Please also look at Apache Shiro, it provides very nice wrappers around JCE and
incorporates crypto best practices.
Regards Malcolm Edgar
Sent from my iPad
On 06/10/2012, at 1:20 AM, Mike Kienenberger <mkien...@gmail.com> wrote:
> I have always done my encryption at the application level.
>
> I think there are a number of reasons why this makes the most sense.
>
> Here are some tips from my past experience:
>
> 1) clump multiple kinds of data together, and/or randomly add data.
> Encrypting a single field value by itself generally doesn't provide
> enough variation to be secure.
>
> For example, rather than encrypting a credit card number in one place
> and an expiration date in another, encrypt all logical fields into one
> physical field. I actually go a step further and encrypt all
> credit-card-related sensitive information which yields a long string.
> You can then randomly add data to the beginning, end, and middle of
> your data string to further secure it either before encrypting, after
> encrypting, or both.
>
> 2) Prefix your encrypted data string with versioning information.
> At some point, you are going to need to change your encryption. It's
> a lot easier to do this, if which algorithm to use is part of the
> data. You can then provide backwards compatibility for older data
> until such time, if ever, that you re-encrypt it using a newer
> algorithm. You might need to do this because of a defect in your
> algorithm, because you've added new data fields, or because you need
> to replace your encryption key.
>
> 3) Remember that encrypted fields cannot be searched or sorted in the
> database, and that providing a search index of any kind will weaken
> your encryption. This is the tradeoff of encrypting data.
>
> 4) Remember to only work with the decrypted data as character arrays,
> not as Strings, once you've pulled it out, to avoid it sticking around
> in memory.
>
> Here's a broad overview of the important methods you'd want to
> implement. It will take some work to provide your own implementation,
> and for obvious reasons, I will not provide mine, but it will give you
> a very flexible system when you are finished.
> package utilities.encryption;
>
> public class DataBlockEncryptionManager {
> protected String findVersion(String encryptedData)
> throws EncryptionException
> {
> }
>
> /**
> * Find and decrypt item in encrypted data block.
> *
> * @param encryptedData
> * @param itemIndex from 0 to last item
> * @return char array containing decrypted item, may be null if no
> data in block.
> * @throws EncryptionException
> */
> public char[] decryptDataBlock(String encryptedData, int itemIndex)
> throws EncryptionException
> {
> }
>
> /**
> * encrypt item in encrypted data block.
> *
> * @param encryptedData String containing previous encrypted block,
> null to create new block
> * @param itemIndex from 0 to last item of item to encrypt
> * @param newValue to add to block
> * @return String containing encrypted block
> * @throws EncryptionException
> */
> public String encryptDataBlock(String encryptedData, int itemIndex,
> char[] newValue)
> throws EncryptionException
> {
> }
> }
>
>
> And write some tests to prove that these work for all kinds of
> different situations. Something like permutations of the following:
>
> public void test_encryptDataBlockThenDecrypt() throws EncryptionException
> {
> String encryptedData = null;
>
> char[] value1 = "The quick brown fox jumped".toCharArray();
> String encryptedData2 = instance.encryptDataBlock(encryptedData,
> 0, value1);
>
> char[] value2 = "over the".toCharArray();
> encryptedData2 = instance.encryptDataBlock(encryptedData2, 1, value2);
>
> char[] value3 = "lazy dog".toCharArray();
> encryptedData2 = instance.encryptDataBlock(encryptedData2, 2, value3);
>
> char[] value1D = instance.decryptDataBlock(encryptedData2, 0);
> ArrayAssert.assertEquals(value1, value1D);
>
> char[] value2D = instance.decryptDataBlock(encryptedData2, 1);
> ArrayAssert.assertEquals(value2, value2D);
>
> char[] value3D = instance.decryptDataBlock(encryptedData2, 2);
> ArrayAssert.assertEquals(value3, value3D);
> }
>
>
>
>
> On Fri, Oct 5, 2012 at 10:37 AM, kadali narendra
> <narendra_...@hotmail.com> wrote:
>>
>> Hi All,
>>
>> I would like to know is there any way Cayenne supports MySQL DB
>> encryption/decryption seamlessly. Or else is there any third party libraries
>> like Jasypt is available, which we can use for encryption purpose.
>>
>> I know Jasypt can be integrated with Hibernate for encrypting/decrypting the
>> data stored in db thus providing db independence. So I don't have to worry
>> about on which db vendor I am using when deploying my application. I am
>> looking similar kind of libraries which is available for Cayenne.
>>
>> If any one happens to know such libraries please let me know. And also
>> please share your thoughts on encryption process on db + using cayenne.
>>
>> Thanks in advance for your help! :)
>>
>> - Naren
>>
