[MessageDigest] encrypt a String

Alessandro Ilardo
Ranch Hand

Joined: Dec 23, 2005
Posts: 218
Hi there, I'm trying to encrypt a string and store it in a database field, but the String representation of the byte[] doesn't seem to be fine.
19:57:29,052 DEBUG [Encryptor] [byteToString] the String: �Ǘ����Ϗ�Y

The code is:


Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18545

... but the String representation of the byte[] doesn't seem to be fine.


What do you consider fine? A message digest is binary. When you try to convert it to string, you will have lots of characters outside of the ASCII range -- hence, all those weird characters.

Henry


Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18545

And BTW, if you want to convert the binary byte array to a string with ASCII characters, you may want to run it through an encoder (either uuencode or base64).

Henry
Alessandro Ilardo
Ranch Hand

Joined: Dec 23, 2005
Posts: 218
Thanks for your reply. I don't really know java.security and I only need it to store a password in a database field, but the string must be encoded in an algorithm, then should be readable by containers in order to authenticate the user login.

I usually let MySQL encode the string for me and even if it wasn't a good practice it was fine. Now, I want to move on and let my app do it. It doesn't look fine to me because, as I said, MySQL stored a kind of string having alphanumeric chars and this one has ???.

Would you give some advice on what is best way to achieve what I want?
Does anybody know any good tutorial on the web?

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41137
First of all, a digest is not an encryption. You will not be able to recover the cleartext of anything that has been digested. What you propose is still OK, just keep in mind that if you want to compare the digested password to a second one, then you need to digest the second one, and then compare the digests. But that's standard procedure for storing passwords.

As Henry said, creating a String from the byte[] doesn't make sense. Just store it in the DB as it is (in a binary field, obviously). If for some reason you only have character fields, pass the byte[] through a base64-encoding, thus converting it to ASCII. The Jakarta Commons Codec library can do this.


Alessandro Ilardo
Ranch Hand

Joined: Dec 23, 2005
Posts: 218
hi,
thanks for your help. I added the jakarta-commons-codec and changed my method:

Now I only have alphanumeric chars iceXArQRoLicz4+OAVkPDA==; however, I'm not sure yet to have done the right thing (I'd like to know your opinion on my code above).
Also, looking at the Jakarta API I noticed methods such as md5Hex(byte[] data), which returns a 32-character hex string. But I'd like to know what is the difference between.
Thanks again.
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18545

Now I only have alphanumeric chars iceXArQRoLicz4+OAVkPDA==; however, I'm not sure yet to have done the right thing (I'd like to know your opinion on my code above).


One way to tell if something might be base64 encoded is the equals sign. There should be *no* equals signs in the middle of the string, as base64 doesn't use it as part of the code. The equals sign(s) (at the end) is used by base64 to determine the padding needed to decode it back to binary. In other words, it looks fine to me.


BTW, you will not be decoding it -- as it will not be possible to reverse the message digest. Instead, when you challenge a user for the password, you will digest and base64 encode that, so that you can match the result in the database.

Anyway, I would recommend testing it with a few passwords. Some things to note are:

- The same password should yield the same base64 message digest.
- Passwords that differ slightly should have base64 message digests that differ drastically.
- The generated base64 message digest should be the same size, regardless of the size of the password.

If these are the characteristics, you have probably done it correctly.

Henry
[ March 25, 2007: Message edited by: Henry Wong ]