0

I am decrypting a password from an Oracle database, for a login page, to verify username and password. It's a simple JSP page:

<%@ page import="java.sql.*, javax.crypto.*, javax.crypto.spec.*" %>
<HTML>
<BODY>

<%
    Class.forName("oracle.jdbc.OracleDriver");

    Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@xxx:xxxx:xxxx", "i----r", "i-----r");
    // @//machineName:port:SID, userid, password

    Statement st = conn.createStatement();

    ResultSet rs = st.executeQuery("Select * from xxxxxxx");

    // Just testing now, for decryption

    String algorithm1 = "DES"; // magical mystery constant
    String algorithm2 = "DES/CBC/NoPadding"; // magical mystery constant
    IvParameterSpec iv = new IvParameterSpec(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }); // magical mystery constant
    Cipher cipher;
    SecretKey key;
    String k = "12345abc";
    key = new SecretKeySpec(k.getBytes(), algorithm1);
    cipher = Cipher.getInstance(algorithm2);

    String str = "test1234abc";

    cipher.init(Cipher.ENCRYPT_MODE, key, iv); // normally you could leave out the IvParameterSpec argument, but not with Oracle

    byte[] bytes = str.getBytes("UTF-8");

    byte[] encrypted = cipher.doFinal(bytes); // throws IllegalBlockSizeException: 11 bytes is not a multiple of 8
%>
</BODY>
</HTML>

The problem I am facing is that everything is working correctly, but the last line of code, byte[] encrypted = cipher.doFinal( bytes );, gives me an error:

javax.crypto.IllegalBlockSizeException: Input length not multiple of 8 bytes
at com.sun.crypto.provider.SunJCE_h.a(DashoA6275)
at com.sun.crypto.provider.SunJCE_h.b(DashoA6275)
at com.sun.crypto.provider.SunJCE_h.b(DashoA6275)
at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA6275)
at javax.crypto.Cipher.doFinal(DashoA6275)
at _check1._jspService(_check1.java:83) [SRC:/check1.jsp:45]
at com.orionserver[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].http.OrionHttpJspPage.service(OrionHttpJspPage.java:56)
at oracle.jsp.runtimev2.JspPageTable.compileAndServe(JspPageTable.java:569)
at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:305)
at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:509)
at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:413)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.HttpRequestHandler.run(HttpRequestHandler.java:285)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.HttpRequestHandler.run(HttpRequestHandler.java:126)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)

What might be causing this and how do I resolve it?

4
  • For password verification, I strongly recommend against using encryption/decryption. Instead, use a cryptographic hash function and a sufficiently long salt. Then compare the hashed values to verify the password. Commented Jul 9, 2012 at 10:31
  • I am not using this method, the company I am working for is using it. I just have to develop a JSP page which allows me to log in by getting the password from this database where the password is already stored. Then this JSP page will redirect to an Oracle Form. Can you please correct this code? Commented Jul 9, 2012 at 10:43
  • If the system already exists, then you need to get some more information from those people that have created it. DES requires a data size that is a multiple of 8 bytes. So if the encryption doesn't do any padding, then you'll need to find out how the existing system comes up with multiples of 8 bytes. Furthermore, make sure you're using exactly the same parameters for creating the key, for encrypting the password, for the initialization vector and for converting character-based data into binary data (is it really UTF-8?). Commented Jul 9, 2012 at 11:45
  • Ok, I got the answer to my query... I am using an 8-byte encryption. So passwords must be a multiple of 8 characters. So the problem is solved by putting a check on the login page that passwords must be a multiple of 8 characters. Commented Jul 10, 2012 at 3:16

2 Answers 2

1

The error message is helpful for once: pad your input string to a multiple of 8 bytes.

Either use Arrays.copyOf(byte[], int) or, for earlier versions:

byte[] bytes = str.getBytes("UTF-8");

// Append (8 - len % 8) % 8 NUL characters so the UTF-8 byte length is a multiple of 8.
// Both conversions use UTF-8, so the padded length matches the length computed above.
byte[] bytesPadded =
    (str + new String(new byte[(8 - bytes.length % 8) % 8], "UTF-8"))
        .getBytes("UTF-8");

byte[] encrypted = cipher.doFinal(bytesPadded);
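Added example, not code from the answer or from the question's application: it reproduces the exception on the question's 11-byte string with the same DES/CBC/NoPadding parameters, applies the zero padding the answer proposes (and the matching unpadding the question's code would need on the decrypt side), and shows PKCS5Padding as the alternative where the provider pads and unpads for you. The key "12345abc", the all-zero IV and the string "test1234abc" are the question's own sample values; DES is kept only because the existing system on the page uses it.

```java
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class DesBlockSizeDemo {

    // Same parameters as the question: 8-byte DES key, CBC, all-zero IV.
    // "12345abc" is the question's constructed sample key, not a real credential.
    private static final byte[] KEY = "12345abc".getBytes(StandardCharsets.US_ASCII);
    private static final IvParameterSpec IV = new IvParameterSpec(new byte[8]);

    private static Cipher desCbc(int mode, String padding) throws Exception {
        SecretKey key = new SecretKeySpec(KEY, "DES");
        Cipher c = Cipher.getInstance("DES/CBC/" + padding);
        c.init(mode, key, IV);
        return c;
    }

    /** Zero-pad to the next multiple of 8 bytes (no-op if already aligned). */
    static byte[] zeroPad(byte[] in) {
        int padded = (in.length + 7) / 8 * 8;
        return Arrays.copyOf(in, padded); // copyOf fills the tail with 0x00
    }

    /** Strip the trailing 0x00 bytes added by zeroPad. Ambiguous if the plaintext itself ends in NUL. */
    static byte[] zeroUnpad(byte[] in) {
        int end = in.length;
        while (end > 0 && in[end - 1] == 0) end--;
        return Arrays.copyOf(in, end);
    }

    public static void main(String[] args) throws Exception {
        byte[] plain = "test1234abc".getBytes(StandardCharsets.UTF_8); // 11 bytes, as in the question

        // 1. NoPadding with an unaligned input: this is the question's exception.
        try {
            desCbc(Cipher.ENCRYPT_MODE, "NoPadding").doFinal(plain);
        } catch (IllegalBlockSizeException e) {
            System.out.println("NoPadding, 11 bytes: " + e.getMessage());
        }

        // 2. NoPadding with explicit zero padding (the answer's approach), then round trip.
        byte[] ct = desCbc(Cipher.ENCRYPT_MODE, "NoPadding").doFinal(zeroPad(plain));
        byte[] back = zeroUnpad(desCbc(Cipher.DECRYPT_MODE, "NoPadding").doFinal(ct));
        System.out.println("NoPadding + zeroPad: ciphertext " + ct.length
                + " bytes, round trip ok = " + Arrays.equals(plain, back));

        // 3. PKCS5Padding: the provider pads on encrypt and removes the padding on decrypt.
        byte[] ct2 = desCbc(Cipher.ENCRYPT_MODE, "PKCS5Padding").doFinal(plain);
        byte[] back2 = desCbc(Cipher.DECRYPT_MODE, "PKCS5Padding").doFinal(ct2);
        System.out.println("PKCS5Padding: ciphertext " + ct2.length
                + " bytes, round trip ok = " + Arrays.equals(plain, back2));
    }
}
```

Compile and run with javac DesBlockSizeDemo.java && java DesBlockSizeDemo. Two things matter when matching an existing system, as the comments above point out: the padding scheme must be the same on both sides (zero padding cannot be distinguished from a password that really ends in NUL bytes, which is why the questioner's "multiple of 8 characters" rule sidesteps the problem rather than solving it), and the character encoding used for getBytes must be the one the stored ciphertexts were produced with.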

3 Comments

But HOW?? I tried many ways, but it's not working. Please, if you'll guide me it would be helpful, as I am completely new to ORACLE and JSP both.
Your string is 11 characters long and 11 bytes long in UTF-8. But with your current settings, it needs to be a multiple of 8 bytes. The problems have nothing to do with ORACLE or JSP. It's about the basics and proper use of security technologies. Don't just change your code without understanding in detail what it does. You would just create an insecure application that will be hacked sooner or later.
But this whole application was created previously by the company, I just have to run the query to check the password which is stored in the database already, against the provided password on the login page. In short, I can't change anything in the application or encryption or whatsoever. I just have to decrypt it somehow to check for the password.
0

Ok, I got the answer to my query... I am using an 8-byte encryption. So passwords must be a multiple of 8 characters. So the problem is solved by putting a check on the login page that passwords must be a multiple of 8 characters.

2 Comments

By the way, my supervisor is asking me to give some suggestions on how to improve this. As we are using Oracle Application Server, and all the usernames and passwords to log in are saved in a particular table of the Oracle database, which encryption should we use?
Don't use encryption. Use (cryptographically strong) hashing such as SHA-1. And don't forget the salt.
