Encrypt Java password with Hash sha256

Viewed 6,374 times

0

I need to compare the password that the user enters on a login screen with the one saved in the database. I found that when the user is registered, the SHA-256 hash is used to encrypt the password, but I'm unable to find how to encrypt a variable string with the SHA-256 hash. Does anyone have an example of how to do it, or a hint on how to develop it?

4 answers

3

/!\ I have very little knowledge of Java!

SHA-256 was not made for password purposes; for passwords you must use PBKDF2 with SHA-256. However, prefer to choose Bcrypt or Argon2i; PBKDF2 is "ok", but many do not consider it the best.

The difference between Bcrypt/PBKDF2/Argon2i is that they allow you to configure the difficulty; pure SHA-256 is very fast and therefore bad for this purpose. Remember that "human" passwords are usually short and limited, while PBKDF2 iterates to "take longer", increasing the cost of brute force.

The password should be compared in constant time, that is, comparing the whole string and not just "dying" when a character is different; if it does that, it will be exposed to side-channel attacks. Alternatively, use bitwise comparisons (XOR) across the string, so the processing time will be the same whether the first bit is different or only the last.

That said, in Java you can use this implementation, which, as far as I analyzed, satisfies the two points above: it makes bitwise comparisons (via slowEquals()) and by default has a reasonable number of iterations, which can be changed without breaking the hashes already generated. The other problem is whether the conversion to base64 is safe from cache attacks and whether the random number generation source (for the salt) is safe; this I cannot analyze because I have no knowledge of Java.

That implementation originally uses PBKDF2 with SHA-1, but Java 8 has support for PBKDF2WithHmacSHA256, that is, SHA-256, according to this answer.

Following this implementation of PBKDF2, you use:

String hash = createHash("senha");

Then save it in the database; for example, it will result in sha1:64000:18:5Ybc8Ue3EBnLF5Q1eRZj5cUbnH9OGYYG:mTb6Xd35sqw1B9gAcE87vwya, since it has the salt 5Ybc8Ue3EBnLF5Q1eRZj5cUbnH9OGYYG and 64000 iterations.

Afterwards do:

verifyPassword("senha", "sha1:64000:18:5Ybc8Ue3EBnLF5Q1eRZj5cUbnH9OGYYG:mTb6Xd35sqw1B9gAcE87vwya")

to verify that the password saved in the database is equal to the password entered.
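As an added example (not code from this answer or from the linked library), here is a self-contained Java version of the two points above: PBKDF2WithHmacSHA256 for the derivation and a constant-time comparison via MessageDigest.isEqual. The class name Pbkdf2Password, the record layout sha256:iterations:hashBytes:salt:hash and the salt/key/iteration parameters are my own assumptions, chosen to mirror the layout of the record shown above.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2Password {
    // Assumed parameters: 16-byte salt, 32-byte derived key, iteration count that can be raised later.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int SALT_BYTES = 16;
    private static final int HASH_BYTES = 32;
    private static final int ITERATIONS = 64000;

    // Stored record (my own convention, not the linked library's): sha256:iterations:hashBytes:salt:hash
    public static String createHash(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt); // CSPRNG; never java.util.Random for salts
        byte[] hash = pbkdf2(password, salt, ITERATIONS, HASH_BYTES);
        Base64.Encoder b64 = Base64.getEncoder();
        return "sha256:" + ITERATIONS + ":" + HASH_BYTES + ":"
                + b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
    }

    // Re-derives with the parameters stored in the record, so old records stay valid after ITERATIONS is raised.
    public static boolean verifyPassword(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split(":");
        if (parts.length != 5 || !parts[0].equals("sha256")) throw new IllegalArgumentException("bad hash format");
        int iterations = Integer.parseInt(parts[1]);
        int hashBytes = Integer.parseInt(parts[2]);
        byte[] salt = Base64.getDecoder().decode(parts[3]);
        byte[] expected = Base64.getDecoder().decode(parts[4]);
        byte[] actual = pbkdf2(password, salt, iterations, hashBytes);
        return MessageDigest.isEqual(expected, actual); // constant-time: does not stop at the first differing byte
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the password copy held by the spec
        }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        String record = createHash("senha".toCharArray());
        System.out.println(record + " " + verifyPassword("senha".toCharArray(), record)
                + " " + verifyPassword("wrong".toCharArray(), record));
    }
}
```

The same class also compiles as a Groovy script, which is what the question's platform allows.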

2


  import java.security.*

  String password = '201703281329'

  // SHA-256 of the password bytes; change "ASCII" to "UTF-8" if needed
  MessageDigest digest = MessageDigest.getInstance("SHA-256")
  digest.update(password.getBytes("ASCII"))

  byte[] passwordDigest = digest.digest()

  // Render each byte as two lowercase hex digits (Groovy collect/join)
  String hexString = passwordDigest.collect { String.format('%02x', it) }.join()

  • I would need it to be in a language that I could use in a Groovy script, which is what the platform I'm developing on allows

  • This may be useful to you: http://gik.firetrot.com/index.php/2013/04/17/hashing-password-in-java-and-groovy/

  • I managed to solve my problem with your suggestion. :)

  • Could you update your answer with an explanation of what your code does on each line?

0

I don’t know if that’s what you want but

    package teste;

    import java.io.UnsupportedEncodingException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public class TesteAlgoritmo {

        public static void main(String[] args) throws NoSuchAlgorithmException, UnsupportedEncodingException {

            String senha = "admin";

            MessageDigest algorithm = MessageDigest.getInstance("SHA-256");
            byte[] messageDigest = algorithm.digest(senha.getBytes("UTF-8"));

            // Printing the byte[] directly only shows something like "[B@1b6d3586"; render it as hex
            StringBuilder hex = new StringBuilder();
            for (byte b : messageDigest) {
                hex.append(String.format("%02x", b));
            }
            System.out.println(hex);
        }
    }

  • I had already found exactly this same code here: http://www.devmedia.com.br/howfunctiona-hash-hash-em-java/31139 But it didn't work

  • Can you post your code? It's easier

  • I don't have code. I know what the password looks like after going through the hash, and I know what the original password looks like. What I'm doing is assigning the initial value of the password to a variable of type String, and what I need is code that applies the hash to that string, so that I can then compare whether the result is the same as the one registered in the database

0

See if that’s what you need...

    import java.math.BigInteger;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    public static String encriptPassword(String password) throws NoSuchAlgorithmException {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        messageDigest.update(password.getBytes(StandardCharsets.UTF_8)); // no checked UnsupportedEncodingException
        // %064x keeps leading zero bytes, which toString(16) alone would drop
        return String.format("%064x", new BigInteger(1, messageDigest.digest()));
    }

  • I tried your code in Groovy, and it did not do what was proposed

  • Can you give more details on why it didn't do what you wanted? Or what you're really trying to do...

  • I don't have code. I know what the password looks like after going through the hash, and I know what the original password looks like. What I'm doing is assigning the initial value of the password to a variable of type String, and what I need is code that applies the hash to that string, so that I can then compare whether the result is the same as the one registered in the database

  • @R.Santos Okay, I get it. Well, you said that the password is already encrypted in the database... Without knowing how this encryption was done you will never be able to find it. Usually when a password is encrypted a salt is used, which is something that can make your key unique; for example, my salt will be the String carro, and even if someone knows that I use sha256 encryption they will not know my salt and will not find the correct password. Basically what you are trying to do is break sha256 haha. Without the code of how the guy encrypted the password that is in the database, it will not work

  • The strange thing is that this site: http://hashtoolkit.com/generate-hash/? text=d-link123 is doing exactly what I need. I have the password d-link123 for testing, and what the site shows me is what is in the database, so probably there is no salt

  • My code generated the same number as the site >.<
