You can't. If it truly is a one-way encryption (and I don't know if the SHA-1 is or not), the whole POINT is that you can't reverse it. That's what "one-way" means. A simple example is simply taking the sine of a value. If I said "the sine of the number is 0.91354545764260089550212757198532", you have no way to know if my original number was 114, 474, 834, or 465,456,354 (or any of the other infinite possibilities).
Note: one of my friends suggested that you could also hack into the NSA, and hunt around and see if they have a 'back-door' way to decrypt this, but I'd personally recommend against that. [ August 25, 2008: Message edited by: fred rosenberger ]
There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors
Terry, I'm not sure if this will help, but here's how encrypted passwords are typically handled.
1. Store the user's login name and encrypted password.
2. When the user logs in, collect their username and password.
3. Encrypt the supplied password with the same algorithm as in step #1.
4. Compare the two encrypted strings to see if they are the same.
This is greatly simplified, and of course I'm leaving out salting your password, which you should do, but this should give you the basic idea.
Why would you need to be able to decrypt a user's password? More commonly a cryptographic hash function, like SHA-1, would be used to create a digest of the user's plain-text password combined with some sort of salt. The salt and the resulting digest are stored in the database and used to verify user-supplied security credentials.
You were on the right track using SHA-1, but maybe you should read up on related security principles.
Edit: I'm such a slowpoke
As long as I'm editing anyway: it's entirely possible to perform a reverse lookup for a particular digest and recover a plaintext value that would likely equal the original plaintext password value. [ August 26, 2008: Message edited by: Jelle Klap ]
Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
Originally posted by terry: I am using the Digest "SHA-1" for encryption; however, I need to decrypt this again to log on to a machine. How can I decrypt the one-way hash? Is there a simple method to do this in Java?
A SHA or an MD5 is a one-way hash, not a cipher. You can never go from the hash value to the clear text.
This is good. It helps security.
If the user forgets the password, you say "we can not tell you it, for security reasons, but we can reset it for you and it will be valid for one use"
You never, ever, want to be able to see the clear text of the password. You don't want your tech support folks to be able to.
Originally posted by Rob Prime: If you need to reverse it you'll need a two-way encryption algorithm like Blowfish.
True, but he has no need to reverse it. Just use it one-way.
I need to reverse it. This is an internal app whereby the user remotely logs in via another application, so in this case e.g. telnet hostname user password, so I need to read back the encrypted password from the file to log into the machine as that user.
In the rare cases where a password needs to be reversed, I generally use a convoluted technique of taking an "internal" password, generating a key using a hash, and then using the key to decrypt, with lots and lots of "munging".
Regardless, there is nothing stopping someone from decompiling the application to see how it is done. Unfortunately, it is probably the best that you can do -- this is why, if it is possible to use a one-way hash, you always take that option.
Hi Henry, how can I decrypt the one-way hash password?
What I have is my hostname password stored in a file, and when my application runs it takes this password from the file to log into the host. So what I want to do, and have done, is encrypt this password in the file using a one-way hash. Now I need to log into the host, but of course using the encrypted password string and username from the file I won't be able to log on. So I need to be able to decrypt it. How can I do this???
The whole POINT of a ONE-WAY encryption is that it CANNOT BE UNDONE. You simply CAN'T do what you are asking to do. If they could be un-encrypted, it really wouldn't be a one-way, would it?
The reason for this is simple. What if someone stole a copy of your encrypted password file? You don't want them to be able to decrypt it, do you? NO!!! Because that is not really secure.
If you have encrypted your only copy of the password using a one-way hash and didn't save the original, it is effectively gone forever. You need to get the administrator to reset your password, and DON'T encrypt it again with a one-way algorithm.
What approach would you take if you wanted your password encrypted in the file and to use it within the Java app?
Originally posted by terry Kiernan: What approach would you take if you wanted your password encrypted in the file and to use it within the Java app?
If the password needs to be decrypted, most likely because it is needed to sign onto something else, then I already stated how... see my August 27 post.
Unfortunately, this is not secure. It is technically possible to decompile the Java code and figure out all of the munging that is going on. So, if you are going to do this, you have to make sure that the file is protected. It has to be placed in a location that only the Java program and trusted parties can see -- and you also have to make sure that no one has permission to change the Java program.
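As an added illustration of the approach Henry describes in both of his posts (example code, not Henry's), here is the pattern in Java: an "internal" secret is run through a hash-based key derivation, and the resulting AES key seals and opens the host password stored in the file, using an authenticated mode so a tampered record or wrong secret is rejected rather than silently yielding garbage. The internal secret, the host password and the "salt:nonce:ciphertext" record format are constructed placeholders; the secret is assumed to be read from somewhere with the same restricted permissions as the file, since anything compiled into the program can be recovered from it.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class ReversibleCredentialStore {
    private static final int ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();

    // Derive the AES key from the "internal" secret with an iterated hash (PBKDF2-HMAC-SHA256).
    static SecretKeySpec deriveKey(char[] internalSecret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(internalSecret, salt, ITERATIONS, 128);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Seal the host password for the file: "salt:nonce:ciphertext" (GCM tag appended to ciphertext).
    static String seal(char[] internalSecret, String hostPassword) throws Exception {
        byte[] salt = new byte[16], nonce = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);                           // never reuse a nonce under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(internalSecret, salt), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(hostPassword.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder e = Base64.getEncoder();
        return e.encodeToString(salt) + ":" + e.encodeToString(nonce) + ":" + e.encodeToString(ct);
    }

    // Open the record at login time; throws AEADBadTagException if the record was altered or the secret is wrong.
    static String open(char[] internalSecret, String record) throws Exception {
        String[] p = record.split(":");
        Base64.Decoder d = Base64.getDecoder();
        byte[] salt = d.decode(p[0]), nonce = d.decode(p[1]), ct = d.decode(p[2]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(internalSecret, salt), new GCMParameterSpec(128, nonce));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] internal = "app-internal-secret".toCharArray();     // constructed placeholder
        String record = seal(internal, "hostPassw0rd");             // constructed placeholder
        System.out.println("file record: " + record);
        System.out.println("recovered:   " + open(internal, record));
    }
}
```

Whoever can read both the file and the internal secret can recover the host password, which is exactly the limitation Henry points out; the file permissions, not the cipher, are what carry the security here.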