Ozan Manav - 3 months ago 20
Android Question

Encryption&Decryption in Login System

I have a login system, but I want to encrypt the password when a user signs up and write the encrypted password to the database; then, when this user logs in again, the program receives the encrypted password from the database, decrypts it, matches it against the entered login password and goes to a successful login.

My encrypted password was written successfully to the database.
But when I receive it from the database, the decrypted password does not match the entered password at login.

My code:

SignUpActivity.java (scoped encryption)

// Encryption is a third-party Android library (assumed: se.simbio.encryption.Encryption,
// whose getDefault(key, salt, iv) returns an AES helper with encryptOrNull/decryptOrNull)
String unsafetypass = args[1];
Encryption encryption = Encryption.getDefault("Key", "Value", new byte[16]);
String pass2 = encryption.encryptOrNull(unsafetypass); // ciphertext that is stored in the database


Here pass2 is the encrypted password written to the database, no problem.

But here I must select the encrypted password from the database; that is fine, I selected it. Now I have to decrypt it to match it against the login password.

Problem here:
LoginActivity.java (scoped decryption)

Encryption encryption = Encryption.getDefault("Key", "Value", new byte[16]); // same key, salt and IV as at sign-up
String password = encryption.decryptOrNull(rs2.getString("Password")); // rs2 is the ResultSet row read from the database


Here the password does not match the login password. Why? Maybe it is about the Encryption variable?

SOLVED (My solution)
I fixed my problem. I don't need decryption: when the user enters the login screen the password is already in plaintext, so I must encrypt it. I encrypted this entered login password and compared it with the encrypted password in the database; when they match, the result is true and the login proceeds. I hope this is helpful for other developers. Thank you for the help again.

SOLVED 2 (Thank you to @LoganRodie)

Answer

What is this Encryption class you're using? I can't seem to find it anywhere...

What may be easier, and even more secure, is using a SHA-256 hash as "encryption". Simply hash the password, store it in the server, and when the user tries to log in again, compare the hash stored by the server to the hash of the password he attempted to use. That way, the password is never sent through the network, and it's almost impossible to reverse-hash SHA-256! Example for password storage:

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(password.getBytes(StandardCharsets.UTF_8));
// Raw digest bytes are not valid UTF-8 text, so encode them as hex before storing
String hashHex = String.format("%064x", new BigInteger(1, hash));
Server.write(hashHex); // Server is the poster's own helper, not a standard API

For password comparison:

MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(password.getBytes(StandardCharsets.UTF_8));
String hashHex = String.format("%064x", new BigInteger(1, hash));
String passwordHash = Server.readLine(); // the stored hex digest
if (MessageDigest.isEqual(hashHex.getBytes(StandardCharsets.UTF_8), passwordHash.getBytes(StandardCharsets.UTF_8))) authentication.success();

Hope this helps!
