I am using build in Jboss login-module. It has to encode what user entered as a password and compare with encrypted password in db.
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="base64"/>
For storing password in db I use following line
newUser.setPassword(DatatypeConverter.printBase64Binary(purePassword.getBytes("UTF-8")));
When I debug my application it appears:
encrypted password from DB = MTIzNDU2Nzg=
encrypted password from
user login = JdVa0oOqQAr0ZMdtcTwHrQ==
Questions:
What is happening? When do jboss use base64 algorithm and when md5
What is the difference between hashAlgorithm and hashEncoding?
What is happening? When do jboss use base64 algorithm and when md5
MD5 is the hash algorithm and Base64 is the output character encoding.
A character encoding is what defines which characters correspond to a byte or series of bytes.
MD5 is a cryptographic hash algorithm that produces a 16-byte output of 8-bit bytes, not characters. Not all 8-bit bytes are printable characters.
Base64 accepts an array of bytes and produces a printable character string. It is generally used the an array of bytes needs to be encoded to a printable character string.
What is the difference between hashAlgorithm and hashEncoding?
Some hash functions allow specification of the hash algorithm hashAlgorithm such as MD5, SHA1, SHA-256, etc that is used to hash the output encoding hashEncoding such as hexadecimal or Base64. This allows one function call to both hash the input with a selected hash algorithm and selected output encoding in one call.
Related
I am using org.apache.commons.codec.digest.DigestUtils for sha256 implementation like below.
DigestUtils.sha256Hex("myString")
this is returning 64characters hash String. But I need only 32characters hashed String.
How to hash the String value using SHA-256 with only 32 characters hashed value?
As the name SHA-256 implies, the hash consists of 256 bits, i.e. 64 characters (256 / 4 = 64) in the hex representation.
If you want 32 characters, you'd have to use the MD5 algorithm:
DigestUtils.md5Hex("myString")
But if you really need to use 32 characters from a 64 character string, you can use String#substring() - (which I would definitely not recommend, rather use MD5):
String hash64 = "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08";
String hash32 = hash64.substring(0, 32): // 9F86D081884C7D659A2FEAA0C55AD015
I was referring this site for RC4 encryption.
there they are getting 2 outputs after encryption one hexadecimal output and other is hexadecimal converted to special characters.
like in the following image
I was able to replicate the hexadecimal output in java.
My problem is:
what type of conversion is this?
It seems to be the characters as obtained by interpreting the bytes as characters encoded using ISO-88659-1.
I am writing a basic password cracker for the MD5 hashing scheme against a Linux /etc/shadow file. When I use commons.codec's DigestUtils or Crypt libraries, the hash length for them are different (among other things).
When I use the Crypt.crypt(passwordToHash, "$1$Jhe937$") the output is a 22-character string. When I use the DigestUtils.md5[Hex](passwordToHash + "Jhe937")(or the Java MessageDigest class) the output is a 32-character string (after converted). This makes no sense to me.
aside: is there no easy way to convert the DigestUtils.md5(passwordToHash)'s byte[] to a String. I've tried all* the ways and I get all non-valid output: Nz_èJÓ_µù[î¬y
*all being: new String(byte[], "UTF-8") and convert to char then to String
The executive summary is that while they'll perform the same hashing, the output format is different between the two so the lengths will be different. Read on for details.
MD5 is a message digesting algorithm that produces a 16 byte hash value, always (assuming valid input, etc.) Those bytes aren't all printable characters, they can take any value from 0-255 for any of the bytes, while the printable characters in ASCII are in the range 32-126.
DigestUtils.md5(String) generates the MD5 of the string and returns a 16 element byte array. DigestUtils.md5Hex(String) is a convenience wrapper (I'm assuming, I haven't looked at the source, but that's how I'd write it :-) ) around DigestUtils.md5 that takes the 16 element byte array md5 produces and base16 encodes it (also known as hex encoding). That replaces each byte with the equivalent two hex characters, which is why you get a 32 character String out of it.
Crypt.crypt uses a special format that goes back to the original Unix method of storing passwords. It's been extended over the years to use different hash/encryption algorithms, longer salts, and additional features. It also encodes it's output to be printable text, which is where the length difference is coming from. By using a salt of "$1$...", you're saying to use MD5, so the password plus the salt will be hashed using MD5, resulting in 16 bytes as expected, but because those bytes aren't necessarily printable, the hash is base64 encoded (using a slightly different alphabet than the standard base64 encoding), which replaces 3 bytes with 4 printable characters. So 16 bytes becomes 16 / 3 * 4 = 21-1/3 characters, rounded up to 22.
