4

I'm creating a simple web application and want to store hashed passwords into a database. I need the hash function for the authentication token too (concatenating the user name and the date and send them with their hash to the client as the token).

I've found that MessageDigest Java class can help me with this. Here is one link. The basic idea goes like this:

public String digestString (String stringToHash) throws NoSuchAlgorithmException {
    MessageDigest sha256 = MessageDigest.getInstance("SHA-256");        
    byte[] stringBytes = stringToHash.getBytes();
    byte[] stringDigest = sha256.digest(stringBytes);
    return new String(stringDigest);
}

What I don't get is: In this code, how can I set the hash key? I need to be sure that the same key will be used in the verification process. How can I do that if I don't set the key?

BTW: I know I should add a salt (256 bytes in this case) to the hashed text before hashing it.

Perception
  • 79,279
  • 19
  • 185
  • 195
Roy Tsabari
  • 2,000
  • 6
  • 26
  • 41
  • What do you mean by the hash "key"? If you mean something like HMAC, that would have to be done in a prior step, and then the bytes from that output would be fed into the `MessageDigest` method. The MessageDigest merely hashes a byte array without regard to its contents. – Peter Jan 04 '12 at 18:36
  • @Peter: Actually java has a Mac class and the Oracle providers implement HMAC, so that for example `Mac hmac = Mac.getInstance('HmacSHA1');` works. – President James K. Polk Jan 05 '12 at 01:26

1 Answers1

7

A hash uses no key. It's just a one-way algorithm. You give it something to digest, and it returns a hash. What it guarantees is that it's extremely hard to find the original input or any other input that leads to the same hash.

Your algorithm has two basic problems (besides the lack of salting):

  • it uses String.getBytes(), which relied on the default platform encoding, and thus differs from platform to platform. You should specify an encoding such as UTF-8.
  • it uses new String(byte[]), which has the same problem as above + an additional one: all the sequence of bytes are not valid character. To transform a purely binary byte array into a String, use a base64 encoding algorithm. apache commons codes has one.
JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • Thank you all for your answers. I just realized that this proccess is good just for passwords. it is not good for authentication token... I have to use a key that is hidden for the auth token. – Roy Tsabari Jan 05 '12 at 10:54