-1

I'm trying to write a new method for the code in Wasabi A/B's LoginToken.java class. The class defines a class of type LoginToken and implements a hashCode() method. As of now, the method reads:

@Override
public int hashCode() {
    return HashCodeBuilder.reflectionHashCode(this);
}

However, I understand that HashCodeBuilder is not that secure, from the Apache Commons description. The file itself imports org.apache.commons.lang3.builder.HashCodeBuilder;. Ideally, I want to do SHA256; I got the idea here. What should I change to achieve this?

  • 1
    There is no way for a hash function with an output of 32 bits to be secure in all the normal ways that cryptographically secure hash functions are. The usual security requirement for functions like Java's `hashCode` is that they be resistant to hash flooding denial of service attacks when used to build data structures for lookups. – President James K. Polk Nov 13 '19 at 21:20
  • @JamesReinstateMonicaPolk how can I at least make this closest to "cryptographically secure" as possible? – Jerry Atric Nov 13 '19 at 21:31
  • Step 1: Figure out what you want to use the hash for. Step 2: Pick the already developed correct hash suggested by the answer to step 1. – President James K. Polk Nov 13 '19 at 21:33

1 Answer

3

Hashcode in Java is used for different purposes than a SHA256 hashcode would be used for. Hashcode in Java is for use in collections. A SHA256 hashcode would be used for authentication of data. Yes, the two are both hashes, but they are not the same.

... plus there is no way to implement a SHA1 hashcode from the hashCode method in java.lang.Object, as this method is defined to return an int, and a SHA1 hashcode is going to be much bigger.

ControlAltDel
  • Trimming is the easier way. – kelalaka Nov 13 '19 at 20:40
  • @kelalaka once you trim though, your hashcode is no longer going to be cryptographically secure – ControlAltDel Nov 13 '19 at 20:42
  • That depends on [the requirement](https://crypto.stackexchange.com/q/64314/18298). How much collision resistance do you want? How much pre-image and second pre-image resistance do you want? All of that must be answered. Remember SHA-224 is truncated SHA-256 with different initial values. – kelalaka Nov 13 '19 at 20:45
  • @kelalaka but then what's the point of calculating a SHA-256? It would create a lot of unnecessary processing just to return a much simpler hashcode. In fact this extra processing could very well make it more costly than hash collision – ControlAltDel Nov 13 '19 at 20:51
  • @kelalaka we simply want the most secure and easy to implement substitute to this function we can get. – Jerry Atric Nov 13 '19 at 21:14
  • @JerryAtric security has nothing to do with java.lang.Object.hashCode(); making this method more *secure* achieves nothing – ControlAltDel Nov 13 '19 at 21:17
  • @ControlAltDel but this is not java.lang.Object.hashCode(), this is Apache's hashCodeBuilder, an instance of which is returned in the hashCode() implementation in question – Jerry Atric Nov 13 '19 at 21:20
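As an added illustration of the distinction the answer draws (this is not code from Wasabi or from the answerer), here is a hypothetical token class with a collections-grade hashCode() derived from its fields next to a separate full SHA-256 digest for data-integrity use; the field names username and token are assumed, since the page does not show LoginToken's fields. The last method shows what "SHA-256 as hashCode" would actually leave once forced into an int.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;

// Hypothetical stand-in for Wasabi's LoginToken; the real class's fields are not shown above.
public final class LoginTokenExample {
    private final String username;
    private final String token;

    public LoginTokenExample(String username, String token) {
        this.username = Objects.requireNonNull(username);
        this.token = Objects.requireNonNull(token);
    }

    // Collections contract: hashCode() must agree with equals(); it is a 32-bit bucket index.
    @Override
    public boolean equals(Object o) {
        if (!(o instanceof LoginTokenExample)) return false;
        LoginTokenExample other = (LoginTokenExample) o;
        return username.equals(other.username) && token.equals(other.token);
    }

    @Override
    public int hashCode() {
        return Objects.hash(username, token);
    }

    // Data-integrity use: the full 256-bit digest over an unambiguous encoding of the fields.
    public byte[] sha256Digest() {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (String field : new String[] { username, token }) {
                byte[] bytes = field.getBytes(StandardCharsets.UTF_8);
                md.update(ByteBuffer.allocate(4).putInt(bytes.length).array()); // length prefix
                md.update(bytes);
            }
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    // What "SHA-256 as hashCode" amounts to: only the first 4 of the 32 digest bytes survive.
    public int truncatedDigestAsInt() {
        return ByteBuffer.wrap(sha256Digest()).getInt();
    }
}
```

Comparing `new LoginTokenExample("alice", "constructed-sample-token").hashCode()` with `truncatedDigestAsInt()` on the same object makes the point concrete: both are 32-bit values, and neither gives the collision or pre-image resistance that the full digest from `sha256Digest()` does.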