
I already asked this question at StackOverflow here: https://stackoverflow.com/questions/4970681/blackberry-app-security and was directed to this site, can anyone pitch in as to how I can solve this issue?


Users log in to my BlackBerry app with a username and password provided at registration. My app connects to a Java Web Service that does all the logic.

  • How do I go about storing the password and username in a safe manner on my server? Everybody says salting and hashing, but I have no idea how to do this since I've never worked with it. How can I do this in Java?
  • How do I manage sending the password securely from the app to the server?
8vius
  • I modified the title, to make the focus of the question clearer. It's likely that it wasn't being read because of "Blackberry"... and it's really a question about the Java WS. – AviD Feb 15 '11 at 06:31
  • And how do you securely store the password on the BlackBerry? – nealmcb Feb 15 '11 at 17:27

2 Answers


There is a good explanation of this on the OWASP website, see the page Hashing Java.
It explains some of the details about the use of hashes and why to add a salt; it also contains code examples. This may be a good point for you to start from.

As for securely sending the passwords from the app, using HTTPS instead of HTTP, if you're not already, would be a good start.

Mark Davidson

I'm surprised we haven't found a widely adopted standard implementation of this for Java. It is such an important topic, and crypto code can be very tricky to get right and keep updated against the ever-improving attacks out there.

I'm glad to see that as of Java 6 there is an implementation of PBKDF2: PBKDF2WithHmacSHA1 in SunJCE. See also the discussion of using the PBKDF2 standard (not PBKDF1) in a recent PBKDF1 question. And as discussed in the answers to your question at StackOverflow, for earlier versions of Java, an implementation of that is at A free Java implementation of RFC 2898 / PKCS#5 PBKDF2.

There is also a Java answer (use jBCrypt - strong password hashing for Java), and some helpful discussion of the general issues for password hashing, at Reference implementation of C# password hashing and verification - IT Security.

The OWASP sample code referred to in another answer does not seem as carefully described or vetted as I would hope, but I haven't compared it with the others.

nealmcb
  • There are also the Apache Commons libraries and classes org.apache.commons.codec.digest.DigestUtils and org.apache.commons.lang.RandomStringUtils that have hashing methods for several formats, are easy to use and also allow for the creation of salts. – 8vius Feb 15 '11 at 20:51
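As an added illustration (not code from this thread, from OWASP or from any of the linked projects), here is what the salted PBKDF2WithHmacSHA1 approach nealmcb mentions looks like in plain Java SE 6 on the server side. The class and method names, the 16-byte random salt and the 10,000 iteration count are my own assumptions; the server stores only the salt, iteration count and derived key, never the password.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    private static final int SALT_BYTES = 16;     // assumed; per-user random salt
    private static final int ITERATIONS = 10000;  // assumed; raise as hardware allows
    private static final int KEY_BITS = 160;      // HMAC-SHA1 output size

    // What the server persists for one user: salt + derived key, not the password.
    public static final class Record {
        public final byte[] salt;
        public final byte[] hash;
        public final int iterations;
        Record(byte[] salt, byte[] hash, int iterations) {
            this.salt = salt; this.hash = hash; this.iterations = iterations;
        }
    }

    // Called once at registration: fresh salt, then PBKDF2 over the password.
    public static Record hashPassword(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return new Record(salt, pbkdf2(password, salt, ITERATIONS), ITERATIONS);
    }

    // Called at login: re-derive with the stored salt/iterations and compare.
    public static boolean verify(char[] password, Record stored) throws GeneralSecurityException {
        byte[] candidate = pbkdf2(password, stored.salt, stored.iterations);
        return MessageDigest.isEqual(candidate, stored.hash); // constant-time in current JDKs
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Record r = hashPassword("correct horse battery staple".toCharArray());
        System.out.println(verify("correct horse battery staple".toCharArray(), r)); // true
        System.out.println(verify("wrong password".toCharArray(), r));               // false
    }
}
```

Store the salt, iteration count and hash together (e.g. base64-encoded) so the count can be raised later for new records without breaking old ones; the password itself should only ever travel over the HTTPS channel the first answer recommends.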