Win a copy of Design for the Mind this week in the Design forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Using a one way hash for Password encryption

 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi ,
I am using the Digest "SHA-1" for encrytion however I need to decrypt this again to logon to machine. How can I decrypt the one way hash - Is there a simple method to do this in Java.

Please help ..
 
marc weber
Sheriff
Posts: 11343
Java Mac Safari
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
"terry," please check your private messages by clicking on My Private Messages. Thanks!
 
fred rosenberger
lowercase baba
Bartender
Pie
Posts: 12097
30
Chrome Java Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can't. If it truly is a one-way encryption (and I don't know if the SHA-1 is or not), the whole POINT is that you can't reverse it. that's what "one-way" means. a simple example is simply taking the sine of a value. If i said "the sine of the number is 0.91354545764260089550212757198532", you have no way to know if my original number was 114, 474, 834, or 465,456,354 (or any of the other infinite possibilities).

Note: one of my friends suggested that you could also hack into the NSA, and hunt around and see if they have a 'back-door' way to decrypt this, but I'd personally recommend against that.
[ August 25, 2008: Message edited by: fred rosenberger ]
 
Rob Spoor
Sheriff
Pie
Posts: 20510
54
Chrome Eclipse IDE Java Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you need to reverse it you'll need a two-way encryption algorithm like Blowfish.
 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Is there any java code snippet examples of this method for both encryption and decryption ..

Thanks any help much appreciated ..
 
Bill Cruise
Ranch Hand
Posts: 148
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Terry, I'm not sure if this will help, but here's how encrypted passwords are typically handled.

1. Store the user's login name and encrypted password.
2. When the user logs in, collect their username and password.
3. Encrypt the supplied password with the same algorithm as in step #1.
4. Compare the two encrypted strings to see if they are the same.

This is greatly simplified, and of course I'm leaving out salting your password, which you should do, but this should give you the basic idea.
 
Jelle Klap
Bartender
Posts: 1951
7
Eclipse IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Why would you need to be able to decrypt a user's password?
More commonly a cryptographic hash function, like SHA-1, would be used to create a digest of the users plain text password combined with some sort of salt. The salt and the resulting digest are stored in the database and used to verify user supplied security credentials.

You were on the right track using SHA-1, but maybe you should read up on related security principles.

Edit: I'm such a slowpoke

As long as I'm editting anyway.
It's entirely possible to perform a reverse lookup for a particular digest and recover a plaintext value that would likely equal the original plaintext password value.
[ August 26, 2008: Message edited by: Jelle Klap ]
 
Pat Farrell
Rancher
Posts: 4678
7
Linux Mac OS X VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by terry:
I am using the Digest "SHA-1" for encrytion however I need to decrypt this again to logon to machine. How can I decrypt the one way hash - Is there a simple method to do this in Java.


A SHA or a MD5 is a one-way hash, not a cipher. You can never go from the hash value to the clear text.

This is good. It helps security.

If the user forgets the password, you say "we can not tell you it, for security reasons, but we can reset it for you and it will be valid for one use"

You never, ever, want be able to see the clear text of the password. You don't want your tech support folks do be able to.
 
Pat Farrell
Rancher
Posts: 4678
7
Linux Mac OS X VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Rob Prime:
If you need to reverse it you'll need a two-way encryption algorithm like Blowfish.


True, but he has no need to reverse it. Just use it one-way.
 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I need to reverse it - this is an internal app where by the user remotely logins via another application so in this case e.g telnet hostname user password , so in this case i need to read back the encrypted password from the file to login into the machine as that user .
 
Ernest Friedman-Hill
author and iconoclast
Marshal
Pie
Posts: 24208
35
Chrome Eclipse IDE Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Then you need to use something else to store the encrypted passwords, as was previously stated.
 
Henry Wong
author
Marshal
Pie
Posts: 20989
76
C++ Chrome Eclipse IDE Firefox Browser Java jQuery Linux VI Editor Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
On the rare cases where the passwords needs to be reversed, I generally use a convoluted technique of taking an "internal" password, generating a key using a hash, and then using the key to decrypt, with lots and lots of "munging".

Regardless, there is nothing stopping someone from decompiling the application to see how it is done. Unfortunately, it is probably the best that you can do -- this is why, if it is possible to use a one-way hash, you always take that option.

Henry
 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Henry ,
How can I decrypt the one way hash password.

