Sandeep Chatterjee

Reputation: 3247

Java salted password hashing

I am using this tutorial to implement salted password hashing and would store the hash and salt in a database.

Code:

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Creates the salted hash.
 *
 * @param password
 *            the password
 * @return the map
 */
@SuppressWarnings("unused")
private static Map<byte[], byte[]> createSaltedHash(String password) {

    Map<byte[], byte[]> saltedHash = new HashMap<byte[], byte[]>();
    byte[] hash = null;
    byte[] salt = null;
    final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";

    // The following may be changed without breaking existing hashes.
    final int SALT_BYTE_SIZE = 24;
    final int HASH_BYTE_SIZE = 24;
    final int PBKDF2_ITERATIONS = 1000;
    final int ITERATION_INDEX = 0;
    final int SALT_INDEX = 1;
    final int PBKDF2_INDEX = 2;

    SecureRandom secureRandom = new SecureRandom();
    salt = new byte[SALT_BYTE_SIZE];
    secureRandom.nextBytes(salt);
    //byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);

    PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt,
            PBKDF2_ITERATIONS, (HASH_BYTE_SIZE * 8));
    try {
        SecretKeyFactory skf = SecretKeyFactory
                .getInstance(PBKDF2_ALGORITHM);
        hash = skf.generateSecret(spec).getEncoded();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (InvalidKeySpecException e) {
        e.printStackTrace();
    }

    System.out.println("HASH:" + hash); // Store this in DB
    System.out.println("SALT:" + salt); // Store this in DB
    saltedHash.put(hash, salt);
    return saltedHash;
}

Question:

Why is it that on changing the password string, the salt and hash values remain unchanged?

Upvotes: 0

Views: 460
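The question's method prints the byte[] references and returns two raw arrays; the following is an added example (not code from the question, the tutorial, or any of the answers) that keeps the same PBKDF2 parameters but hex-encodes salt and hash into one storable string and adds a verify step that re-derives the hash and compares it in constant time. It assumes Java 17 or later for java.util.HexFormat; the class and method names are my own.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedHashDemo {
    // Parameters taken from the question (current guidance: stronger PRF, far more iterations).
    static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";
    static final int SALT_BYTE_SIZE = 24, HASH_BYTE_SIZE = 24, PBKDF2_ITERATIONS = 1000;
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
        try {
            return SecretKeyFactory.getInstance(PBKDF2_ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's copy of the password
        }
    }
    // Builds "iterations:saltHex:hashHex": one printable string that holds
    // everything verification needs, instead of two raw byte[] references.
    static String createHash(String password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[SALT_BYTE_SIZE];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
        HexFormat hex = HexFormat.of();
        return PBKDF2_ITERATIONS + ":" + hex.formatHex(salt) + ":" + hex.formatHex(hash);
    }
    // Re-derives the hash with the stored salt and iteration count and compares
    // in constant time, so timing does not reveal how many bytes matched.
    static boolean validatePassword(String password, String stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String[] parts = stored.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = HexFormat.of().parseHex(parts[1]);
        byte[] expected = HexFormat.of().parseHex(parts[2]);
        byte[] actual = pbkdf2(password.toCharArray(), salt, iterations, expected.length);
        return MessageDigest.isEqual(expected, actual);
    }
    public static void main(String[] args) throws Exception {
        String stored = createHash("correct horse");
        System.out.println("stored: " + stored);
        System.out.println("same password ok: " + validatePassword("correct horse", stored));
        System.out.println("other password ok: " + validatePassword("wrong", stored));
    }
}
```

Each run of main prints a different salt and hash because the salt is freshly drawn from SecureRandom; the stored string, not the two arrays, is what goes into the database column.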

Answers (3)

kervin

Reputation: 11858

You'd need to print the byte array as a string...

Using Apache Commons Codec to print the contents of the byte[]:

System.out.println( String.format("HASH : %s", Hex.encodeHexString( hash ) ));
System.out.println( String.format("SALT : %s", Hex.encodeHexString( salt ) ));

Upvotes: 2

Nicolai

Reputation: 5797

I tried your last code and I see that each time hash and salt have new values.

Use Arrays.toString to dump values, you'll see that both values change:

    System.out.println("HASH:" + Arrays.toString( hash ) ); // Store this in DB
    System.out.println("SALT:" + Arrays.toString( salt ) ); // Store this in DB

Upvotes: 2

Hakim

Reputation: 504

You should use:

System.out.println("HASH:" + Arrays.toString(hash)); // Store this in DB
System.out.println("SALT:" + Arrays.toString(salt)); // Store this in DB

Upvotes: 2
