Search the Community

Hey guys, Today I'm making a guide on how you can encrypt your player(s) passwords! I made this initially for PlatinumPS (Now leaked) Note: We will be saving the encryption key as plaintext in the server files for this tutorial. This is obviously a terrible idea for most applications, however you can adapt the code to store the key somewhere else if you want to. The purpose of doing this is to stop people who gain unauthorised access to your player files from using the passwords nefariously. First step - Creating Encryptor.java in your server files. I have left an example key as you'll see. Change this! Encryptor.java package com.platinum.tools; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Base64; import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; public class Encryptor { private static SecretKeySpec secretKey; private static byte[] key; public static String globalKey = "uHyowSN7^QmDss!!PP"; <-- CHANGE public static void setKey(String myKey) { MessageDigest sha = null; try { key = myKey.getBytes(StandardCharsets.UTF_8); sha = MessageDigest.getInstance("SHA-1"); key = sha.digest(key); key = Arrays.copyOf(key, 16); secretKey = new SecretKeySpec(key, "AES"); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } } public static String encrypt(String strToEncrypt, String secret) { try { setKey(secret); Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); return Base64.getEncoder().encodeToString(cipher.doFinal(strToEncrypt.getBytes(StandardCharsets.UTF_8))); } catch (Exception e) { System.out.println("Error while encrypting: " + e); } return null; } public static String decrypt(String strToDecrypt, String secret) { try { setKey(secret); Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING"); cipher.init(Cipher.DECRYPT_MODE, secretKey); return new String(cipher.doFinal(Base64.getDecoder().decode(strToDecrypt))); } catch (Exception e) { System.out.println("Error while decrypting: " + e); } return null; } //This is a test method to prove the concept. /*public static void main(String[] args) { final String secretKey = "my super amazing key"; String originalString = "rspshub.com"; String encryptedString = Encryptor.encrypt(originalString, secretKey) ; String decryptedString = Encryptor.decrypt(encryptedString, secretKey) ; System.out.println(originalString); System.out.println(encryptedString); System.out.println(decryptedString); }*/ } Next - Using the methods So, we want to encrypt a players password, and then upon login, we also want to decrypt it. Go ahead and open PlayerLoading.java and PlayerSaving.java. In your PlayerSaving file, replace your previous password line with: PlayerSaving.java object.addProperty("password", Encryptor.encrypt(player.getPassword().trim(), Encryptor.globalKey)); Now, in your player loading file, replace your previous password loading with this; (If your code didn't have the bottom part, just take the top parts that actually handle the encryption) PlayerLoading.java if (reader.has("password")) { String password = reader.get("password").getAsString(); byte[] passBytes = password.getBytes(); if (passBytes.length >= 16) { //This is included to check if the password is already encrypted. If it's not, it will not try to decrypt, and will handle as plaintext. password = Encryptor.decrypt(password, Encryptor.globalKey); System.out.println("Decryption Success"); } if(!force) { if (!player.getPassword().equals(password)) { return LoginResponses.LOGIN_INVALID_CREDENTIALS; } } player.setPassword(password); } The code above allows you to implement this onto a server without deleting all of the old accounts that don't have an encrypted password. Please note - You can NEVER change the encryption key without decrypting all passwords first! You could edit the method to decrypt with the current, and then re-encrypt with a new key if you really wanted to. If anyone finds out your key, you're a moron. Be safe, respect your players privacy. Before: After: I also made a command that I recommend only for server owners. This allows you to recover a decrypted password from a player, even when offline. if (command[0].equals("getpass")) { String targetName = wholeCommand.substring(command[0].length() + 1); DiscordMessenger.sendStaffMessage("**" + player.getUsername() + " just requested " + targetName + "'s password!**"); File playerFile = new File("data/saves/characters/" + targetName + ".json"); if (!playerFile.exists()) { player.sendMessage("Player file not found!"); return; } try (FileReader fileReader = new FileReader(playerFile)) { JsonParser fileParser = new JsonParser(); JsonObject reader = (JsonObject) fileParser.parse(fileReader); if (reader.has("password")) { String password = reader.get("password").getAsString(); byte[] passBytes = password.getBytes(); if (passBytes.length >= 16) { //This is included so that it can encrypt passwords that are not currently encrypted. password = Encryptor.decrypt(password, Encryptor.globalKey); } player.sendMessage(targetName + "'s pass is: " + password); } } catch (Exception e) { System.out.println("Error getting pass " + e); } }