What i have is my hostname password stored in a file and when my application runs it takes this password from the file to login into the host.
So what i want to and have done is encrypt this password in the file by using one way hash. Now i need to login into the host but of course using the encrpted password string and username from the file i won't be able to logon.
So I need to be able to decrypt it - How can I do this ???

Your help much appreciated !
 
Rob Spoor
Sheriff
Pie
Posts: 20510
54
Chrome Eclipse IDE Java Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can't. That's why it's called one way.

Like I said before, you need a two way algorithm.
 
fred rosenberger
lowercase baba
Bartender
Pie
Posts: 12097
30
Chrome Java Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The whole POINT of a ONE-WAY encryption is that it CANNOT BE UNDONE. You simply CAN'T do what you are asking to do. If they could be un-encrypted, it really wouldn't be a one-way, would it?

the reason for this is simple. what if someone stole a copy of your encrypted password file? you don't want them to be able to decrypt it, do you? NO!!! because that is not really secure.

if you have encrypted your only copy of the password using a one-way hash and didn't save the original, it is effectively gone forever. You need to get the administrator to reset your password, and DON'T encrypt it again with a one-way algorithm.
 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
What approach would you take if you wanted your password encrypted in the file and use it within the Java app
 
Henry Wong
author
Marshal
Pie
Posts: 20989
76
C++ Chrome Eclipse IDE Firefox Browser Java jQuery Linux VI Editor Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by terry Kiernan:
What approach would you take if you wanted your password encrypted in the file and use it within the Java app


If the password needs to be decrypted, most likely because it is needed to sign onto something else, then I already stated how... see my August 27 post.

Unfortunately, this is not secure. It is technically possible to decompile the Java code, and figure out all of the munging that is going on. So, if you are going to do this, you have to make sure that the file is protected. It has to be placed in a location that only the Java program and trusted parties can see -- and you also have to make sure that noone has permission to change the Java program.

Henry
 
Henry Wong
author
Marshal
Pie
Posts: 20989
76
C++ Chrome Eclipse IDE Firefox Browser Java jQuery Linux VI Editor Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Oops, didn't completely answer the question. The last time that I had to do this, I used AES (along with some obfuscation and base64 encoding). In the past, I have also used DES and triple DES.

Henry
 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Henry ,

Would you have some sample code to illustrate what you did when you encrypted and stored it off to a file/db using java ?

Thanking you
 
Henry Wong
author
Marshal
Pie
Posts: 20989
76
C++ Chrome Eclipse IDE Firefox Browser Java jQuery Linux VI Editor Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by terry Kiernan:
Henry ,

Would you have some sample code to illustrate what you did when you encrypted and stored it off to a file/db using java ?

Thanking you


Of the encrypt / decrypt? Hmmmm.... sure. Of the obfuscation? No...

Here you go... with all the obfuscation stuff removed.



Henry
 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Henry ,

Ok , What package is the the Cipher methods in.?

So all i need to do is call the encrypy method whn the user enters it's password and when using the password call the decrypt method then .
 
Jelle Klap
Bartender
Posts: 1951
7
Eclipse IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
That would be javax.crypto.
 
Henry Wong
author
Marshal
Pie
Posts: 20989
76
C++ Chrome Eclipse IDE Firefox Browser Java jQuery Linux VI Editor Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Oops, I didn't completely remove all the "munging". Please ignore this method call....



This is part of the code that does the base64 decoding -- which I removed on the encoding side.

Henry
 
terry Kiernan
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This is what i have now ...

encoding
String CIPHER_TYPE = "DES/ECB/PKCS5Padding";
Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
byte[] outputBytes = cipher.doFinal( password.getBytes()
);

BASE64Encoder encoder = new BASE64Encoder();
String encrypted_base64 = encoder.encode(outputBytes);

decoding
BASE64Decoder decoder = new BASE64Decoder();
byte encrypted[] = decoder.decodeBuffer(password);

Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
byte[] outputBytes = cipher.doFinal( encrypted );
String decoded_pwd = new String( outputBytes );
 
Rob Spoor
Sheriff
Pie
Posts: 20510
54
Chrome Eclipse IDE Java Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You forgot to initialize your Cipher. That's what Henry did with desCipher.init(Cipher.ENCRYPT_MODE, secretKey) and desCipher.init(Cipher.DECRYPT_MODE, secretKey)
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic