Nabble - Jasypt - Users

Re: Spring with Jasypt - Decryption not working

2009-11-05T17:07:40Z

No, I'm just using the unsecure password still...

hoffmandirt wrote:

Did you get this working? I am experiencing the same problem.

Re: Spring with Jasypt - Decryption not working

2009-11-05T08:38:17Z

Did you get this working? I am experiencing the same problem.

Re: cannot find my registered string encryptor

2009-10-29T01:12:57Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

Problem fixed... for those who are curious, it looks like the problem is just that my application context files couldn't be loaded when running my JUnit test because they weren't in the classpath.

My solution was to copy the application context file to the same folder as my JUnit test, and then manually set the classpatch to include that file.

Not the most elegant solution, but it does work. Still on the lookout for something that won't force me to copy the applicationContext file.

On Wed, Oct 28, 2009 at 8:12 PM, Stephen Dewey <stepheneliotdewey@...> wrote:

I have looked all over the web but can't seem to find anything addressing a situation like this...

I have a simple column that I am trying to encrypt. I have specified the type as encrypted in the .hbm.xml file associated with the POJO itself, where I provide the name of the registered encryptor in the typedef element.

If I register the encryptor within the code itself (i.e. by executing actual Java code to register the encryptor), everything works and my stuff is saved encrypted.

However, if instead of executing Java code, I simply place a bean in applicationContext.xml (or applicationContext-dao.xml in my case), and simply copy that XML bean in, I get an error "No string encryptor registered for hibernate with name 'jasyptHibernateEncryptor'"

I am following the instructions laid out at:
http://www.jasypt.org/hibernate3.html

There isn't a spelling error or anything. Any idea what I should look for?

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

cannot find my registered string encryptor

2009-10-28T17:12:22Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

I have looked all over the web but can't seem to find anything addressing a situation like this...

I have a simple column that I am trying to encrypt. I have specified the type as encrypted in the .hbm.xml file associated with the POJO itself, where I provide the name of the registered encryptor in the typedef element.

If I register the encryptor within the code itself (i.e. by executing actual Java code to register the encryptor), everything works and my stuff is saved encrypted.

However, if instead of executing Java code, I simply place a bean in applicationContext.xml (or applicationContext-dao.xml in my case), and simply copy that XML bean in, I get an error "No string encryptor registered for hibernate with name 'jasyptHibernateEncryptor'"

I am following the instructions laid out at:
http://www.jasypt.org/hibernate3.html

There isn't a spelling error or anything. Any idea what I should look for?
------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

MD5 issue 1: how to increase interations without impact on the existing

2009-10-27T19:05:51Z

Hi ,

I am using jasypt's MD5 for encoding password of user for past few months. I am wondering what is default value for interations. I think if I increase the value of interations,(e.g. may be 10000) it shall be affect my existing application. are there have any advice on it?

Thanks in advance.

How to encrypt/decrypt creditcard numbers in a database?

2009-10-21T23:43:20Z

Hi,

Any one can please give an example with configuration details for encrpting the credit card number in a database and decryting from the database.

Thanks,
Koti

NoClassDefFoundError displayed when running encrypt.sh

2009-10-21T07:57:12Z

I tried to run encrypt.sh file in cygwin. I used the following command

./encrypt.sh input="this is message" password=MY_PASSWORD verbose=false

I am getting the below error message in cygwin. Please let me know the classpath entries to run this file and how i need to set it.

vmuser@vmware01 /tmp/jasypt-1.5/bin
$ ./encrypt.sh input="this is message" password=MY_PASSWORD verbose=false
Exception in thread "main" java.lang.NoClassDefFoundError: org/jasypt/intf/cli/J
asyptPBEStringEncryptionCLI
Caused by: java.lang.ClassNotFoundException: org.jasypt.intf.cli.JasyptPBEString
EncryptionCLI
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
Could not find the main class: org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI.
Program will exit.

Decrypting Jasypt PBE encrypted data in a windows app

2009-10-13T10:12:46Z

The company I work for had a portal written for them that is written in Java. They are using Jasypt PBE to encrypt birtdates, driver's license numbers and social security numbers. I need to decrypt this data from a windows application that I am writing (not in Java). I am attempting to use an ActiveX control from Chilkat to do the decryption (and encryption) in this application. I am unable to figure out how to go about the decryption and the people who wrote the portal are not all that helpful.

