Java - encrypt / decrypt user name and password from a configuration file

Question

We are busy developing a Java web service for a client. There are two possible choices:

• Store the encrypted user name / password on the web service client. Read from a config. file on the client side, decrypt and send.

• Store the encrypted user name / password on the web server. Read from a config. file on the web server, decrypt and use in the web service.

The user name / password is used by the web service to access a third-party application.

The client already has classes that provide this functionality but this approach involves sending the user name / password in the clear (albeit within the intranet). They would prefer storing the info. within the web service but don't really want to pay for something they already have. (Security is not a big consideration because it's only within their intranet).

So we need something quick and easy in Java.

Any recommendations?

The server is Tomkat 5.5. The web service is Axis2.

• What encrypt / decrypt package should we use?
• What about a key store?
• What configuration mechanism should we use?
• Will this be easy to deploy?

Answer 1

As I understand anyhow in order to call 3rd party web service you pass password as plain text and no security certificates are involved.

Then I would say the easiest approach would be to store password in encrypted format (via java encryption mechanism) when the encryption/decryption key is just hard coded in the code.

I would definitely store it on the server side (file system or db) rather then distribute and maintain it on the multiple clients.

Here is how that could work with "DES" encryption:

// only the first 8 Bytes of the constructor argument are used 
// as material for generating the keySpec
DESKeySpec keySpec = new DESKeySpec("YourSecr".getBytes("UTF8")); 
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
SecretKey key = keyFactory.generateSecret(keySpec);
sun.misc.BASE64Encoder base64encoder = new BASE64Encoder();
sun.misc.BASE64Decoder base64decoder = new BASE64Decoder();
.........

// ENCODE plainTextPassword String
byte[] cleartext = plainTextPassword.getBytes("UTF8");      

Cipher cipher = Cipher.getInstance("DES"); // cipher is not thread safe
cipher.init(Cipher.ENCRYPT_MODE, key);
String encrypedPwd = base64encoder.encode(cipher.doFinal(cleartext));
// now you can store it 
......

// DECODE encryptedPwd String
byte[] encrypedPwdBytes = base64decoder.decodeBuffer(encryptedPwd);

Cipher cipher = Cipher.getInstance("DES");// cipher is not thread safe
cipher.init(Cipher.DECRYPT_MODE, key);
byte[] plainTextPwdBytes = (cipher.doFinal(encrypedPwdBytes));