CODEWITHSUNDEEP
javaspring-securitysha256
user5268786
user5268786

Reputation:

Compare two hashed password using same salt using SHA-256 algorith in Java, Spring security?

I need some guidance on the scenario where I need to check the password coming from UI form (i.e, Authentication object) which I need to hashed using SHA-256 + constant salt(before making comparison) and password coming from DB (DB also has hashed password + salt) using Spring Security.

I am looking to compare these two different hashed value generated using same SALT value. How we can do it in java? Could anyone please share me a sample code?

Upvotes: 1

Views: 16281

Answers (2)

jHilscher
jHilscher

Reputation: 1868

You could simply compare the two password strings passwordA.equals(passwordB) ...

This has some security shortcomings:

  1. Passwords should not be handled as strings, but as char or byte arrays: see here why

  2. An Equal comparison is (theoretically) vulnerable to a timing-attack: see a discussion about a solution in java

  3. It might be wise to use standard-tool to do security related things (even when they seem to be simple). Spring security has a ton of tools that can do that for you. Have a look at BCryptPasswordEncoder for example. Using well tested and maintained frameworks for security purposes is always a good idea.

     BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
 String hashedPassword = passwordEncoder.encode(password);
 ...
 boolean result = passwordEncoder.matches(rawPassword, hashedPassword);

Also: Use a proper Algorithm for Password-Hashing! See this Answer on SO for some proposals

SHA-256 is not one of them. Spring Security gives you the right tools for the jobs, so you could just use them.

Upvotes: 6

PAA
PAA

Reputation: 12005

It looks to me you're looking to compare two separate hashed values created using same salt. Am I right ? If yes, so here is the sample program taking a reference from https://ashishpshukla.wordpress.com/2010/07/02/sample-java-code-for-password-encryption-using-secure-hash-algorithm-sha-256/

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

public class PasswordEncoder {
    private static PasswordEncoder instance;
    private final static int ITERATION_COUNT = 5;

    private PasswordEncoder() {  }

    public static synchronized PasswordEncoder getInstance() {
        if (instance == null) {
            PasswordEncoder returnPasswordEncoder = new PasswordEncoder();
            return returnPasswordEncoder;
        }
        else
            return instance;
    }

    public synchronized String encode(String password, String saltKey)throws NoSuchAlgorithmException, IOException {
        String encodedPassword = null;
        byte[] salt = base64ToByte(saltKey);

        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.reset();
        digest.update(salt);

        byte[] btPass = digest.digest(password.getBytes("UTF-8"));
        for (int i = 0; i < ITERATION_COUNT; i++) {
            digest.reset();
            btPass = digest.digest(btPass);
        }

        encodedPassword = byteToBase64(btPass);
        return encodedPassword;
    }

    private byte[] base64ToByte(String str) throws IOException {
        BASE64Decoder decoder = new BASE64Decoder();
        byte[] returnbyteArray = decoder.decodeBuffer(str);
        return returnbyteArray;
    }

    private String byteToBase64(byte[] bt) {
        BASE64Encoder endecoder = new BASE64Encoder();
        String returnString = endecoder.encode(bt);
        return returnString;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        String password = "Secrete@343";
        String saltKey = "PveFT7isDjGYFTaYhc2Fzw==";
        String hash1,hash2 = null;

        // Assume from UI
        PasswordEncoder encoder1 = PasswordEncoder.getInstance();
        hash1 = encoder1.encode(password, saltKey);
        System.out.println(hash1);

        // Assume the same present in db
        PasswordEncoder encoder2 = PasswordEncoder.getInstance();
        hash2 = encoder2.encode(password, saltKey);
        System.out.println(hash2);

        if(hash1.equalsIgnoreCase(hash2))
            System.out.println("Both hash Matches..");
        else
            System.out.println("Hash matches fails..");
    }
}

The output: 

8WgbLik5EbdtJY4OWm2ZQ0tHiU2lmvXNVrPhFDz3W2Y=
8WgbLik5EbdtJY4OWm2ZQ0tHiU2lmvXNVrPhFDz3W2Y=
Both hash Matches..

Upvotes: 2

Related Questions