I believe the data in the database has the "salt" appended to the front of the encrypted data. It is supposed to be base64 encoded. I know the password used to encrypt it. The people who wrote the portal said that they think the first 8 characters of the encrypted data string is the salt. They think I need to base64 decode the data, then use the first 8 characters as the salt and the remaining data as the data to be decrypted. They think the iteration count is 1000. (Which I don't think I need to decrypt. That is only used when generating a new salt, right?) They said Jasypt uses "PBEWithMD5AndDES", which I'm thinking means MD5 hash algorithm for the salt generation and DES for the actual data encryption algorithm.

There appears to be 2 versions of PBE encryption and they can't tell me which one is being used. They don't know what the key length should be (they think it might be 128).

I've tried every combination of parameters that I can come up with but I am getting no where on this and I've spent many days on it already. Can anybody point me in the right direction?

Is there an ActiveX control available that handles this for me in the same manner that it is done in Java?

I have used the Jasypt CLI and it works for my testing but is not a viable solution for the production environment.

Thanks for your time and consideration,

Larry

Re: Database encryption and fields/columns that need to be decrypted

2009-10-10T13:37:54Z

I looked at the following article which shows how Jasypt does database encryption with Hibernate:
http://jasypt.org/hibernate3.html

Under the section "Providing the encryptor to Hibernate", there are two options": Using Spring and Without Spring. In the examples Using Spring the password for the encryptor is stored in the spring bean definition. Is that not a security hole? Where should it be stored, as an environmental variable and then read in? Security-wise, is that sufficient?

In the example Without Spring, there is no password at all. Should there be? Where should it be stored (to comply with security standards)?

To summarize, the use case I have is:

1. encrypt user passwords
2. encrypt other sensitive data, like social security numbers, names, and bank account numbers.

With regards to 2, the reason for encrypting this data ((like social security numbers, and bank account numbers) is if someone runs off with the box, he/she could not do anything with the data. This data, however would still need to be decrypted by the application so it can be used (or presented to the user). Where should this encryption/decryption key be stored? How does this work with Jasypt (the guide states that encrypted attributes/properties cannot be used as part of projection queries (SUM, MAX, ..) as this is done on the database before decryption by hibernate, and cannot also be part of an ORDER BY clause). I guess they can be used with the WHERE clause, as long as a fixed salt generator is used?

Thanks!

Database encryption and fields/columns that need to be decrypted

2009-10-10T10:45:29Z

Hello,

I'm currently investigating encrypting certain database columns, such as user passwords and other sensitive data such as usernames and social security numbers. The (java) application uses Hibernate and a MySQL database on the backend.

The use case is, username, password, and social security are stored in the database. According to the Jasypt documentation, one should never be able to decrypt the password (the code should just compare digests). That makes sense for passwords. What about for other data, like usernames and social security numbers? This is data that we'll want to encrypt in the database, but would also need to be retrieved. Where would/should the encryption key be stored (so if someone hacks through the system, they cannot decrypt this information from the database)?

Jasypt seems to handle this, but I wanted to confirm with the following, more specific questions:

1. In the application code (business logic), what will this code be working with? More specifically, as mentioned in the article below for encrypting user passwords, it says "you should not even have a way to get to read/know/see your users' passwords, no matter if you are the system administrator". I understand that for passwords, but for other data, like social security numbers or usernames, we'll want to make sure that the data stored in the database is encrypted, but that we can obtain the original data (username and social security number). How does Jasypt handle this, or more importantly, how should this be handled in the application (using Jasypt)?

http://jasypt.org/howtoencryptuserpasswords.html

2. If we use Jasypt to encrypt the database column for the user password using a one way digest method, there is no way of someone gaining access to the original password (as you explained in that article).

With regards to the usernames and passwords, these too can be encrypted in the database, but since we need to be able decrypt this information, wouldn't an encryption key need to be stored somewhere (like in the application layer)? Where should this encryption key be stored, so if someone were to hack through the system, they couldn't decrypt these fields? Or maybe there is a better way to do this?

Thanks in advance (and sorry for what could be obvious).

HMAC support

2009-10-08T23:42:09Z

Hi all

First of all thanks to you for jasypt, it indeed simplifies many of the chores on encryption for everyday usage.

In my current project one thing I need to do is to create keyed MACs or HMACs, in paticular SHA-1 HMAC as needed for example for OAuth http://oauth.net/core/1.0a

I couldn't find support for hmacs in javasypt but perhaps I'm not looking well enough. Would an hmac be the same as normal digestor with a given salt?

