CODEWITHSUNDEEP
javasecurityservletscryptographysalt-cryptography
student guy
student guy

Reputation: 57

How do I compare salt with a generated password?

So I'm trying to compare my original password to a password that was salted. I know how to compare a hash password, I take the original password add hash to it and it works. However, I don't know how to compare the salt. 

public static String saltPassword(String password) throws NoSuchAlgorithmException{
     String salt = getSalt();
     return password + salt;
 }
public static String getSalt(){
     Random r = new SecureRandom();
     byte[] saltBytes = new byte[32];
     r.nextBytes(saltBytes);
     return Base64.getEncoder().encodeToString(saltBytes);
 }

What do I have to do to compare the original password with this?

this is literally what my assignment says, "Compare the generated password with the stored salt and hashed password".

Upvotes: 1

Views: 1204

Answers (3)

Stephen C
Stephen C

Reputation: 719259

How do I compare salt with a generated password?

What do I have to do to compare the original password with this?

The answer is that you don't do either if these things.

To register the original password you do the following:

  1. Obtain a salt1
  2. Combine the original password with the salt
  3. Hash that.
  4. Store the salt and the hash.

You then discard the original password.

To check that a supplied password you do the following:

  1. Lookup the stored hash and the corresponding salt that were created when registering; see above.
  2. Combine the supplied password and salt in the same way as above.
  3. Hash that as above.
  4. Compare the resulting hash with the stored hash. If they are the same, then the supplied password is the correct password.

As you can see, you don't compare either the salt or the original password with anything.

But it is also essential that you use the same salt when generating the hashes for the original password and the password that you are checking. If you don't, the password check doesn't work.

1 - The salt is just a number or string. Ideally the salt values should be different. The purpose of the salt is to avoid a so-called "rainbow table" attack to recover the original password from a stolen (un-salted) password hash. If there are (say) a million possible salt values, then the bad guys need to generate a million different rainbow tables. Generating and storing many rainbow tables becomes impractical.

Upvotes: 0

Mohsen Zamani
Mohsen Zamani

Reputation: 506

You should also store the salt. Salt is used to prevenet generating the same hashed password when two user choose same password. something like the following codes can be used for saving password as hashedPassord and verifying entered password.It's not complete but can be used as a sample code.

private static void savePassword(String rawPassword) throws InvalidKeySpecException, NoSuchAlgorithmException {
    byte[] salt = getSalt();
    String hashedPassword = getHashedPassword(rawPassword, salt);
    String encodedSalt = base64Encode(salt);

    /* todo: store hashPassword and encodedSalt */
}

private static boolean verifyPassword(String rawPassword, String hashedPassword, String encodedSalt) throws InvalidKeySpecException, NoSuchAlgorithmException {
    return Objects.equals(hashedPassword, getHashedPassword(rawPassword, base64Decode(encodedSalt)));
}

private static String getHashedPassword(String rawPassword, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
    KeySpec spec = new PBEKeySpec(rawPassword.toCharArray(), salt, 65536, 128);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    byte[] hash = factory.generateSecret(spec).getEncoded();
    return base64Encode(hash);
}

private static byte[] getSalt() {
    Random r = new SecureRandom();
    byte[] saltBytes = new byte[32];
    r.nextBytes(saltBytes);
    return saltBytes;
}

private static String base64Encode(byte[] src) {
    return Base64.getEncoder().encodeToString(src);
}

private static byte[] base64Decode(String src) {
    return Base64.getDecoder().decode(src);
}

Upvotes: 2

student guy
student guy

Reputation: 57

Ok here is what i have. I would love to look up a stored password but my teacher is not doing it that way in her solution video

public static String saltPassword(String password) throws NoSuchAlgorithmException{
     String salt = getSalt();
     return hashPassword(password + salt);
 }
 public static String getSalt(){
     Random r = new SecureRandom();
     byte[] saltBytes = new byte[32];
     r.nextBytes(saltBytes);
     return Base64.getEncoder().encodeToString(saltBytes);
 }
 public static String generatePassword(){
        String charSet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_-+!@#$%";
        String password = "";
        int start = 0;
        int stop = 0;
        int minLength = 8;

        for (int i = 0; i <= minLength; i++) {
                // get a random character from the chars string
                start = getRandomNumber(charSet.length());
                stop = start + 1;
                password += charSet.substring(start, stop);
        }        
        return password;
    }
    private static int getRandomNumber(int maxValue){
        double randomNumber;
        randomNumber = Math.floor(Math.random() * maxValue);

        return (int)randomNumber;
    }
    public static String hashPassword(String password)throws NoSuchAlgorithmException{
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(password.getBytes());
        byte[] mdArray = md.digest();
        StringBuilder sb = new StringBuilder(mdArray.length * 2);
        for (byte b : mdArray){
            int v = b & 0xff;
            if(v < 16){
                sb.append('0');
            }
            sb.append(Integer.toHexString(v));
        }
        return sb.toString();   
    }

Then to create it I am going to go

    String newPassword = PasswordUtil.generatePassword();
    String hashedPassword = "";
    String saltedPassword = "";

try{
            hashedPassword = PasswordUtil.hashPassword(newPassword);
        }
        catch(NoSuchAlgorithmException e){
            System.out.println();
        }
        try{
            saltedPassword = PasswordUtil.saltPassword(hashedPassword);
        }
        catch(NoSuchAlgorithmException e) {
            System.out.println();
        }

What happens next?

this is the hashed password:

50f99d2a635cc9bac7e001506789b55a7c603d93c89d362cc5d95ab257fc2666

and this is the hash with the salt

e954fbc2309cc359cd603effb6d0644947a3253110ad6c3b2416dd49168331a3

Upvotes: 0

Related Questions