[Ruse] How To Encrypt Player Passwords!

Hey guys,

Today I’m making a guide on how you can encrypt your players’ passwords!

Note: We will be saving the encryption key as plaintext in the server files. This is obviously a terrible idea for most applications, because anyone who can read the player files can usually read the key too, and with the key every password decrypts. You can adapt the code to read the key from somewhere else (an environment variable, or a file with restricted permissions outside the server directory). Don’t fetch it from a random web page: the URL sits in the same server files, so it hides nothing.

The purpose of doing this is to stop people who gain unauthorised access to your player files from using the passwords nefariously. Keep in mind what this does and does not give you: the passwords are still recoverable by design (the server decrypts them on every login), and because the cipher below runs in ECB mode, two players with the same password get the same stored value. Storing only a salted, slow hash (PBKDF2, bcrypt, scrypt or Argon2) and never the password itself is the stronger option, and the login check works just as well on a hash.

First step - Creating Encryptor.java in your server files.

I have left an example key as you’ll see. You should change this!

Encryptor.java
package com.platinum.tools;


import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Encryptor {

	private static SecretKeySpec secretKey;
	private static byte[] key;

	public static String globalKey = "uHyowSN7^QmDss!!PP";

	// Derives a 128-bit AES key from the passphrase: SHA-1 of its UTF-8 bytes,
	// truncated to the first 16 bytes. The same passphrase always yields the
	// same key, which is what lets decrypt() recover what encrypt() produced.
	public static void setKey(String myKey)
	{
		try {
			key = myKey.getBytes(StandardCharsets.UTF_8);
			MessageDigest sha = MessageDigest.getInstance("SHA-1");
			key = sha.digest(key);
			key = Arrays.copyOf(key, 16);
			secretKey = new SecretKeySpec(key, "AES");
		}
		catch (NoSuchAlgorithmException e) {
			e.printStackTrace();
		}
	}

	// AES in ECB mode with PKCS5 padding, output Base64-encoded. ECB is
	// deterministic: identical passwords produce identical stored values.
	public static String encrypt(String strToEncrypt, String secret)
	{
		try
		{
			setKey(secret);
			Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
			cipher.init(Cipher.ENCRYPT_MODE, secretKey);
			return Base64.getEncoder().encodeToString(cipher.doFinal(strToEncrypt.getBytes(StandardCharsets.UTF_8)));
		}
		catch (Exception e)
		{
			System.out.println("Error while encrypting: " + e);
		}
		return null;
	}

	public static String decrypt(String strToDecrypt, String secret)
	{
		try
		{
			setKey(secret);
			Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
			cipher.init(Cipher.DECRYPT_MODE, secretKey);
			// Decode with the same charset encrypt() used; the original relied on the
			// platform default, which breaks non-ASCII passwords on non-UTF-8 systems.
			return new String(cipher.doFinal(Base64.getDecoder().decode(strToDecrypt)), StandardCharsets.UTF_8);
		}
		catch (Exception e)
		{
			// A wrong key, corrupted data, or a value that was never encrypted all land here.
			System.out.println("Error while decrypting: " + e);
		}
		return null;
	}

	//This is a test method to prove the concept.
	/*public static void main(String[] args)
	{
		final String secretKey = "my super amazing key";

		String originalString = "rspshub.com";
		String encryptedString = Encryptor.encrypt(originalString, secretKey);
		String decryptedString = Encryptor.decrypt(encryptedString, secretKey);

		System.out.println(originalString);
		System.out.println(encryptedString);
		System.out.println(decryptedString);
	}*/
}

Next - Using the methods

So, we want to encrypt a player’s password when the player is saved, and decrypt it again when the player logs in.

Go ahead and open PlayerLoading.java and PlayerSaving.java.

In your PlayerSaving file, replace your previous password line with:

PlayerSaving.java
object.addProperty("password", Encryptor.encrypt(player.getPassword().trim(), Encryptor.globalKey));

Now, in your player loading file, replace your previous password loading with this.
(If your code didn’t have the bottom part with the credential check, just take the top part that handles the decryption.)

PlayerLoading.java
if (reader.has("password")) {
	String stored = reader.get("password").getAsString();
	String password = stored;
	// Base64 of a single AES block is 24 characters, so anything shorter is a legacy
	// plaintext password and must not be decrypted. (The original check used 16,
	// which misclassifies 16 to 23 character plaintext passwords and then fails them.)
	if (stored.length() >= 24 && stored.length() % 4 == 0) {
		String decrypted = Encryptor.decrypt(stored, Encryptor.globalKey);
		if (decrypted != null) {
			password = decrypted;
			System.out.println("Decryption Success");
		}
		// decrypt() returns null for a value that was never encrypted; fall through
		// and treat the stored value as plaintext instead of comparing against null.
	}
	if (!force) {
		if (!player.getPassword().equals(password)) {
			return LoginResponses.LOGIN_INVALID_CREDENTIALS;
		}
	}
	player.setPassword(password);
}

The code above lets you roll this out on a live server without deleting the old accounts whose password is still stored in plaintext: a legacy value is compared as-is, and it is written back encrypted the next time the player is saved. Guessing from the length is a heuristic, though; a stored plaintext password of 24 or more characters that happens to be valid Base64 will be fed to decrypt(), and a marker prefix on encrypted values is the more reliable way to tell the two apart.
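As an added example (not code from the original post or from the Ruse code base), here is what the stronger option looks like in the same shape as the loading code above: passwords are stored as salted PBKDF2 hashes with a versioned prefix, verify() accepts both hashed records and legacy plaintext ones, and upgradeIfNeeded() migrates a plaintext record on the first successful login. The prefix makes the "is this value already protected?" decision exact instead of length-based. The class name, the record format and the iteration count are this example's own choices; the constructed values in main() are illustrative.

```java
package com.platinum.tools;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not part of the original post: one-way password storage with
 * PBKDF2-HMAC-SHA256, plus transparent migration of legacy plaintext records.
 * Stored format: pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>
 */
public final class PasswordStore {

	private static final String PREFIX = "pbkdf2-sha256$";
	private static final int ITERATIONS = 200_000; // tune to your login latency budget
	private static final int SALT_BYTES = 16;
	private static final int HASH_BITS = 256;
	private static final SecureRandom RNG = new SecureRandom();

	private PasswordStore() {}

	/** Hashes a password with a fresh random salt and returns the record to store. */
	public static String hash(String password) {
		byte[] salt = new byte[SALT_BYTES];
		RNG.nextBytes(salt);
		byte[] digest = pbkdf2(password, salt, ITERATIONS);
		return PREFIX + ITERATIONS + "$"
				+ Base64.getEncoder().encodeToString(salt) + "$"
				+ Base64.getEncoder().encodeToString(digest);
	}

	/** True if the stored value was produced by hash(); false for a legacy plaintext password. */
	public static boolean isHashed(String stored) {
		return stored != null && stored.startsWith(PREFIX);
	}

	/** Checks a login attempt against either kind of record, in constant time. */
	public static boolean verify(String attempt, String stored) {
		if (attempt == null || stored == null) {
			return false;
		}
		if (!isHashed(stored)) {
			// Legacy record: the file still holds the plaintext, compare it directly.
			return MessageDigest.isEqual(
					attempt.getBytes(StandardCharsets.UTF_8),
					stored.getBytes(StandardCharsets.UTF_8));
		}
		String[] parts = stored.substring(PREFIX.length()).split("\\$");
		if (parts.length != 3) {
			return false; // malformed record
		}
		int iterations = Integer.parseInt(parts[0]);
		byte[] salt = Base64.getDecoder().decode(parts[1]);
		byte[] expected = Base64.getDecoder().decode(parts[2]);
		return MessageDigest.isEqual(expected, pbkdf2(attempt, salt, iterations));
	}

	/**
	 * Call after verify() succeeded and store the result: a legacy plaintext record
	 * becomes a hash, an already hashed record is returned unchanged.
	 */
	public static String upgradeIfNeeded(String attempt, String stored) {
		return isHashed(stored) ? stored : hash(attempt);
	}

	private static byte[] pbkdf2(String password, byte[] salt, int iterations) {
		try {
			KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, HASH_BITS);
			return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
		} catch (GeneralSecurityException e) {
			throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
		}
	}

	// Constructed walk-through: a legacy file holding "hunter2" is verified,
	// migrated on that login, and then verified again against the hash.
	public static void main(String[] args) {
		String legacy = "hunter2";
		System.out.println("legacy login ok: " + verify("hunter2", legacy));
		String record = upgradeIfNeeded("hunter2", legacy);
		System.out.println("stored record:   " + record);
		System.out.println("hashed login ok: " + verify("hunter2", record));
		System.out.println("wrong password:  " + verify("hunter3", record));
		System.out.println("second upgrade is a no-op: " + (upgradeIfNeeded("hunter2", record) == record));
	}
}
```

Wiring this into the loading code above means replacing the equals() comparison with `PasswordStore.verify(player.getPassword(), stored)` and, on success, calling `player.setPassword(PasswordStore.upgradeIfNeeded(player.getPassword(), stored))` so that the next save writes the hash; the saving line then stores `player.getPassword()` without calling Encryptor at all. With this design there is no key to leak or rotate, and a copied player file gives an attacker only salted hashes that each cost 200,000 HMAC iterations per guess.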

Please note - you cannot simply change the encryption key once player files have been saved with it, because existing values only decrypt with the key that produced them. To rotate, you would have to write a migration that decrypts every stored password with the current key and re-encrypts it with the new one (or keep both keys and try the old one when the new one fails).

If anyone finds out your key, you’re a moron.

Be safe, respect your players’ privacy.