Regards
Carlos Quiroz

using jasypt salt and storing the salt in the db

2009-10-06T11:26:14Z

Hi -
I am currently using jasypt to encrypt my users' passwords, but am not using a salt. From what I've read, if I call passwordEncryptor.setPlainDigest(false), where passwordEncryptor is the ConfigurablePasswordEncryptor instance, a salt and iteration count will be used automatically. This sounds fine, but I also believe I will need to store the salt with the account's username and salted hash (hashed salt+password), so that users may be authenticated when they log in. I haven't seen a very clear example or explanation on how to do this. Can someone point me to a simple example on not only how to apply a salt automatically using jasypt, but going further and getting a handle to the salt so it can be stored in the db? Thank you.

Re: (no subject)

2009-09-15T18:22:45Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

both any DES and any md5 are stricly meant broken and can smoothly tunnel to stronger, I heard and inform, sha or rsa are strongest (rsa you can claim copyright Euclid). integrate with maven is very convenient, build activates download:
<dependency>
<groupId>org.jasypt</groupId>
<artifactId>jasypt</artifactId>
<version>1.3</version>
<scope>compile</scope>
</dependency>
variable algorithm is very good forwardcompatible pattern, like math.h any functions returns, any function has variables and providerindependent line seems
passwordEncryptor.encryptPassword(userPassword);
thanks to all, project succeds even the likely
code disponible montao.googlecode.com
spanish m.Koolbusiness.com?hl=es

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

Re: (no subject)

2009-09-15T09:40:24Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

The algorithms are provided by your JCE implementation, not jasypt. So you should query your JCE directly and see what's available for you in your providers.

Regards,
Daniel.

On Tue, Sep 15, 2009 at 6:07 PM, Mike Baranski <list-subscriptions@...> wrote:

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

Wonderful, thanks for the help. Is there an algorithm list somewhere? I
looked for it but could not find one (even in the javadocs).

Thanks,
Mike.

>-----Original Message-----
>From: Daniel Fernández [mailto:dfernandez@...]
>Sent: Tuesday, September 15, 2009 11:40 AM
>To: Jasypt users list
>Subject: Re: [jasypt-users] (no subject)
>
>
>TripleDES is not a valid PBE algorithm.
>
>You should be using something like PBEWithMD5AndTripleDES, as is used in
>some examples in the website.
>
>Regards,
>Daniel
>
>
>
>On Tue, Sep 15, 2009 at 4:41 PM, Mike Baranski <list-
>subscriptions@...> wrote:
>
>
> +------------------------+
> Jasypt Users List
> http://www.jasypt.org
> +------------------------+
> I'm having the following problem, note that I have downloaded and
>installed
> (per the readme file) the new jars for "Strong" encryption. Can
>someone
> suggest what I might be doing wrong (I added the JAVA_HOME echo to
>the shell
> script)?
>
> [root@sirrus bin]# ./encrypt.sh input="informix"
>password="SMCsecur3"
> algorithm="TripleDES"
> Java Home: /usr/java/latest
>
> ----ENVIRONMENT-----------------
>
> Runtime: Sun Microsystems Inc. Java HotSpot(TM) Client VM
>1.6.0_02-b05
>
>
>
> ----ARGUMENTS-------------------
>
> algorithm: TripleDES
> input: informix
> password: SMCsecur3
>
>
>
> ----ERROR-----------------------
>
> java.security.spec.InvalidKeySpecException: Inappropriate key
>specification
>
>
> ------------------------------------------------------------------
>------------
> Come build with us! The BlackBerry® Developer Conference in
>SF, CA
> is the only developer event you need to attend this year.
>Jumpstart your
> developing skills, take BlackBerry mobile applications to market
>and stay
> ahead of the curve. Join us from November 9-12, 2009. Register
>now!
> http://p.sf.net/sfu/devconf
> _______________________________________________
> jasypt-users mailing list
> jasypt-users@...
> https://lists.sourceforge.net/lists/listinfo/jasypt-users
>
>

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

Re: (no subject)

2009-09-15T09:07:32Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+
Wonderful, thanks for the help. Is there an algorithm list somewhere? I
looked for it but could not find one (even in the javadocs).

Thanks,
Mike.

