Reputation: 13
I am using 128-bit AES encryption in CBC mode with PKCS #5 padding to save passwords to my database. However, when I try to log in, the system tells me the password is invalid even though I use the correct password.
In my UserSetup class, this is my code for encrypting the passwords and saving them to my database:
try {
    String input = simple_text.getText();
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    // a fresh random IV is generated on every call
    byte[] iv = new byte[cipher.getBlockSize()];
    new SecureRandom().nextBytes(iv);
    IvParameterSpec ivSpec = new IvParameterSpec(iv);
    // 128-bit AES key: first 16 bytes of SHA-256(keyString)
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.update(keyString.getBytes());
    byte[] key = new byte[16];
    System.arraycopy(digest.digest(), 0, key, 0, key.length);
    SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
    // encrypt
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
    byte[] encrypted = cipher.doFinal(input.getBytes("UTF-8"));
    System.out.println("encrypted: " + new String(encrypted));
    encrypt_text.setText(new String(encrypted));
} catch (Exception e2) {
    JOptionPane.showMessageDialog(null, e2);
}
try {
    String sql = "INSERT INTO user(username,password) VALUES(?,?) ON DUPLICATE KEY UPDATE username=VALUES(username),password=VALUES(password)";
    pst = conn.prepareStatement(sql);
    pst.setString(1, fLoginName.getText());
    pst.setString(2, encrypt_text.getText());
    pst.execute();
    JOptionPane.showMessageDialog(null, "saved");
} catch (Exception e2) {
    JOptionPane.showMessageDialog(null, e2);
}
In my Login class, I have the following code:
String sql = "select * from user where username=? and password=?";
if (loginNameField.getText().equals("me") && passwordField.getText().equals("me")) {
    frmLoginWindow.dispose();
    new GridMain().setVisible(true);
} else {
    try {
        pst = conn.prepareStatement(sql);
        pst.setString(1, loginNameField.getText());
        pst.setString(2, passwordField.getText());
        rs = pst.executeQuery();
        if (rs.next()) {
            //JOptionPane.showMessageDialog(null, "Username and Password is correct ");
            rs.close();
            pst.close();
            // close();
            frmLoginWindow.dispose();
            new GridMain().setVisible(true);
        } else {
            JOptionPane.showMessageDialog(null, "Username and Password is not correct");
        }
    } catch (Exception e) {
        JOptionPane.showMessageDialog(null, e);
    } finally {
        try {
            rs.close();
            pst.close();
        } catch (Exception e) {}
    }
}
My encrypted passwords are saving successfully, but I need a way to match my login password with the encrypted password, since AES encryption does not give the same encrypted value even if you encrypt the same password.
Upvotes: 1
Views: 782
Reputation: 61952
AES is an encryption algorithm. You try to use it as a password hash algorithm. The problem is that encrypting the same thing several times will not yield the same result every time. The initialization vector (IV) introduces randomness into the process so that you will not get the same result twice.
You would need to decrypt the password to check it or switch to a password hashing algorithm such as PBKDF2. Keep in mind that AES produces binary data (byte[]) which you cannot simply convert to String. You need to encode it with something like Base64. This may also be necessary for the output of hashing functions.
Upvotes: 2