How to apply password encryption with Spring Security?

Question

I recently started working on adding security in an existing web application. The application uses jcryption to encrypt the hashed password before sending it to server and then at server side we do the decryption to get the hashed value and than this hashed value is compared with the db password field(MD5 hashed value). That way we can handle "Man in the middle attacks". The setup worked fine till I introduced Spring Security layer in the application (Spring Security 3.2.7 with Java configuration) now I have problem in encryption part and I really have no idea how to proceed.

Everything else is working and I have used Md5PasswordEncoder for hashing the passwords. The problem is username and passwords are being sent in plain text. I can't understand how can I encrypt the password before sending it over the network. How can I apply AES encryption/decryption of username/ password field along with Spring security architecture ?

Please understand I am already using MD5 hashing in my application and I want an encryption layer above it. One more thing since it is a legacy application I can't force everyone to use HTTPS, https is enabled but that is not mandatory for all. I am more concerned about people who will be accessing the application using plain old http.

Answer 1

You can write your own PasswordEncoder with spring security but first you need to AES encrypt / decryption code , here is example :

 public static String encrypt(String value) {

    if(value == null){
        return value;
    }
    // SALT is your secret key
    Key key = new SecretKeySpec(SALT.getBytes(), "AES");
    try {

        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return Base64.encodeBase64String(cipher.doFinal(value.getBytes()));
    } catch (Exception exception) {
        throw new RuntimeException(exception);
    }
}

   public static String decrypt(String value) {

    if(value == null){
        return value;
    }
    // SALT is your secret key
    Key key = new SecretKeySpec(SALT.getBytes(), "AES");
    try {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key);
        return new String(cipher.doFinal(Base64.decodeBase64(value)));
    } catch (Exception exception) {
        throw new RuntimeException(exception);
    }
}

Then we can use these utility methods with PasswordEncoder by the way you don't need to decrypt user password while authentication,it's not safe, you must encode password and then compare encoded passwords. (you must save user passwords encoded in database) Here is example:

public class CustomUserPasswordEncoder implements PasswordEncoder {

public String encode(CharSequence rawPassword) {
    return encrypt(rawPassword.toString());
}

public boolean matches(CharSequence rawPassword, String encodedPassword) {
    if (!StringUtils.isBlank(rawPassword) && encode(rawPassword).equals(encodedPassword)) {
        return true;
    }
    return false;
}

}

Now, we can set spring security password encoder like this:

 passwordEncoder(new CustomUserPasswordEncoder());

Answer 2

1. You need to use HTTPS to send your users' passwords over the internet.

   Seriously, your users can/will sue you if you don't do this. LinkedIn recently gave up a few million dollars for not taking due care with their users' passwords.

   LetsEncrypt is free and widely used.

2. Doing encryption without HTTPS or hashing on the client is wrong and bad. Hash on the server only.

3. MD5 is the worst possible hashing method. Again, you might get sued.

   Only use the following: bcrypt, scrypt, PBKDF-2

   Spring has a built-in bcrypt password encoder.