>-----Original Message-----
>From: Daniel Fernández [mailto:dfernandez@...]
>Sent: Tuesday, September 15, 2009 11:40 AM
>To: Jasypt users list
>Subject: Re: [jasypt-users] (no subject)
>
>
>TripleDES is not a valid PBE algorithm.
>
>You should be using something like PBEWithMD5AndTripleDES, as is used in
>some examples in the website.
>
>Regards,
>Daniel
>
>
>
>On Tue, Sep 15, 2009 at 4:41 PM, Mike Baranski <list-
>subscriptions@...> wrote:
>
>
> +------------------------+
> Jasypt Users List
> http://www.jasypt.org
> +------------------------+
> I'm having the following problem, note that I have downloaded and
>installed
> (per the readme file) the new jars for "Strong" encryption. Can
>someone
> suggest what I might be doing wrong (I added the JAVA_HOME echo to
>the shell
> script)?
>
> [root@sirrus bin]# ./encrypt.sh input="informix"
>password="SMCsecur3"
> algorithm="TripleDES"
> Java Home: /usr/java/latest
>
> ----ENVIRONMENT-----------------
>
> Runtime: Sun Microsystems Inc. Java HotSpot(TM) Client VM
>1.6.0_02-b05
>
>
>
> ----ARGUMENTS-------------------
>
> algorithm: TripleDES
> input: informix
> password: SMCsecur3
>
>
>
> ----ERROR-----------------------
>
> java.security.spec.InvalidKeySpecException: Inappropriate key
>specification
>
>
> ------------------------------------------------------------------
>------------
> Come build with us! The BlackBerry® Developer Conference in
>SF, CA
> is the only developer event you need to attend this year.
>Jumpstart your
> developing skills, take BlackBerry mobile applications to market
>and stay
> ahead of the curve. Join us from November 9-12, 2009. Register
>now!
> http://p.sf.net/sfu/devconf
> _______________________________________________
> jasypt-users mailing list
> jasypt-users@...
> https://lists.sourceforge.net/lists/listinfo/jasypt-users
>
>

Re: (no subject)

2009-09-15T08:39:45Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

TripleDES is not a valid PBE algorithm.

You should be using something like PBEWithMD5AndTripleDES, as is used in some examples in the website.

Regards,
Daniel

On Tue, Sep 15, 2009 at 4:41 PM, Mike Baranski <list-subscriptions@...> wrote:

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+
I'm having the following problem, note that I have downloaded and installed
(per the readme file) the new jars for "Strong" encryption. Can someone
suggest what I might be doing wrong (I added the JAVA_HOME echo to the shell
script)?

[root@sirrus bin]# ./encrypt.sh input="informix" password="SMCsecur3"
algorithm="TripleDES"
Java Home: /usr/java/latest

----ENVIRONMENT-----------------

Runtime: Sun Microsystems Inc. Java HotSpot(TM) Client VM 1.6.0_02-b05

----ARGUMENTS-------------------

algorithm: TripleDES
input: informix
password: SMCsecur3

----ERROR-----------------------

java.security.spec.InvalidKeySpecException: Inappropriate key specification

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

(no subject)

2009-09-15T07:41:31Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+
I'm having the following problem, note that I have downloaded and installed
(per the readme file) the new jars for "Strong" encryption. Can someone
suggest what I might be doing wrong (I added the JAVA_HOME echo to the shell
script)?

[root@sirrus bin]# ./encrypt.sh input="informix" password="SMCsecur3"
algorithm="TripleDES"
Java Home: /usr/java/latest

----ENVIRONMENT-----------------

Runtime: Sun Microsystems Inc. Java HotSpot(TM) Client VM 1.6.0_02-b05

----ARGUMENTS-------------------

algorithm: TripleDES
input: informix
password: SMCsecur3

----ERROR-----------------------

java.security.spec.InvalidKeySpecException: Inappropriate key specification

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

Jasypt used with Java binding in eXist

2009-09-11T02:28:40Z

Hi,

I am using Jasypt with Java binding in eXist. The script is:

declare namespace criptare = "java:org.jasypt.encryption.pbe.StandardPBEStringEncryptor";

let $constructorCriptare := criptare:new()

let $adaugareParola := criptare:setPassword($constructorCriptare, 'password')

let $textDeCriptat := 'text for encryption'

return criptare:encrypt($constructorCriptare, 'text for encryption')

But I got the following error:
exception while calling constructor public org.jasypt.encryption.pbe.StandardPBEStringEncryptor(): null

What do you think?

Thanks,
Claudius

Running on AS400 Java1.4 - Jasypt - ExceptionInInitializerError

2009-09-08T09:07:07Z

Hi I have put together a small text encryption test and it runs OK on my PC.

