the Java Cryptography Extension and writing it into a database table.

My question is how people have been storing the key, and generating the key. We do not want to store the key as plaintext (hardcoded inside a flow service).

Any ideas would be appreciated.
ML

Dear Lee,

You can use the inbuilt services provided by webMethods to encode or decode passwords (pub.string.base64Encode and pub.string.base64Decode), or you can use your own encryption/decryption logic.
Encrypted passwords can be stored in a file or in a database. When you want to log in to a particular system, you can read the corresponding password from the file/database, decrypt it, and pass it to the service as a runtime parameter.

HTH
Srini

Lee,

Here is the code you can use to encode your password.

// Body of a webMethods Java service: MD5-hash the "yourPassword" pipeline value
IDataCursor idc = pipeline.getCursor();
try {
    java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
    String s = IDataUtil.getString(idc, "yourPassword");
    // digest() returns a byte array, not a single byte
    byte[] b = md.digest(s.getBytes());
    // Base64-encode the raw digest so it can be stored as text
    String hash = new String(com.wm.util.Base64.encode(b));
    IDataUtil.put(idc, "hash", hash);
} catch (Exception e) {
    throw new ServiceException(e);
} finally {
    idc.destroy();
}

Then you can store this hash value in the database.

ramesh.

On a similar note, is there a way to store the WM server key (SSL key) in an encrypted fashion and decrypt it on the fly for the HTTPS/SSL listener?
I was thinking maybe we can write a startup service that would get the private key before the start of HTTPS listener start and.

~tS

Base64 encoding something is not encryption. Since anyone can decode the string, it is no more secure than using plain text.

Storing an MD5 or SHA-1 hash of some string value is certainly useful. Rather than comparing the passwords themselves, you recompute the one-way hash or digest and compare the digests using the MessageDigest.isEqual() method. One-way hash values can’t be decrypted, but are sufficient for storing passwords.

The attached java service will compare two SHA-1 message digests. This should also work for MD5 digests if you change the call to getInstance appropriately.

Mark

CompareSHA1MessageDigests java service
compareSHA1MessageDigests.java (1.2 k)

Thanks Mark, it helps everyone…