Encrypt sensitive data locally

3

I have to keep a username and password locally. I know it is not recommended and that it can be dangerous, but there is other validation data that comes from the user.

After that, the username and password are used to make a call to a REST API to get some statistical data; this REST API knows nothing about encryption. The call would be of the form obntenerEstadistica(admin,12345);

How can I encrypt a username and password stored locally so that they are difficult to access, and send them to the REST API in the safest way possible?

    
asked by JoCuTo 14.07.2017 at 12:25

4 answers

1

I recommend that you use SHA512; MD5 is a less secure algorithm, since there can be collisions between different Strings.

You pass two Strings to this method: the first is the password, user or whatever you want to encrypt; the second is a string that makes the result of the encryption method more random.

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public String get_SHA_512_SecurePassword(String passwordToHash, String salt) {
    String generatedPassword = null;
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        // Feed the salt first, then the password, so the digest covers salt || password.
        // StandardCharsets avoids the checked UnsupportedEncodingException of getBytes("UTF-8").
        md.update(salt.getBytes(StandardCharsets.UTF_8));
        byte[] bytes = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8));
        // Convert each byte to two lowercase hex digits
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < bytes.length; i++) {
            sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
        }
        generatedPassword = sb.toString();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    return generatedPassword;
}

Then, as you have been told in other answers, you only have to compare it with what is written in that file. Logically, the data in the file must already be encrypted, but anyone could read it. When you receive the data entered by the user, you encrypt it and compare it with what is written in the file.

Source: hash a password with sha 512 in java

EDITED

In case you have to encrypt and decrypt, use the class Cipher. This class provides cryptographic encryption and decryption.

An example:

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public static SecretKey generateKey(String password) throws NoSuchAlgorithmException
{
    // AES only accepts keys of 16, 24 or 32 bytes, so the password is hashed with SHA-256
    // to obtain a 32-byte key instead of using its raw bytes, which would fail with InvalidKeyException.
    byte[] keyBytes = MessageDigest.getInstance("SHA-256")
            .digest(password.getBytes(StandardCharsets.UTF_8));
    return new SecretKeySpec(keyBytes, "AES");
}

public static byte[] encryptMsg(String message, SecretKey secret) throws GeneralSecurityException
{
    /* Encrypt the message. ECB mode uses no IV: identical plaintext blocks give identical ciphertext blocks. */
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, secret);
    return cipher.doFinal(message.getBytes(StandardCharsets.UTF_8));
}

public static String decryptMsg(byte[] cipherText, SecretKey secret) throws GeneralSecurityException
{
    /* Decrypt the message with the same key; a wrong key or corrupted data throws BadPaddingException. */
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, secret);
    return new String(cipher.doFinal(cipherText), StandardCharsets.UTF_8);
}

To encrypt:

SecretKey secret = generateKey(password);
byte[] cipherText = encryptMsg(toEncrypt, secret);

To decrypt:

String plainText = decryptMsg(toDecrypt, secret);

You just have to save the encrypted data in a file and decrypt it before sending it. But keep in mind that from Android N on this class will be obsolete.

Sources: easy way to encrypt decrypt, security crypto provider deprecated (https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.htm)

    
answered by 14.07.2017 / 16:40
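The answer above stores the credentials with AES so they can be decrypted before the API call. Added example, not code from the answer or the question: the same round trip with the key derived (PBKDF2) from a passphrase the user types at startup (the "other validation data" the question mentions is assumed to play that role), AES-GCM instead of ECB so a modified file or a wrong passphrase is detected, and a fresh salt and IV stored in front of the ciphertext. Class and method names are my own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialVault {
    static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 100_000;
    // Derive a 256-bit AES key from the passphrase the user types at startup (assumed input, never stored).
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }
    // Blob layout: salt(16) || iv(12) || ciphertext+tag. Fresh salt and IV on every write.
    static byte[] seal(char[] passphrase, String plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }
    // Throws AEADBadTagException if the blob was modified or the passphrase is wrong.
    static String open(char[] passphrase, byte[] blob) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN], ct = new byte[blob.length - SALT_LEN - IV_LEN];
        ByteBuffer bb = ByteBuffer.wrap(blob);
        bb.get(salt); bb.get(iv); bb.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        char[] pass = "user-typed-secret".toCharArray(); // constructed sample passphrase
        byte[] blob = seal(pass, "admin:12345");         // this blob is what goes into the local file
        System.out.println(open(pass, blob));            // plaintext recovered just before the API call
        blob[blob.length - 1] ^= 1;                      // flip one bit of the GCM tag
        try { open(pass, blob); } catch (AEADBadTagException e) { System.out.println("tampered or wrong passphrase"); }
    }
}
```

Keep the passphrase only in memory (a char[] you can zero) and send the recovered credentials to the REST API over TLS only; the blob itself can sit on disk since it is useless without the passphrase.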
1

You have to perform a conversion of the password to SHA512, MD5 or another cryptographic algorithm (I recommend SHA512). All programming languages (at least the known ones) have a function to do this (or a library that adds the function).

Once you convert it (i.e., you enter abc.123 and the conversion gives you CF2407464CD2B6F80E03B88C90DE7215F1D50AF706E6688F4A5213FEDF517B265E0D6783C4B89D3366557D2C7110872645BCAF5FE8911ED24BE2B70E84261740), you put this information in your file, using whatever format you like. Example:

admin:CF2407464CD2B6F80E03B88C90DE7215F1D50AF706E6688F4A5213FEDF517B265E0D6783C4B89D3366557D2C7110872645BCAF5FE8911ED24BE2B70E84261740
manolo:8BC21C6948CDD3BD727E147FA850021126FF93A5DAB701A9E386EEB3849BE8E4A7296497F3BB99EC7113695D5FA8EF69B89D393FBED633C2FC8DB94D8E9378FA
julio:0C0173A1804AED151A95FBC024395DC46D08D127B8D030A81B7D7EC277A04E3CD20126CA57EFF0804BEB705191E49AA7ABD316F6B57A54617D39CFA65FE052EA

If someone obtains your file, they will only see user:hash (hash = the result of converting a string with SHA512, SHA2, MD5 ...).

With the hash you cannot do anything, since 'you cannot' revert the process; that is, you can convert abc.123 into your hash, but the hash cannot be converted back into abc.123.

Maybe you wonder how users authenticate. What you do (that is, when you want to check whether the password is correct) is receive the password from the user, 'abc.123', convert it to SHA512, MD5, etc. (whichever you have chosen) and check it against the file; if the hashes match, the password is correct.

You can perform the same process with the username.

    
answered by 14.07.2017 at 14:50
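The verification step this answer describes, as an added example that is not part of the answer: lines in the user:HASH format shown above are loaded into a table, the submitted password is hashed with SHA-512 to the same uppercase hex form, and the two strings are compared with MessageDigest.isEqual so the comparison time does not depend on how many leading characters match. The sample lines and the names HashFileCheck, load and verify are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class HashFileCheck {
    // SHA-512 of the text as uppercase hex, the same representation used in the file above.
    static String sha512Hex(String s) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-512").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Parse "user:HASH" lines into a lookup table; malformed lines are skipped.
    static Map<String, String> load(String[] lines) {
        Map<String, String> table = new HashMap<>();
        for (String line : lines) {
            int sep = line.indexOf(':');
            if (sep > 0) table.put(line.substring(0, sep), line.substring(sep + 1).trim());
        }
        return table;
    }

    // Hash what the user typed and compare with MessageDigest.isEqual, which does not stop at the
    // first differing byte. An unknown user still pays for one hash, so timing does not reveal
    // which usernames exist in the file.
    static boolean verify(Map<String, String> table, String user, String password) throws Exception {
        String stored = table.getOrDefault(user, "");
        byte[] candidate = sha512Hex(password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(candidate, stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file; the hashes are computed here only so the sample is self-consistent.
        String[] fileLines = { "admin:" + sha512Hex("abc.123"), "manolo:" + sha512Hex("otra.clave") };
        Map<String, String> table = load(fileLines);
        System.out.println(verify(table, "admin", "abc.123"));   // correct password
        System.out.println(verify(table, "admin", "abc.124"));   // wrong password
        System.out.println(verify(table, "nadie", "abc.123"));   // unknown user
    }
}
```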
0

If you do not want the user and password to be readable as "letters" when you save them in a file or similar, what you could do is convert them to base 64.

A user like "usuario" would become something like "dXN1YXJpbw=="

For this you can use:

public static string ToBase64(string cadena)
{
    // Encode the UTF-8 bytes of the text as Base64
    var textBytes = System.Text.Encoding.UTF8.GetBytes(cadena);
    return System.Convert.ToBase64String(textBytes);
}

public static string FromBase64(string cadenaCodificada)
{
    // Decode the Base64 text back into the original string (the parameter name must match the one used)
    var base64EncodedBytes = System.Convert.FromBase64String(cadenaCodificada);
    return System.Text.Encoding.UTF8.GetString(base64EncodedBytes);
}
    
answered by 14.07.2017 at 12:33
0

You can save the data to MD5 with the following function:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public static final String md5(final String s) {
    final String MD5 = "MD5";
    try {
        // Create MD5 Hash (explicit charset so the result does not depend on the platform default)
        MessageDigest digest = MessageDigest.getInstance(MD5);
        digest.update(s.getBytes(StandardCharsets.UTF_8));
        byte[] messageDigest = digest.digest();

        // Create Hex String, padding each byte to two digits
        StringBuilder hexString = new StringBuilder();
        for (byte aMessageDigest : messageDigest) {
            String h = Integer.toHexString(0xFF & aMessageDigest);
            while (h.length() < 2)
                h = "0" + h;
            hexString.append(h);
        }
        return hexString.toString();

    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    return "";
}

When encrypting, MD5 is the best there is, although you cannot decrypt it; you have to compare the encoded data, and if the two hashes match they are the same data (there are very few matches).

    
answered by 14.07.2017 at 12:41