When I export the same to my AS400 I get the following.

org.jasypt.exceptions.EncryptionInitializationException: java.lang.ExceptionInInitializerError
at java.lang.Throwable.<init>(Throwable.java:180)
at java.lang.Exception.<init>(Exception.java:29)
at java.lang.RuntimeException.<init>(RuntimeException.java:32)
at org.apache.commons.lang.exception.NestableRuntimeException.<init>(NestableRuntimeException.java:73)
at org.jasypt.exceptions.EncryptionInitializationException.<init>(EncryptionInitializationException.java:43)
at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.initialize(StandardPBEByteEncryptor.java:466)
at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.initialize(StandardPBEStringEncryptor.java:466)
at com.sdip.adkcm.EncryptTest.main(EncryptTest.java:11)
Caused by: java.lang.ExceptionInInitializerError
at java.lang.Throwable.<init>(Throwable.java:180)
at java.lang.Error.<init>(Error.java:37)
at java.lang.ExceptionInInitializerError.<init>(ExceptionInInitializerError.java:61)
at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
... 3 more
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
at java.lang.Throwable.<init>(Throwable.java:195)
at java.lang.Exception.<init>(Exception.java:41)
at java.lang.RuntimeException.<init>(RuntimeException.java:43)
at java.lang.SecurityException.<init>(SecurityException.java:32)
at javax.crypto.b.<clinit>(Unknown Source)
... 4 more
Caused by: java.lang.SecurityException: Cannot locate policy or framework files!
at java.lang.Throwable.<init>(Throwable.java:195)
at java.lang.Exception.<init>(Exception.java:41)
at java.lang.RuntimeException.<init>(RuntimeException.java:43)
at java.lang.SecurityException.<init>(SecurityException.java:32)
at javax.crypto.b.a(Unknown Source)
at javax.crypto.b.g(Unknown Source)
at javax.crypto.b£0.run(Unknown Source)
... 5 more

Did I miss something - my env on the as400 is the same as the PC..

Thanks

Kev

Re: Encryption using command line

2009-08-30T06:02:58Z

Solved by installing java 1.6.

claud108 wrote:

Hi,

I was using the command
./encrypt.sh input="This is my message to be encrypted" password=MYPAS_WORD

but I get the error
----ERROR-----------------------

java.lang.NoClassDefFoundError: com.ibm.icu.text.Normalizer

I use debian lenny

Thanks,
Claudius

[SOLVED] Encryption using command line

2009-08-11T10:46:04Z

Hi,

I was using the command
./encrypt.sh input="This is my message to be encrypted" password=MYPAS_WORD

but I get the error
----ERROR-----------------------

java.lang.NoClassDefFoundError: com.ibm.icu.text.Normalizer

I use debian lenny

Thanks,
Claudius

Exception in unit test

2009-08-11T07:54:31Z

Hi

I am a newbee to Jasypt, and want to use Jasypt with Spring + Hibernate.

My configuration fails for some reasoun i can not figure out.

Here is my config:

applicationContext-hibernate.xml
<bean id="strongEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="algorithm">
<value>PBEWithMD5AndTripleDES</value>
</property>
<property name="password">
<value>jasypt</value>
</property>
</bean>

<bean id="hibernateStringEncryptor" class="org.jasypt.hibernate.encryptor.HibernatePBEStringEncryptor">
<property name="registeredName">
<value>strongHibernateStringEncryptor</value>
</property>
<property name="encryptor">
<ref bean="strongEncryptor" />
</property>

My User.java file:

@Entity
@Table(name = "user_t")
@TypeDef(name = "encryptedPassword", typeClass = EncryptedStringType.class, parameters = { @Parameter(name = "encryptorRegisteredName", value = "myHibernateStringEncryptor") })
public class User extends BaseObject {
...
@Type(type = "encryptedPassword")
@Column(name = "password", nullable = false, length = 100, unique = false)
private String password;
...}

I have added jasypt.jar + jasypt-hibernate.jar to the classpath(using maven).

I also added the icu4j.jar to the classpath due to error when running.

I am trying to get a user from the database by unit test, without having special
configuration loading the jasypt spring beans.

Also i am not sure if i need a environment variable with a password with the given setup i have.

