passwords – Java code for Pass Encryption / Decryption

Asking someone to write code for you is out of scope for this site. The Java crypto API is quite well documented, and if you want help on any aspect of it, ask a new question about it (here, or possibly on StackOverflow). However, we can give you advice, depending on your needs. This answer will be a little generic since you have not given much information.

First, a general piece of advice: if possible, passwords should not be stored in plain text or under reversible encryption. There are some obvious exceptions, such as password management utilities, but these are written by, or at least in collaboration with, security experts. Since you are not one of them, the first question to ask yourself is: do you really need to be able to store and decrypt the password?

In addition, the general problem with any system of this type is "Where do you get the decryption key"? A key hard-coded in the application or stored in plain text on the file system does not offer any real additional security beyond simply storing the password (or any secret) in plain text; an attacker who can access the password file can also access the key file (or extract the key from the binary file), and use this key to decrypt the password, as your application would do.

Here are some examples of scenarios (some overlapping):

  1. You build an authentication system in which users or other programs must prove their identity by sending you a password. For something like this, you should use a strong password hash algorithm, such as argon2 (as indicated by @Natanael in the comments), and not store the password under reversible encryption.
  2. You build a client application and you do not want the user to type their password each time. The best option here is to store a long-running session token (or a refresh token that can be used to renew the session token), rather than storing the password itself. In other words, do not store the password; store what you get from the server when you provide the password. This token is unique to your client (application) on this computer for this user of this service. It is therefore better than storing the password (which is the same for this user on this service, on any client and on any computer), but you will probably still want to store it safely anyway (see below).
  3. You create an automated service that must be able to authenticate even if no user is available to enter a password at a given time. If you are absolutely certain of the need to do so, keep reading.
  4. You store a secret value (possibly a password but, hopefully, a session token or similar) and need to recover it without user interaction. First, see if you can use a platform-specific secret storage system. Many platforms provide a way to do this, such as Keychain on macOS or Credential Manager on Windows (access to these services from Java can be tricky unless someone has already written a library for the native code interface). There are also secret storage systems available on many cloud platforms, such as the AWS Key Management Service. If this is not an option for any reason, you will need the key to be injected into the program environment at startup, for example as an environment variable or from another service. Of course, this only moves the "Where do I put it?" question up a level, but the environment you are in may contain a provision for secret storage even if you cannot access it directly from your code.
  5. You are looking to decrypt a secret (possibly a password, but probably not) with the help of a key or password provided by a user. If the user directly provides the key (for example, it is in a file on a USB stick), just read it into memory long enough to decrypt the secret and store it in memory. If the user provides a password, run the password through a strong password hash / key derivation function (keep the parameters, such as the salt, in a file; they are not secret) to produce a key (keep the key and the password itself only in memory and only for as long as necessary) and use the key as described above.

You may not be able to protect the secret significantly because there is nowhere to store the key. In this case, you're out of luck and you have to rethink your system or accept the risks. You can try to store the key in a file combined with another key or a hard-coded XOR mask in the binary, then obfuscate the binary to slow down reverse engineering attempts, but this isn't really security, and a speed bump is not a wall. (Do not just use an obfuscated key in the binary, because you cannot change the key without updating the entire program.)
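As an added illustration of scenario 5 (this is example code, not the answerer's): a user-supplied password is run through PBKDF2 with a salt that is stored in the clear, the derived AES key unseals a stored secret with AES-GCM, and both key and password are wiped as soon as they are no longer needed. The class and method names, the iteration count and the sample password and secret are assumptions constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordDerivedSecret {
    // KDF and cipher parameters are not secret; salt and IV are stored next to the ciphertext.
    static final int ITERATIONS = 600_000, IV_BYTES = 12, TAG_BITS = 128; // assumed cost; tune for your hardware
    // Password -> 256-bit AES key via PBKDF2-HMAC-SHA256 with the stored salt.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword(); // drop the spec's internal copy of the password
        return key;
    }
    // AES-GCM encrypt; returns IV || ciphertext || tag so everything needed to open is in one blob.
    static byte[] seal(byte[] key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // AES-GCM decrypt; a wrong password or a tampered blob fails with AEADBadTagException.
    static byte[] open(byte[] key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, sealed, 0, IV_BYTES));
        return c.doFinal(sealed, IV_BYTES, sealed.length - IV_BYTES);
    }
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);                     // generated once, stored in the clear
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample input
        byte[] key = deriveKey(password, salt);                 // key exists only while in use
        byte[] sealed = seal(key, "api-token-EXAMPLE".getBytes(StandardCharsets.UTF_8));
        Arrays.fill(key, (byte) 0);
        key = deriveKey(password, salt);                        // later run: user re-enters the password
        System.out.println(new String(open(key, sealed), StandardCharsets.UTF_8));
        Arrays.fill(key, (byte) 0);
        Arrays.fill(password, '\0');
    }
}
```

The salt and the sealed blob are the only things that need to persist on disk; neither is secret, and without the password they yield nothing.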