Using a one way hash for Password encryption

terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
Hi,
I am using the Digest "SHA-1" for encryption; however, I need to decrypt this again to log on to a machine. How can I decrypt the one-way hash? Is there a simple method to do this in Java?

Please help ..
marc weber
Sheriff

Joined: Aug 31, 2004
Posts: 11343

"terry," please check your private messages by clicking on My Private Messages. Thanks!


"We're kind of on the level of crossword puzzle writers... And no one ever goes to them and gives them an award." ~Joe Strummer
sscce.org
fred rosenberger
lowercase baba
Bartender

Joined: Oct 02, 2003
Posts: 11498

You can't. If it truly is a one-way encryption (and I don't know if the SHA-1 is or not), the whole POINT is that you can't reverse it. That's what "one-way" means. A simple example is simply taking the sine of a value. If I said "the sine of the number is 0.91354545764260089550212757198532", you have no way to know if my original number was 114, 474, 834, or 465,456,354 (or any of the other infinite possibilities).

Note: one of my friends suggested that you could also hack into the NSA, and hunt around and see if they have a 'back-door' way to decrypt this, but I'd personally recommend against that.
[ August 25, 2008: Message edited by: fred rosenberger ]

There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19784

If you need to reverse it you'll need a two-way encryption algorithm like Blowfish.


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
Are there any Java code snippet examples of this method, for both encryption and decryption?

Thanks any help much appreciated ..
Bill Cruise
Ranch Hand

Joined: Jun 01, 2007
Posts: 148
Terry, I'm not sure if this will help, but here's how encrypted passwords are typically handled.

1. Store the user's login name and encrypted password.
2. When the user logs in, collect their username and password.
3. Encrypt the supplied password with the same algorithm as in step #1.
4. Compare the two encrypted strings to see if they are the same.

This is greatly simplified, and of course I'm leaving out salting your password, which you should do, but this should give you the basic idea.
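The four steps above in Java, as an added example that is not code from the thread: a random salt is stored beside the digest, and verification re-hashes the supplied password with that salt and compares in constant time. It keeps the thread's SHA-1 (the DIGEST constant and the class name are assumptions); a slow, iterated KDF such as PBKDF2 is the stronger choice for stored passwords, and java.util.Base64 needs Java 8.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Salted one-way password storage and verification (added example, not from the thread). */
public class SaltedPasswordStore {
    // The thread uses SHA-1; kept as a single constant so it can be swapped in one place.
    private static final String DIGEST = "SHA-1";
    private static final int SALT_BYTES = 16;

    /** Step 1: build the stored record "base64(salt):base64(digest)". The password itself is never stored. */
    public static String createRecord(char[] password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);          // fresh random salt per user
        byte[] digest = digest(salt, password);
        return Base64.getEncoder().encodeToString(salt) + ":"
             + Base64.getEncoder().encodeToString(digest);
    }

    /** Steps 2-4: hash the supplied password with the stored salt and compare the digests. */
    public static boolean verify(String record, char[] supplied) throws NoSuchAlgorithmException {
        String[] parts = record.split(":", 2);
        if (parts.length != 2) return false;           // malformed record: fail closed
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = digest(salt, supplied);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] digest(byte[] salt, char[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(DIGEST);
        md.update(salt);                               // salt goes in first
        byte[] pw = new String(password).getBytes(StandardCharsets.UTF_8);
        byte[] out = md.digest(pw);
        Arrays.fill(pw, (byte) 0);                     // don't leave the plaintext in the heap longer than needed
        return out;
    }

    public static void main(String[] args) throws Exception {
        String record = createRecord("correct horse".toCharArray()); // constructed sample password
        System.out.println(record);
        System.out.println(verify(record, "correct horse".toCharArray()));
        System.out.println(verify(record, "wrong".toCharArray()));
    }
}
```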
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1836

Why would you need to be able to decrypt a user's password?
More commonly a cryptographic hash function, like SHA-1, would be used to create a digest of the user's plain text password combined with some sort of salt. The salt and the resulting digest are stored in the database and used to verify user-supplied security credentials.

You were on the right track using SHA-1, but maybe you should read up on related security principles.

Edit: I'm such a slowpoke

As long as I'm editing anyway.
It's entirely possible to perform a reverse lookup for a particular digest and recover a plaintext value that would likely equal the original plaintext password value.
[ August 26, 2008: Message edited by: Jelle Klap ]

Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

Originally posted by terry:
I am using the Digest "SHA-1" for encryption; however, I need to decrypt this again to log on to a machine. How can I decrypt the one-way hash? Is there a simple method to do this in Java?


A SHA or a MD5 is a one-way hash, not a cipher. You can never go from the hash value to the clear text.

This is good. It helps security.

If the user forgets the password, you say "we can not tell you it, for security reasons, but we can reset it for you and it will be valid for one use"

You never, ever, want to be able to see the clear text of the password. You don't want your tech support folks to be able to, either.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

Originally posted by Rob Prime:
If you need to reverse it you'll need a two-way encryption algorithm like Blowfish.


True, but he has no need to reverse it. Just use it one-way.
terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
I need to reverse it. This is an internal app whereby the user remotely logs in via another application, so in this case e.g. telnet hostname user password, so in this case I need to read back the encrypted password from the file to log into the machine as that user.
Ernest Friedman-Hill
author and iconoclast
Marshal

Joined: Jul 08, 2003
Posts: 24187

Then you need to use something else to store the encrypted passwords, as was previously stated.


[Jess in Action][AskingGoodQuestions]
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 19064

On the rare occasions where the passwords need to be reversed, I generally use a convoluted technique of taking an "internal" password, generating a key using a hash, and then using the key to decrypt, with lots and lots of "munging".

Regardless, there is nothing stopping someone from decompiling the application to see how it is done. Unfortunately, it is probably the best that you can do -- this is why, if it is possible to use a one-way hash, you always take that option.

Henry


Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)
terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
Hi Henry,
How can I decrypt the one-way hash password?

What I have is my hostname password stored in a file, and when my application runs it takes this password from the file to log into the host.
So what I wanted to do, and have done, is encrypt this password in the file by using a one-way hash. Now I need to log into the host, but of course using the encrypted password string and username from the file I won't be able to log on.
So I need to be able to decrypt it. How can I do this?

Your help much appreciated !
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19784

You can't. That's why it's called one way.

Like I said before, you need a two way algorithm.
fred rosenberger
lowercase baba
Bartender

Joined: Oct 02, 2003
Posts: 11498

The whole POINT of a ONE-WAY encryption is that it CANNOT BE UNDONE. You simply CAN'T do what you are asking to do. If they could be un-encrypted, it really wouldn't be a one-way, would it?

The reason for this is simple. What if someone stole a copy of your encrypted password file? You don't want them to be able to decrypt it, do you? NO!!! Because that is not really secure.

If you have encrypted your only copy of the password using a one-way hash and didn't save the original, it is effectively gone forever. You need to get the administrator to reset your password, and DON'T encrypt it again with a one-way algorithm.
terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
What approach would you take if you wanted your password encrypted in the file and to use it within the Java app?
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 19064

Originally posted by terry Kiernan:
What approach would you take if you wanted your password encrypted in the file and to use it within the Java app?


If the password needs to be decrypted, most likely because it is needed to sign onto something else, then I already stated how... see my August 27 post.

Unfortunately, this is not secure. It is technically possible to decompile the Java code and figure out all of the munging that is going on. So, if you are going to do this, you have to make sure that the file is protected. It has to be placed in a location that only the Java program and trusted parties can see -- and you also have to make sure that no one has permission to change the Java program.

Henry
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 19064

Oops, didn't completely answer the question. The last time that I had to do this, I used AES (along with some obfuscation and base64 encoding). In the past, I have also used DES and triple DES.

Henry
terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
Henry,

Would you have some sample code to illustrate what you did when you encrypted and stored it off to a file/db using Java?

Thanking you
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 19064

Originally posted by terry Kiernan:
Henry,

Would you have some sample code to illustrate what you did when you encrypted and stored it off to a file/db using Java?

Thanking you


Of the encrypt / decrypt? Hmmmm.... sure. Of the obfuscation? No...

Here you go... with all the obfuscation stuff removed.



Henry
terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
Thanks Henry,

OK, what package are the Cipher methods in?

So all I need to do is call the encrypt method when the user enters their password, and when using the password call the decrypt method then.
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1836

That would be javax.crypto.
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 19064

Oops, I didn't completely remove all the "munging". Please ignore this method call....



This is part of the code that does the base64 decoding -- which I removed on the encoding side.

Henry
terry Kiernan
Ranch Hand

Joined: Aug 23, 2008
Posts: 31
This is what I have now ...

encoding
String CIPHER_TYPE = "DES/ECB/PKCS5Padding";
Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
byte[] outputBytes = cipher.doFinal(password.getBytes());

BASE64Encoder encoder = new BASE64Encoder();
String encrypted_base64 = encoder.encode(outputBytes);

decoding
BASE64Decoder decoder = new BASE64Decoder();
byte[] encrypted = decoder.decodeBuffer(password);

Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
byte[] outputBytes = cipher.doFinal(encrypted);
String decoded_pwd = new String(outputBytes);
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19784

You forgot to initialize your Cipher. That's what Henry did with desCipher.init(Cipher.ENCRYPT_MODE, secretKey) and desCipher.init(Cipher.DECRYPT_MODE, secretKey).
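Henry's AES-plus-base64 approach with the Cipher.init step Rob points out, as an added example that is neither Henry's nor terry's code: AES/GCM is used instead of DES/ECB so that a wrong key or a modified file fails with an exception rather than silently decrypting to garbage. The class name and the key generation in main are assumptions, and java.util.Base64 needs Java 8; the key must live somewhere only the program can read, never in the same file as the ciphertext.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Reversible storage of a credential the program must replay (added example, not from the thread). */
public class StoredCredential {
    private static final String CIPHER_TYPE = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;    // standard GCM nonce length
    private static final int TAG_BITS = 128;   // authentication tag length

    /** Encrypts the password and returns base64(iv || ciphertext || tag) for the file. */
    public static String encrypt(SecretKey key, String password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);      // fresh IV for every encryption, never reused with the same key
        Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv)); // the missing init step
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reads the record back; a wrong key or a tampered record throws AEADBadTagException. */
    public static String decrypt(SecretKey key, String record) throws Exception {
        byte[] in = Base64.getDecoder().decode(record);
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Demo only: in real use the key is loaded from a separate, permission-restricted
        // file or key store. Anyone who can read both the key and the record can decrypt.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        String record = encrypt(key, "hostname-password");   // constructed sample value
        System.out.println(record);
        System.out.println(decrypt(key, record));
    }
}
```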