On your aside, DigestUtils.md5 produces 16 bytes, but those bytes can have any value from 0 to 255 and are (effectively) random. new String(byte[], "UTF-8") says the bytes in the byte array are a UTF-8 encoding, which is a very specific format. new String does it's best to treat the bytes as a UTF-8 encoded string, but because they're really not, you generally get gibberish out. If you want something printable, you'll have to use something that takes random bytes, not bytes in a specific format (like UTF-8). Two popular options are base16/hex encoding, which you can get with DigestUtils.md5Hex, or base64, which you can get with Base64.encodeBase64String(DigestUtils.md5(pwd + salt)).
I've got a code like this where in the encoding i convert the letters to bytes and then flip them with unary bitwise complement ~ at the end convert it to String.
After that i want to decrypt it with a similar method. The problem is that for two similar input Strings (but not the same) i get the same encoded String with the same hashcode.
Does the String(bytes) method lose the information because the bytes are negative or can i retrieve it somehow without changing my encryption part?
thanx
static String encrypt(String s){
byte[] bytes=s.getBytes();
byte[] enc=new byte[bytes.length];
for (int i=0;i<bytes.length;i++){
enc[i]=(byte) ~bytes[i];
}
return new String(enc);
}
static String decrypt(String s){
...
You should never use new String(...) to encode arbitrary binary data. That's not what it's there for.
Additionally, you should only very rarely use the default platform encoding, which is what you get when you call String.getBytes() and new String(byte[]) without specifying an encoding.
In general, encryption converts binary data to binary data. The normal process of encrypting a string to a string is therefore:
Convert the string into bytes with a known encoding (e.g. UTF-8)
Encrypt the binary data
Convert the encrypted binary data back into a string using base64.
Base64 is used to encode arbitrary binary data as ASCII data in a lossless fashion. Decryption is just a matter of reversing the steps:
Convert the base64 text back to a byte array
Decrypt the byte array
Decode the decrypted byte array as a string using UTF-8
(Note that what you've got currently is not really encryption - it's obfuscation at best.)
Your effectively converting arbitrary byte data into a String.
That's not what that constructor is for.
The String constructor that takes a byte[] is meant to convert text in the platform default encoding into a String. Since what you have is not text, the behaviour will be "bad".
If, for example, your platform default encoding is a 8-bit encoding (such as ISO-8859-*), then you'll "only" get random characters.
If your platform default encoding is UTF-8 you'll probably get random characters and some replacement characters for malformed byte sequences.
To summarize: don't do that. I can't tell you what to do instead, since it's not obvious what you're trying to achieve.
I don't want to calculate a file's checksum, just to know if a given string is a valid checksum
SHA1 verifier:
public boolean isValidSHA1(String s) {
return s.matches("^[a-fA-F0-9]{40}$");
}
MD5 verifier:
public boolean isValidMD5(String s) {
return s.matches("^[a-fA-F0-9]{32}$");
}
Any 160-bit sequence is a possible SHA1 hash. Any 128-bit sequence is a possible MD5 hash.
If you're looking at the hex string representations of them, then a sha1 will look like 40 hexadecimal digits, and an md5 will look like 32 hexadecimal digits.
There is no such thing as an MD5 or SHA-1 string, at least not one that is standardized. All you can test for is the size of the byte array: 16 for MD5 (a hash with an output size of 128 bits) or 20 bytes for SHA-1 (a hash with an output size of 160 bits) encoded using hexadecimal encoding or base 64 encoding.
If you use md5sum then generally the checksum is shown as hexadecimal encoding, using only lowercase characters (followed by the file name or - for standard input). Hexadecimals are generally preferred, but hashes may also contain separator character or use a different encoding such as base 64 or base 64 URL (etc. etc.).
The byte size you are testing for might however belong to an entirely different hash such as RIPEMD that may also have the same output size. Or it may be another value with the same amount of bytes.
MD5 verifier:
public boolean isValidMD5(String s) {
return s.matches("[a-fA-F0-9]{32}");}
And remove "-" of the string value.
RegExp SHA-1
public static final String SHA_1 = "^([0-9A-Fa-f]{2}[:]){19}([0-9A-Fa-f]{2})$";
public boolean isValidSHA1(String s) {
return s.matches(SHA_1);
}
boolean isValidSHA1 = isValidSHA1("12:45:54:3A:99:24:52:EA...");