I have tried searching and googling the error without any help

But running the unit test gives me this error:
org.jasypt.exceptions.EncryptionOperationNotPossibleException
at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:742)
at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:639)
at org.jasypt.hibernate.type.AbstractEncryptedAsStringType.nullSafeGet(AbstractEncryptedAsStringType.java:144)
at org.hibernate.type.CustomType.nullSafeGet(CustomType.java:105)
at org.hibernate.type.AbstractType.hydrate(AbstractType.java:81)
at org.hibernate.persister.entity.AbstractEntityPersister.hydrate(AbstractEntityPersister.java:2092)
at org.hibernate.loader.Loader.loadFromResultSet(Loader.java:1371)
at org.hibernate.loader.Loader.instanceNotYetLoaded(Loader.java:1299)
at org.hibernate.loader.Loader.getRow(Loader.java:1197)
at org.hibernate.loader.Loader.getRowFromResultSet(Loader.java:568)
at org.hibernate.loader.Loader.doQuery(Loader.java:689)
at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:224)
at org.hibernate.loader.Loader.doList(Loader.java:2211)
at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2095)
at org.hibernate.loader.Loader.list(Loader.java:2090)
at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:375)
at org.hibernate.hql.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:338)
at org.hibernate.engine.query.HQLQueryPlan.performList(HQLQueryPlan.java:172)
at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1121)
at org.hibernate.impl.QueryImpl.list(QueryImpl.java:79)
at org.springframework.orm.hibernate3.HibernateTemplate$30.doInHibernate(HibernateTemplate.java:926)
at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
at org.springframework.orm.hibernate3.HibernateTemplate.find(HibernateTemplate.java:917)
at org.appfuse.dao.hibernate.UserDaoHibernate.getByUserName(UserDaoHibernate.java:72)
at org.appfuse.dao.BaseDaoTestCase.onSetUp(BaseDaoTestCase.java:113)
at org.springframework.test.AbstractSingleSpringContextTests.setUp(AbstractSingleSpringContextTests.java:103)
at junit.framework.TestCase.runBare(TestCase.java:132)
at org.springframework.test.ConditionalTestCase.runBare(ConditionalTestCase.java:76)
at junit.framework.TestResult$1.protect(TestResult.java:110)
at junit.framework.TestResult.runProtected(TestResult.java:128)
at junit.framework.TestResult.run(TestResult.java:113)
at junit.framework.TestCase.run(TestCase.java:124)
at junit.framework.TestSuite.runTest(TestSuite.java:232)
at junit.framework.TestSuite.run(TestSuite.java:227)
at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:45)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)

Hope someone has an explanation...

Best Regards
Cem

Help : My data is not being encrypted

2009-08-10T00:10:41Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

Hi.

I have posted a topic, but now joined the mailing list, so am reposting it. I am trying to decrypt data in a MySQL database in a JBoss Seam and JSF application. What has been done thus far. I added the following jars in the application.xl file
lib/jasypt-1.5.jar
lib/commons-lang-2.1.jar
lib/commons-codec-1.3.jar
lib/icu4j-3.4.4.jar

The initializer class has also been added to the start up. The code as follows :

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentPBEConfig;
import org.jasypt.hibernate.encryptor.HibernatePBEEncryptorRegistry;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.log.Log;

@Name("initializer")
public class Initializer {

    @Logger Log log;

     @Observer("org.jboss.seam.postInitialization")
     public void initializeJasypt() {
     try {
             log.info("Initializing Jasypt String Encryptor");
             StandardPBEStringEncryptor strongEncryptor =
                 new StandardPBEStringEncryptor();
             EnvironmentPBEConfig config = new EnvironmentPBEConfig();
             config.setPasswordEnvName("jasypt_password");
             strongEncryptor.setConfig(config);
             HibernatePBEEncryptorRegistry registry =
                 HibernatePBEEncryptorRegistry.getInstance();
             registry.registerPBEStringEncryptor("myHibernateStringEncryptor", strongEncryptor);
     } catch (Exception e) {
        e.printStackTrace();
    }

        }
}

And in my entity, just to test, I have done on one field (usually the requirement would be to encrypt the whole database)

@TypeDef(
        name="encryptedString",
        typeClass=EncryptedStringType.class,
        parameters={@Parameter(name="encryptorRegisteredName",
                               value="myHibernateStringEncryptor")}
    )

@NotNull(message="Name is required")
    @Length(min=2, max=45, message="Name must be 2 to 45 characters long")
    @Column(name="name")
    @Type(type="encryptedString")
    public String getName() {
        return name;
    }

I put the following in the run.sh of jboss.
# export jasypt_password="mysecretpassword"

since I am starting jboss up using the eclipse "Server".

I have deleted all the data in the entity mentioned above. When I create the entry in the database, the field is not encrypted.

any help with this would be highly appreciated.

