Enveloped Encryption

FET

Hi everyone,
I have an application that uses a configuration file to store the
database access credentials. This application uses an authentication
based on Username-password. I would like to prevent these database
access credentials from being stored in clear.
But the problem with encrypting the configuration file with one
password is that another user cannot decrypt it with his password. So
what I need is a scheme in which the encrypted file can be decrypted
by each user using his/her own password.
Is there any way to do this in Java? I want to avoid using PKCS7
Enveloped Data since there are no asym keys involved here.

Thanks in advance.

Best regards.
 
FISH

> Hi everyone,
> I have an application that uses a configuration file to store the
> database access credentials. This application uses an authentication
> based on Username-password. I would like to prevent these database
> access credentials from being stored in clear.
> But the problem with encrypting the configuration file with one
> password is that another user cannot decrypt it with his password. So
> what I need is a scheme in which the encrypted file can be decrypted
> by each user using his/her own password.
> Is there any way to do this in Java? I want to avoid using PKCS7
> Enveloped Data since there are no asym keys involved here.


The easiest way (probably the most secure too) is to configure the
database so it can be accessed with each user's username/password
directly. It's then a lot easier to manage who has access, and to
log who did what.

Now if you really have to have a single database u/p shared between
all users then one idea is to have the client connect to a server,
verify its identity (by using the user's own u/p) and then download
via encrypted stream the database u/p. It would also be possible to
cache this information in a file, encrypted against the user's own
u/p - although this may not be a wise move as such a file might be
translatable to plaintext by the user. (Not that they couldn't just
hunt through RAM while the client was running, but that's a lot more
difficult than being presented with a file!)


-FISH- ><>
 
FET

Hello,
That's an excellent suggestion - the one about keeping the user passwd
same as the database passwd and setting appropriate permissions on
the tables to restrict access.
There is however one niggling problem - that of adding or removing a
user programmatically. If I add a user to my Application thru its GUI,
I will have to somehow add the user to the database along with proper
permissions on tables and set the password and so on. I have tried it
once before with ALTER USER WITH PASSWORD...or some query like that,
but it does have its own glitches.
Nevertheless, I will give it another shot, if it works out, nothing
like it.

Thanks once again.
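
The scheme asked for in the first post (one encrypted file that each user unlocks with his or her own password, with no asymmetric keys) can be built by encrypting the file once under a random data key and storing one copy of that data key per user, each wrapped under a key derived from that user's password. This is an added example, not code from any poster in this thread; the class name, user passwords, PBKDF2 iteration count and sample configuration are constructed assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordEnvelope {  // hypothetical class name
    static final SecureRandom RNG = new SecureRandom();
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // Key-encryption key derived from one user's password with a per-user salt.
    static SecretKey kek(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256); // assumed work factor
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }
    // AES-GCM encryption; output layout is 12-byte nonce || ciphertext+tag.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = random(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Throws AEADBadTagException on a wrong password or a modified blob.
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    public static void main(String[] args) throws Exception {
        byte[] dek = random(32);  // random data key: encrypts the file exactly once
        byte[] file = seal(new SecretKeySpec(dek, "AES"),
            "db.user=app\ndb.password=example".getBytes(StandardCharsets.UTF_8)); // constructed
        // One slot per user: the same data key wrapped under each user's own KEK.
        byte[] saltA = random(16), saltB = random(16);
        byte[] slotA = seal(kek("alice-pw".toCharArray(), saltA), dek);
        byte[] slotB = seal(kek("bob-pw".toCharArray(), saltB), dek);
        // Bob needs only his password, his salt and his slot to read the file.
        byte[] dekB = open(kek("bob-pw".toCharArray(), saltB), slotB);
        System.out.println(new String(open(new SecretKeySpec(dekB, "AES"), file),
                                      StandardCharsets.UTF_8));
    }
}
```

As FISH's reply points out, any user who can unlock a slot can recover the plaintext database credentials. Deleting a user's slot therefore does not revoke access on its own: the database password and the data key have to be rotated as well.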
 
