Storing passwords of external systems in encrypted form in the J2EE application

We have a J2EE application that interacts with several external systems. Each external system wants our application to be authenticated by username / password. Therefore, when we talk with an external system, we need to send a username / password. The problem is saving these passwords. We want to keep these passwords safe. Obviously, we cannot use MD5 to hash the password, because we need to send the password to an external system. Therefore, we need to encrypt the password.

  • Where to store the encrypted password. Database?
  • Where to store the encryption key?

What is the best practice for this particular problem?

+4
4 answers

I am not an expert, but I also have similar requirements. This article from security.stackexchange.com discusses the issue. The accepted answer provides alternatives. In short:

  • store them in the file system, which makes them vulnerable if someone gains access to the file system.
  • force the administrator to enter them at boot time
+1
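As an added example (not code from the question or from any of the answers), here is a minimal Java vault that follows the second alternative above: the encrypted external-system passwords live in a database column, and the master key is derived from a passphrase the administrator types in at startup, so no key material is written to disk. The class and method names, the PBKDF2 parameters and the choice of AES-GCM (an authenticated mode; the page does not prescribe one) are my assumptions, and the HashMap stands in for the database table.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class ExternalCredentialVault {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final SecretKeySpec masterKey;                    // lives only in JVM memory
    private final java.util.Map<String, String> table = new java.util.HashMap<>(); // stands in for a system_id -> base64(iv||ct) column

    // Derive the key from the passphrase the administrator types at startup; nothing key-like touches disk.
    public ExternalCredentialVault(char[] bootPassphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(bootPassphrase, salt, 200_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        masterKey = new SecretKeySpec(raw, "AES");
    }

    public void store(String systemId, char[] password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);                  // fresh IV per record; never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(systemId.getBytes(StandardCharsets.UTF_8)); // binds the ciphertext to its own row
        byte[] ct = c.doFinal(new String(password).getBytes(StandardCharsets.UTF_8));
        byte[] rec = java.nio.ByteBuffer.allocate(IV_BYTES + ct.length).put(iv).put(ct).array();
        table.put(systemId, Base64.getEncoder().encodeToString(rec));
    }

    public char[] load(String systemId) throws Exception {
        byte[] rec = Base64.getDecoder().decode(table.get(systemId));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, masterKey, new GCMParameterSpec(TAG_BITS, rec, 0, IV_BYTES));
        c.updateAAD(systemId.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(rec, IV_BYTES, rec.length - IV_BYTES); // AEADBadTagException if the row was tampered with or swapped
        return new String(pt, StandardCharsets.UTF_8).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt); // persist next to the table; the salt is not secret
        char[] pass = System.console() != null ? System.console().readPassword("Master passphrase: ") : "demo-only".toCharArray();
        ExternalCredentialVault v = new ExternalCredentialVault(pass, salt);
        v.store("billing-api", "s3cret".toCharArray());   // constructed sample credential
        System.out.println(new String(v.load("billing-api")));
    }
}
```

Someone who dumps the database sees only ciphertext and cannot decrypt it without the passphrase; the price is that every restart needs an operator at the console, which is exactly the trade-off the answer describes.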

.
AES-CBC, , IV, IV , IV . / -.

:

, .

+1

gpg / . , ( ), , , - , , .

+1

- . -, , . . :

  • , .
  • .
  • .
  • ( ), .
  • The server combines the verifier with the client credentials to obtain a common shared key.
  • The client combines the password with the server credentials to obtain a common shared key.
  • If the keys are identical, authentication was successful.

Since the password is not stored on the server and is not sent by the client, it cannot be stolen.

0

Source: https://habr.com/ru/post/1535317/