Gokul G.K

What would you do if your encrypted credentials and the key got compromised?

This is a rhetorical question.

Securing an API with API keys, tokens or passwords is common in any application. With basic authentication we generally store the credentials after encrypting them. Here, let's see how one-way hash functions like MD5 or SHA-256 can be used for basic authentication instead.

The Idea

The idea is to convert the credentials to hash strings with a hash function the first time they are seen, i.e. at sign-up. During login, hash the credentials the user entered and compare the result with the stored hash for equality. Simple as that :D.


Here we aren't storing encrypted passwords, and there is no decryption key to steal, so even if your application is attacked and its data is compromised, your credentials are safe.

The Implementation

For a complete implementation in Java and Spring Boot, click here.

Let me do a walkthrough.

We start with a minimal controller interface and its implementation:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public interface LoginApi {

    @GetMapping("/user/login")
    @ResponseBody
    String userLogin();
}
import org.springframework.stereotype.Component;

@Component
public class LoginApiImpl implements LoginApi {

    /**
     * User login string.
     *
     * @return the string returned once the filter has accepted the credentials
     */
    @Override
    public String userLogin() {
        return "Login Successful";
    }
}

Then we have the filter implementation that verifies authentication:
Basic Authentication Filter Implementation
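The post links to the filter rather than showing it, so here is an added example of such a filter (my code, not the post's or its repository's). It assumes Spring Boot 3 (the jakarta.servlet namespace) and the LoginService.checkAuthentication(user, password) method shown later in the post; the class name HashedBasicAuthFilter and the parseBasicCredentials helper are my own. The parsing handles the cases a practitioner has to get right: a missing header, a non-Basic scheme, invalid base64, a payload without a colon, and passwords that themselves contain colons.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Optional;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical Basic-auth filter (example only): decodes the Authorization
 * header and delegates the hash comparison to the post's LoginService.
 */
@Component
public class HashedBasicAuthFilter extends OncePerRequestFilter {

    private final LoginService loginService;

    public HashedBasicAuthFilter(LoginService loginService) {
        this.loginService = loginService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Optional<String[]> creds = parseBasicCredentials(request.getHeader(HttpHeaders.AUTHORIZATION));
        boolean authenticated = false;
        if (creds.isPresent()) {
            try {
                // creds[0] is the user-id, creds[1] the password (may be empty).
                authenticated = loginService.checkAuthentication(creds.get()[0], creds.get()[1]);
            } catch (NoSuchAlgorithmException e) {
                throw new ServletException("SHA-256 not available in this JVM", e);
            }
        }
        if (!authenticated) {
            // Reject without revealing whether the user or the password was wrong.
            response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\", charset=\"UTF-8\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Parses "Basic base64(user:password)". Returns empty for anything malformed.
     */
    static Optional<String[]> parseBasicCredentials(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String value = header.trim();
        // The scheme name is case-insensitive (RFC 7617); require "Basic " followed by a token.
        if (value.length() <= 6 || !value.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(value.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: user-ids cannot contain ':' but passwords may.
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(new String[] { pair.substring(0, colon), pair.substring(colon + 1) });
    }
}
```

Registered as a @Component, Spring Boot applies the filter to every request, so the curl command at the end of the post, whose header decodes to ADMIN:password, reaches the controller only after checkAuthentication has returned true.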

The service implementation is where we compare the stored hash with the given credential; for simplicity, let's focus on the password.

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.stereotype.Service;

/**
 * The type Login service.
 */
@Service
public class LoginService {

    /**
     * The constant USER.
     */
    private static final String USER = "ADMIN";

    /**
     * The constant PASSWORD: the SHA-256 hex digest of the real password.
     * Actual value is : password
     */
    private static final String PASSWORD = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8";

    /**
     * Check authentication boolean.
     *
     * @param user     the user
     * @param password the password
     * @return true when the user matches and the hash of the given password equals the stored hash
     * @throws NoSuchAlgorithmException the no such algorithm exception
     */
    public boolean checkAuthentication(String user, String password) throws NoSuchAlgorithmException {
        // Hash the supplied password and compare hashes; the plaintext is never stored.
        String generatedHash = generateHash(password);
        return USER.equals(user) && PASSWORD.equals(generatedHash);
    }

    /**
     * Generate hash string.
     *
     * @param password the password
     * @return the lowercase hex SHA-256 digest (64 characters)
     * @throws NoSuchAlgorithmException the no such algorithm exception
     */
    public String generateHash(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
        // Convert to hex; BigInteger drops leading zeros, so pad back to 64 characters.
        BigInteger number = new BigInteger(1, hash);
        StringBuilder hexString = new StringBuilder(number.toString(16));
        while (hexString.length() < 64) {
            hexString.insert(0, '0');
        }
        return hexString.toString();
    }
}


Finally, let's run the code and hit the API. In this example the username is ADMIN and the password is password.

Here is the curl command for the above API (the header value is the base64 encoding of ADMIN:password):

curl --location --request GET 'http://localhost:8443/service/api/v1/user/login' \
--header 'Authorization: Basic QURNSU46cGFzc3dvcmQ='


That's all for now. Hope this is useful.
Share your thoughts in the comment section.

Top comments (2)

Coder

This is a better approach for basic auth.

Gokul G.K

:D