Flub 1,286 Posted October 6, 2021 Report Share Posted October 6, 2021 Hey guys, Today I'm making a guide on how you can encrypt your player(s) passwords! I made this initially for PlatinumPS (Now leaked) Note: We will be saving the encryption key as plaintext in the server files for this tutorial. This is obviously a terrible idea for most applications, however you can adapt the code to store the key somewhere else if you want to. The purpose of doing this is to stop people who gain unauthorised access to your player files from using the passwords nefariously. First step - Creating Encryptor.java in your server files. I have left an example key as you'll see. Change this! Encryptor.java package com.platinum.tools; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Base64; import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; public class Encryptor { private static SecretKeySpec secretKey; private static byte[] key; public static String globalKey = "uHyowSN7^QmDss!!PP"; <-- CHANGE public static void setKey(String myKey) { MessageDigest sha = null; try { key = myKey.getBytes(StandardCharsets.UTF_8); sha = MessageDigest.getInstance("SHA-1"); key = sha.digest(key); key = Arrays.copyOf(key, 16); secretKey = new SecretKeySpec(key, "AES"); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } } public static String encrypt(String strToEncrypt, String secret) { try { setKey(secret); Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); return Base64.getEncoder().encodeToString(cipher.doFinal(strToEncrypt.getBytes(StandardCharsets.UTF_8))); } catch (Exception e) { System.out.println("Error while encrypting: " + e); } return null; } public static String decrypt(String strToDecrypt, String secret) { try { setKey(secret); Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING"); cipher.init(Cipher.DECRYPT_MODE, secretKey); return new String(cipher.doFinal(Base64.getDecoder().decode(strToDecrypt))); } catch (Exception e) { System.out.println("Error while decrypting: " + e); } return null; } //This is a test method to prove the concept. /*public static void main(String[] args) { final String secretKey = "my super amazing key"; String originalString = "rspshub.com"; String encryptedString = Encryptor.encrypt(originalString, secretKey) ; String decryptedString = Encryptor.decrypt(encryptedString, secretKey) ; System.out.println(originalString); System.out.println(encryptedString); System.out.println(decryptedString); }*/ } Next - Using the methods So, we want to encrypt a players password, and then upon login, we also want to decrypt it. Go ahead and open PlayerLoading.java and PlayerSaving.java. In your PlayerSaving file, replace your previous password line with: PlayerSaving.java object.addProperty("password", Encryptor.encrypt(player.getPassword().trim(), Encryptor.globalKey)); Now, in your player loading file, replace your previous password loading with this; (If your code didn't have the bottom part, just take the top parts that actually handle the encryption) PlayerLoading.java if (reader.has("password")) { String password = reader.get("password").getAsString(); byte[] passBytes = password.getBytes(); if (passBytes.length >= 16) { //This is included to check if the password is already encrypted. If it's not, it will not try to decrypt, and will handle as plaintext. password = Encryptor.decrypt(password, Encryptor.globalKey); System.out.println("Decryption Success"); } if(!force) { if (!player.getPassword().equals(password)) { return LoginResponses.LOGIN_INVALID_CREDENTIALS; } } player.setPassword(password); } The code above allows you to implement this onto a server without deleting all of the old accounts that don't have an encrypted password. Please note - You can NEVER change the encryption key without decrypting all passwords first! You could edit the method to decrypt with the current, and then re-encrypt with a new key if you really wanted to. If anyone finds out your key, you're a moron. Be safe, respect your players privacy. Before: After: I also made a command that I recommend only for server owners. This allows you to recover a decrypted password from a player, even when offline. if (command[0].equals("getpass")) { String targetName = wholeCommand.substring(command[0].length() + 1); DiscordMessenger.sendStaffMessage("**" + player.getUsername() + " just requested " + targetName + "'s password!**"); File playerFile = new File("data/saves/characters/" + targetName + ".json"); if (!playerFile.exists()) { player.sendMessage("Player file not found!"); return; } try (FileReader fileReader = new FileReader(playerFile)) { JsonParser fileParser = new JsonParser(); JsonObject reader = (JsonObject) fileParser.parse(fileReader); if (reader.has("password")) { String password = reader.get("password").getAsString(); byte[] passBytes = password.getBytes(); if (passBytes.length >= 16) { //This is included so that it can encrypt passwords that are not currently encrypted. password = Encryptor.decrypt(password, Encryptor.globalKey); } player.sendMessage(targetName + "'s pass is: " + password); } } catch (Exception e) { System.out.println("Error getting pass " + e); } } Link to comment Share on other sites More sharing options...
shadowisdom 1 Posted February 6, 2022 Report Share Posted February 6, 2022 thanks for this Link to comment Share on other sites More sharing options...
0117be 66 Posted June 2, 2022 Report Share Posted June 2, 2022 im sure it will come in handy for many. Link to comment Share on other sites More sharing options...
Sparry 0 Posted May 10, 2023 Report Share Posted May 10, 2023 Wow thanks! Link to comment Share on other sites More sharing options...
umix 0 Posted June 11, 2023 Report Share Posted June 11, 2023 Its cool to see how you set this code up. Thanks for sharing. Link to comment Share on other sites More sharing options...
Fat nerd 0 Posted July 13, 2023 Report Share Posted July 13, 2023 Thanks for this Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now