cayenne-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Malcolm Edgar <malcolm.ed...@gmail.com>
Subject Re: How to work on encryption/decryption
Date Tue, 16 Oct 2012 09:49:39 GMT
Please also look at Apache Shiro, it provides very nice wrappers around JCE and incorporates
crypto best practices.

Regards Malcolm Edgar

Sent from my iPad

On 06/10/2012, at 1:20 AM, Mike Kienenberger <mkienenb@gmail.com> wrote:

> I have always done my encryption at the application level.
> 
> I think there are a number of reasons why this makes the most sense.
> 
> Here are some tips from my past experience:
> 
> 1) clump multiple kinds of data together, and/or randomly add data.
> Encrypting a single field value by itself generally doesn't provide
> enough variation to be secure.
> 
> For example, rather than encrypting a credit card number in one place
> and an expiration date in another, encrypt all logical fields into one
> physical field.   I actually go a step further and encrypt all
> credit-card-related sensitive information which yields a long string.
>  You can then randomly add data to the beginning, end, and middle of
> your data string to further secure it either before encrypting, after
> encrypting, or both.
> 
> 2) Prefix your encrypted data string with versioning information.
> At some point, you are going to need to change your encryption.   It's
> a lot easier to do this, if which algorithm to use is part of the
> data.    You can then provide backwards compatibility for older data
> until such time, if ever, that you re-encrypt it using a newer
> algorithm.   You might need to do this because of a defect in your
> algorithm, because you've added new data fields, or because you need
> to replace your encryption key.
> 
> 3) Remember that encrypted fields cannot be searched or sorted in the
> database, and that providing a search index of any kind will weaken
> your encryption.   This is the tradeoff of encrypting data.
> 
> 4) Remember to only work with the decrypted data as character arrays,
> not as Strings, once you've pulled it out, to avoid it sticking around
> in memory.
> 
> Here's a broad overview of the important methods you'd want to
> implement.  It will take some work to provide your own implementation,
> and for obvious reasons, I will not provide mine, but it will give you
> a very flexible system when you are finished.
> package utilities.encryption;
> 
> public class DataBlockEncryptionManager {
>    protected String findVersion(String encryptedData)
>        throws EncryptionException
>    {
>    }
> 
>    /**
>     * Find and decrypt item in encrypted data block.
>     *
>     * @param encryptedData
>     * @param itemIndex from 0 to last item
>     * @return char array containing decrypted item, may be null if no
> data in block.
>     * @throws EncryptionException
>     */
>    public char[] decryptDataBlock(String encryptedData, int itemIndex)
>        throws EncryptionException
>    {
>    }
> 
>    /**
>     * encrypt item in encrypted data block.
>     *
>     * @param encryptedData String containing previous encrypted block,
> null to create new block
>     * @param itemIndex from 0 to last item of item to encrypt
>     * @param newValue to add to block
>     * @return String containing encrypted block
>     * @throws EncryptionException
>     */
>    public String encryptDataBlock(String encryptedData, int itemIndex,
> char[] newValue)
>        throws EncryptionException
>    {
>    }
> }
> 
> 
> And write some tests to prove that these work for all kinds of
> different situations.  Something like permutations of the following:
> 
>    public void test_encryptDataBlockThenDecrypt() throws EncryptionException
>    {
>        String encryptedData = null;
> 
>        char[] value1 = "The quick brown fox jumped".toCharArray();
>        String encryptedData2 = instance.encryptDataBlock(encryptedData,
> 0, value1);
>        
>        char[] value2 = "over the".toCharArray();
>        encryptedData2 = instance.encryptDataBlock(encryptedData2, 1, value2);
>        
>        char[] value3 = "lazy dog".toCharArray();
>        encryptedData2 = instance.encryptDataBlock(encryptedData2, 2, value3);
>        
>        char[] value1D = instance.decryptDataBlock(encryptedData2, 0);
>        ArrayAssert.assertEquals(value1, value1D);
>        
>        char[] value2D = instance.decryptDataBlock(encryptedData2, 1);
>        ArrayAssert.assertEquals(value2, value2D);
>        
>        char[] value3D = instance.decryptDataBlock(encryptedData2, 2);
>        ArrayAssert.assertEquals(value3, value3D);
>    }
> 
> 
> 
> 
> On Fri, Oct 5, 2012 at 10:37 AM, kadali narendra
> <narendra_eng@hotmail.com> wrote:
>> 
>> Hi All,
>> 
>> I would like to know is there any way Cayenne supports MySQL DB encryption/decryption
seamlessly. Or else is there any third party libraries like Jasypt is available, which we
can use for encryption purpose.
>> 
>> I know Jasypt can be integrated with Hibernate for encrypting/decrypting the data
stored in db thus providing db independence. So I don't have to worry about on which db vendor
I am using when deploying my application. I am looking similar kind of libraries which is
available for Cayenne.
>> 
>> If any one happens to know such libraries please let me know. And also please share
your thoughts on encryption process on db + using cayenne.
>> 
>> Thanks in advance for your help! :)
>> 
>> - Naren
>> 

Mime
View raw message