Thanks

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

How to search on encrypted field if encrypted using fixed salt generator

2009-07-29T17:32:12Z

hi everyone,

i've seen postings saying that the only way you can search on an encrypted field is if you use a fixed salt generator. i've configured everything correctly (as far as i can tell) using jayspt and hibernate. i've confirmed that i can create records with the encrypted field and believe that the fixed salt generator is working because i created multiple records with the same value and the encrypted string value is the same.

my problem is searching via the hibernate query language. i tried searching on using the unencrypted value and keep getting 0 results. so my question is, now that i've used the fixed salt generator, what does my hibernate query have to look like in order to search on the encrypted field??

thanks
-s

Re: Password length with BouncyCastle AES

2009-07-26T03:21:16Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+
subversion wrote:

> +------------------------+
> Jasypt Users List
> http://www.jasypt.org
> +------------------------+
>
> I have same problem too. System was complaining that the java virtual machine
> does not have unlimited JCE policy but I do have installed the policy.
>
> Any clue?
>
>
>

I remember many years ago while I was using BouncyCastle that you needed
to edit the policy file found in your $JAVA_HOME folder and set the
policy to be "unlimited". I am sure you can find more information on
exactly how you can do this by googling abit. I cannot remember from the
top of my head.

Shervin

------------------------------------------------------------------------------
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

Re: Password length with BouncyCastle AES

2009-07-24T10:29:23Z

I have same problem too. System was complaining that the java virtual machine does not have unlimited JCE policy but I do have installed the policy.

Any clue?

MakkaPakka wrote:

I'm trying to use Jasypt with Bouncy Castle AES and want to clarify what size password I should/can use.

I've looked at StandardPBEByteEncyptor and it does PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password.toCharArray()) so I would assume I can use any length password.

However, anything greater than 7 chars doesn't work.

Here's the tester code.....

private static final void determinePasswordLength() {
Security.addProvider(new BouncyCastleProvider());
final StringBuilder sb = new StringBuilder();
for (int i = 0; i < 1000; ++i) {
sb.append(i);
final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
encryptor.setAlgorithm("PBEWITHSHA256AND128BITAES-CBC-BC");
encryptor.setPassword(sb.toString());
try {
encryptor.encrypt("stuff");
System.out.println(sb + " works");
} catch (final EncryptionOperationNotPossibleException e) {
// System.out.println(sb + " fails");
}
}
}

So I'm guessing there's something I don't understand somewhere, is it to do with the use of SHA? I've tried SHA and SHA256 and I still get the same result.

More importantly, how secure is this? I would generally expect to be able to use longer passwords so as to increase the entropy.

Thanks for any help you can give.

Re: hibernate and jasypt: password is saved?

2009-07-23T08:47:40Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+
Hi,

There are several options:
- provide encryption pwd in properties file (readable for all)
- provide encryption pwd as system property: than you have it somewhere in the start scripts of your application, again readable for all
- provide encryption pwd in class file: You may think of providing an implementation of org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig
- provide encryption pwd in java keystore: not perfect but pretty good choice
- manual input on startup: probably most secure but than you cannot start your app server automatically

What to do is an endless debate and depends strongly on your requirenments - as allways. See for example this page (http://www.j2eegeek.com/blog/2005/08/22/are-clear-text-passwords-better-than-2-way-encrypted-passwords/) for a snipet of this discussion.

Hope this helps

Greetings Wolf

-----Ursprüngliche Nachricht-----
Von: GhostPa [mailto:peppe.fabio@...]
Gesendet: Donnerstag, 23. Juli 2009 15:53
An: jasypt-users@...
Betreff: [jasypt-users] hibernate and jasypt: password is saved?

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

Hi All,
I am newbie of jasypt.
I Have a question.
It 's need to store password used for crypting method in my web application
or user juat insert password in runtime?
Thanks all.
--
View this message in context: http://www.nabble.com/hibernate-and-jasypt%3A-password-is-saved--tp24626193s21332p24626193.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.

------------------------------------------------------------------------------
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

------------------------------------------------------------------------------
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

Re: data recovery if password lost

2009-07-23T08:36:31Z

Yes, you do if you can hack password or if you are using weak algorithm e.g. DES.

GhostPa wrote:

Hi All,
if user lost password for crypt It's possible to recovery data?

Re: hibernate and jasypt: password is saved?

2009-07-23T08:34:47Z

Good question. You have to provide a password anyway in your application, either hardcode in the app source or read from a keystore protected by another password.

How to make passwork to keystore safe is another question.

GhostPa wrote:

Hi All,
I am newbie of jasypt.
I Have a question.
It 's need to store password used for crypting method in my web application or user juat insert password in runtime?
Thanks all.

