Is there a way to obfuscate part of an XML attribute?

I want to encrypt the user= and password= part of the following XML attribute so no one looking at the file can see the password. Is there any way to do that using Java DOM?

<connectionString="Data Source=Winserver\sqlexpress;Initial Catalog=haven;Integrated Security=false;user=admin;password="/>

If you can answer with Java code, that would be great.

Thank you!

A: 

It is possible to encrypt XML Data.

Have a look at http://www.w3.org/Encryption/2001/ for more information.

I guess there are many ways to do that in Java; depending on your XML API you already have built-in support for that. You may also wanna have a look at the Java digital signature API: http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/

Nils Schmidt
+1  A: 

I am not a Java guy, though. But I can help you with some procedures.

  1. Find some encryption algorithm and base64 encoder
  2. Encrypt your password with a static seed that only your program knows and base64 encode it.
  3. Put the base64 encoded string next to password=

For decoding

  1. Parse the base64 encoded portion of the password.
  2. Decode the password with base64.
  3. And decrypt the password with your seed.
  4. Replace the base64 encoded string with your decoded/decrypted password.

You can try encryption algorithms like AES, Twofish.

Munim Abdul
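
The encrypt-then-base64 procedure from the answer above, as an added example in Java that is not part of the original answer: it uses AES-GCM from `javax.crypto` on the `password=` value of the connection string. The class and method names are hypothetical, the key is generated in `main` only for the demo, and reading or writing the attribute through DOM is left to the caller.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not code from the page.
public class ConnStringProtector {
    private static final Pattern PASSWORD = Pattern.compile("(?i)(password=)([^;]*)");
    private static final int NONCE_LEN = 12, TAG_BITS = 128;

    // Replace the clear-text password value with base64(nonce || ciphertext || tag).
    static String protect(String connString, byte[] key) throws Exception {
        Matcher m = PASSWORD.matcher(connString);
        if (!m.find()) return connString;
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);            // fresh nonce for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(m.group(2).getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, blob, 0, nonce.length);
        System.arraycopy(ct, 0, blob, nonce.length, ct.length);
        String enc = Base64.getEncoder().encodeToString(blob);
        return new StringBuilder(connString).replace(m.start(2), m.end(2), enc).toString();
    }

    // Reverse of protect(); doFinal throws AEADBadTagException if the value was altered or the key is wrong.
    static String reveal(String connString, byte[] key) throws Exception {
        Matcher m = PASSWORD.matcher(connString);
        if (!m.find()) return connString;
        byte[] blob = Base64.getDecoder().decode(m.group(2));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        byte[] pt = c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
        return new StringBuilder(connString).replace(m.start(2), m.end(2), new String(pt, StandardCharsets.UTF_8)).toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                      // constructed demo key; keep the real one outside the XML file
        new SecureRandom().nextBytes(key);
        String original = "Data Source=Winserver\\sqlexpress;Initial Catalog=haven;Integrated Security=false;user=admin;password=example-pw"; // constructed sample
        String stored = protect(original, key);
        System.out.println(stored);                              // password= now holds base64 text
        System.out.println(reveal(stored, key).equals(original)); // true
    }
}
```

A key compiled into the program can be recovered by anyone who has the program, so this protects the file only when the key is stored and access-controlled separately from it.
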
A: 

I believe the common way of keeping the connection string of an ASP.NET application private is to put the connection string in the registry of the web server and then just load that value in the ASP website.

But even if you were opposed to the registry or wanted a cross-platform method, I think your best bet is to put the string someplace where outsiders can't read it. This may be outside the root web site directory (if this is a website), or prompt the user for it (don't store it at all), or hide it someplace else. On a Linux box, you could even chmod 700, to limit access only to the user that runs the Java program.

Ricket