- The Spring Security crypto module provides classes for
– symmetric encryption
– key generation
– password encoding
Encryptors
- Set of classes for creating the following types of encryptors
- BytesEncryptor
– Uses 256-bit AES with a key derived by PKCS #5's PBKDF2 (Password-Based Key Derivation Function #2) for encryption
– Returns encrypted data in raw byte[] form
- TextEncryptor
– Wraps the standard BytesEncryptor for encryption and returns the result as a hex-encoded string
- Queryable TextEncryptor
– The initialization vector for encryption is constant, so the same text always produces the same encryption result
– It should be used only when previously stored ciphertext needs to be matched against the ciphertext of the same text (e.g. for lookups)
Spring Security Crypto Module: Key Generators
- Set of classes for creating the following types of key generators
– BytesKeyGenerator
– generates byte[] keys
– The KeyGenerators.secureRandom() method generates a key of 8 bytes by default
– Pass the key size, e.g. KeyGenerators.secureRandom(16), to generate larger keys
– The KeyGenerators.shared() method returns a generator that produces the same key every time
– StringKeyGenerator
– generates hex-encoded string keys
– KeyGenerators.string() generates a hex-encoded string key from 8 random bytes by default
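The following added example (not from the original slides) ties the encryptor and key generator sections together: it uses KeyGenerators to produce the hex-encoded salt that Encryptors expects, then shows the raw-bytes, hex-text and queryable encryptors side by side, including the property that the queryable encryptor yields identical ciphertext for identical input. The password and plaintext values are constructed for the demo; in real use the password comes from configuration, not source code. Recent Spring Security releases mark Encryptors.queryableText as deprecated precisely because a fixed IV reveals which stored values are equal.

```java
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.BytesKeyGenerator;
import org.springframework.security.crypto.keygen.KeyGenerators;
import org.springframework.security.crypto.keygen.StringKeyGenerator;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class CryptoModuleDemo {

    public static void main(String[] args) {
        // --- Key generators ---
        BytesKeyGenerator defaultGen = KeyGenerators.secureRandom();   // 8-byte keys by default
        BytesKeyGenerator gen16 = KeyGenerators.secureRandom(16);      // 16-byte keys
        System.out.println("secureRandom() key length:   " + defaultGen.generateKey().length);
        System.out.println("secureRandom(16) key length: " + gen16.generateKey().length);

        // shared(keyLength): one key is generated once and returned on every call
        BytesKeyGenerator shared = KeyGenerators.shared(16);
        System.out.println("shared() keys equal: "
                + Arrays.equals(shared.generateKey(), shared.generateKey()));

        // string(): hex-encoded 8-byte keys; this is the salt format Encryptors requires
        StringKeyGenerator saltGen = KeyGenerators.string();
        String salt = saltGen.generateKey();
        System.out.println("hex salt: " + salt + " (" + salt.length() + " hex chars)");

        // --- Encryptors ---
        String password = "demo-only-password";     // constructed; load from config in practice
        String plaintext = "account-number-12345";  // constructed sample

        // BytesEncryptor: 256-bit AES, key derived from password + salt via PBKDF2
        BytesEncryptor bytesEnc = Encryptors.standard(password, salt);
        byte[] raw = bytesEnc.encrypt(plaintext.getBytes(StandardCharsets.UTF_8));
        System.out.println("raw ciphertext (hex): " + new String(Hex.encode(raw)));
        System.out.println("bytes round-trip: "
                + new String(bytesEnc.decrypt(raw), StandardCharsets.UTF_8).equals(plaintext));

        // TextEncryptor: same cipher, hex-encoded output, fresh random IV per call
        TextEncryptor textEnc = Encryptors.text(password, salt);
        String c1 = textEnc.encrypt(plaintext);
        String c2 = textEnc.encrypt(plaintext);
        System.out.println("text() ciphertexts differ: " + !c1.equals(c2));
        System.out.println("text() round-trip: " + textEnc.decrypt(c1).equals(plaintext));

        // Queryable TextEncryptor: constant IV, so equal plaintexts give equal ciphertexts
        TextEncryptor queryable = Encryptors.queryableText(password, salt);
        String q1 = queryable.encrypt(plaintext);
        String q2 = queryable.encrypt(plaintext);
        System.out.println("queryableText() ciphertexts equal: " + q1.equals(q2));
    }
}
```

The design point to take from the output is the trade-off between the two text encryptors: Encryptors.text produces a different ciphertext each time (safe to store, but not searchable by equality), while Encryptors.queryableText is searchable only because it leaks whether two stored values share a plaintext.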
Spring Security Crypto Module: PasswordEncoder
- Provides password encoding through implementations of the PasswordEncoder interface
- StandardPasswordEncoder, Md5PasswordEncoder and BCryptPasswordEncoder are some of the password encoders supported in Spring Security
– StandardPasswordEncoder
– Combines a plain password with a site-wide secret and 8-byte random salt, and implements SHA-256 hashing algorithm with 1024 iterations
– Site-wide Key should not be stored along with the passwords to prevent attackers from gaining access to the stored passwords using a brute force attack
– The 1024 iterations make each hash computation slower, which strengthens the derived hash against brute-force guessing
– The random salt ensures that a unique hash is generated when the same text is supplied multiple times
– BCryptPasswordEncoder
– BCryptPasswordEncoder implements the bcrypt hashing function, which is based on the Blowfish cipher
– Bcrypt generates random salt to generate unique encoded hash of length 60 characters for the same text
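The following added example (not part of the original slides) shows the PasswordEncoder contract in use with BCryptPasswordEncoder: hashing at registration, verifying at login with matches(), and the properties the slides describe (60-character output, a fresh salt per call so identical passwords hash differently). It also uses upgradeEncoding(), which BCryptPasswordEncoder implements to flag hashes made with a lower cost factor than the one currently configured. The sample password is constructed; the strength values are the hypothetical choices for this demo. Note that StandardPasswordEncoder is deprecated in current Spring Security releases, and bcrypt (or another adaptive hash such as PBKDF2, scrypt or Argon2) is the recommended choice.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    // Strength 12 means 2^12 bcrypt rounds; raise it as hardware gets faster.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    /** Hash a password at registration time; only the returned hash is stored. */
    static String hashForStorage(CharSequence rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Verify at login. matches() reads the salt and cost factor out of the stored hash. */
    static boolean verify(CharSequence rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    /** True when a stored hash was made with a weaker cost than ENCODER uses now. */
    static boolean needsRehash(String storedHash) {
        return ENCODER.upgradeEncoding(storedHash);
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple";   // constructed sample password
        String h1 = hashForStorage(pw);
        String h2 = hashForStorage(pw);

        System.out.println(h1);   // $2a$12$ + 22-char salt + 31-char hash
        System.out.println("length 60: " + (h1.length() == 60));
        System.out.println("random salt -> different hashes: " + !h1.equals(h2));
        System.out.println("both verify: " + (verify(pw, h1) && verify(pw, h2)));
        System.out.println("wrong password rejected: " + !verify("wrong password", h1));

        // A hash produced with a lower cost factor should be re-encoded on the next
        // successful login, so the whole user base migrates to the stronger setting.
        String olderHash = new BCryptPasswordEncoder(10).encode(pw);
        System.out.println("older hash needs upgrade: " + needsRehash(olderHash));
        System.out.println("current hash needs upgrade: " + needsRehash(h1));
    }
}
```

The usual pattern is to call verify() on login and, when it succeeds and needsRehash() is true, store hashForStorage(rawPassword) in place of the old hash; that is the only moment the plaintext is available to re-hash.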