Re: hibernate and jasypt: password is saved?

2009-07-23T08:34:21Z

GhostPa wrote:

Hi All,
I am newbie of jasypt.
I Have a question.
It 's need to store password used for crypting method in my web application or user juat insert password in runtime?
Thanks all.

hibernate and jasypt: password is saved?

2009-07-23T06:52:33Z

Hi All,
I am newbie of jasypt.
I Have a question.
It 's need to store password used for crypting method in my web application or user juat insert password in runtime?
Thanks all.

data recovery if password lost

2009-07-23T06:50:08Z

Hi All,
if user lost password for crypt It's possible to recovery data?

CLI encryption using FixedStringSaltGenerator

2009-07-17T11:06:41Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

Hi all,

I've decided to use the FixedStringSaltGenerator for my encryptor but I have preexisting data in the columns to be encrypted. I was going to encrypt that data via the command line (like I had done previously, with the default salt generator) but I can't seem to get the sytax correct. Below is the data from my command window:

-----------------------------

C:\dev\jasypt-1.5\bin> encrypt input=mydatatoencrypt password=mypassword verbose=true algorithm=PBEWithMD5AndDES keyObtentionIterations=1000 saltGeneratorClassName=org.jasypt.salt.FixedStringSaltGenerator

----ENVIRONMENT-----------------

Runtime: Sun Microsystems Inc. Java HotSpot(TM) Client VM 14.0-b16

----ARGUMENTS-------------------

verbose: true
algorithm: PBEWithMD5AndDES
input: mydatatoencrypt
password: mypassword
keyObtentionIterations: 1000
saltGeneratorClassName: org.jasypt.salt.FixedStringSaltGenerator

----ERROR-----------------------

Operation not possible (Bad input or parameters)

-----------------------------

I believe I probably have to set the salt value for the fixed string salt generator, but I'm not sure how to specify this on the command line. Can anybody help? Thanks in advance.

NCI is a company dedicated to trust, integrity, and performance.

If you have received this message in error, please contact the sender immediately and be aware that the use, copying, or dissemination of this information is prohibited. This email transmission contains information from NCI Information Systems, Inc. that may be considered privileged or confidential and is intended solely for the named recipient.

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time,
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

Re: StrongTextEncryptor throws EncryptionNotPossibleException

2009-07-16T00:46:23Z

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+
To my knowledge you need the JCE for unlimeted encryption strength.

Regards
wolf

-----Ursprüngliche Nachricht-----
Von: TNS [mailto:tsubramaniam@...]
Gesendet: Mittwoch, 8. Juli 2009 18:02
An: jasypt-users@...
Betreff: [jasypt-users] StrongTextEncryptor throws EncryptionNotPossibleException

+------------------------+
Jasypt Users List
http://www.jasypt.org
+------------------------+

I am using StrongTextEncryptor and it throws a
EncryptionNotPossibleException. It works with BasicTextEncryptor. I am using
the default JCE with JDK 1.4.2. Is PBEwithMD5andTripleDES not supported by
the default JCE? Would appreciate a clarification. Thanks in advance.
--
View this message in context: http://www.nabble.com/StrongTextEncryptor-throws-EncryptionNotPossibleException-tp24393264s21332p24393264.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time,
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time,
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
jasypt-users mailing list
jasypt-users@...
https://lists.sourceforge.net/lists/listinfo/jasypt-users

Re: BasicTextEncryptor() pattern develops in resulting strings after many encryptions, even from different instances

2009-07-15T15:27:50Z

Note that if I slow the loop down and sleep 100ms between each call to encrypt(), this pattern goes away, leading me to believe something internally is based on the current time? Please explain, is this still fairly secure to use?

borfnorton wrote:

If you can run the above, the output towards the end of your console will have data that looks something like this: See the pattern per iteration? Each "block of 3" encryptions per unique password starts to develop the same prefix of characters. Why is this? Is it still secure, should we use something else?

qHzOB11vmOSjj/diZRM73A==
qHzOB11vmOT1iZkYh4wPrQ==
qHzOB11vmOSoB+YmwPXdJA==
QrqvW2s9ZEAN/GGWyrgmVQ==
QrqvW2s9ZECfLddQ3mgD2g==
QrqvW2s9ZEBD04lhsuYQTw==
8La/KX1jNIR3nV6n+Lo72g==
8La/KX1jNITaEQvP2bdHkA==
8La/KX1jNIQRIVE9LglYwg==