Question

I'm writing a Client Server application. The communication between Client and Server uses Java RMI. I've set up RMI so that it uses SSLSockets, so the communication is secure. But now I want my Client to enter a password; the password needs to be sent to the Server and stored there in a secure way.

  • Question 1: Do I need to encrypt this password when I send it, or is the use of SSLSockets enough?

  • Question 2: I was thinking about encrypting it using a hash function (like SHA1) on the Server and then comparing it with the stored value.

  • Question 3: How can I store these passwords in a secure way? I want to store them locally. Should I create a database and store the encrypted passwords? What are the common practices for this?


Solution

Question 1:

It depends on security requirements. For most cases it's enough.

Question 2:

Here you can find a way to calculate SHA1 of string: Java String to SHA1

Question 3:

Storing passwords in some particular table in a database is quite a common practice. I recommend using hashed passwords together with a so-called salt, so the protocol is:

  • User is registering or changing password and sending you his/her password.
  • We generate some long random string which we are going to use as salt.
  • Now, we need to calculate the value we're going to store in the database.

Assuming you have a sha1() method that performs hash calculation:

    String salt = generateLongRandomString();
    String hashToStore = sha1(sha1(password) + salt);

  • Now, we need to store in the database at least three fields for each user: username or something similar, maybe email; hashToStore; salt.

Ok, next step is authentication.

  • User wants to authenticate and sends you his password.
  • You retrieve the stored hash and salt for this user, searching by username or email.
  • You recalculate the hash using the formula I wrote above and compare it with the stored value. If it matches, the user is authentic and you may inform him/her about it.
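The registration and authentication steps above, as an added example that is not part of the answer: it follows the answer's formula with SHA-1, stands in for the database with an in-memory map, and assumes the names generateLongRandomString(), register() and authenticate() (the answer only names the first). The salt comes from SecureRandom and the comparison is constant-time; for a real deployment a deliberately slow password hash such as PBKDF2 (in the JDK as PBKDF2WithHmacSHA1) would replace the plain SHA-1 step.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SaltedPasswordStore {
    // Constructed stand-in for the database table: username -> {hashToStore, salt}
    private final Map<String, String[]> table = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Hex-encoded SHA-1 of a string (the sha1() helper the answer assumes)
    static String sha1(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Long random salt: 32 bytes from a CSPRNG, Base64-encoded for storage
    String generateLongRandomString() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    // Registration / password change: store only hashToStore and salt, never the password
    void register(String username, String password) {
        String salt = generateLongRandomString();
        String hashToStore = sha1(sha1(password) + salt);
        table.put(username, new String[] {hashToStore, salt});
    }

    // Authentication: recompute with the stored salt, compare without an early exit
    boolean authenticate(String username, String password) {
        String[] row = table.get(username);
        if (row == null) return false;
        String recomputed = sha1(sha1(password) + row[1]);
        return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.UTF_8),
                                     row[0].getBytes(StandardCharsets.UTF_8));
    }
}
```

A lookup for an unknown username returns false without hashing, so the caller should treat "no such user" and "wrong password" identically in any message sent back to the Client.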
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow