MD5

Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Hello,

My code is:



How can I convert the securedHash String back to its original format?

Thanks & best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
No. MD5 is a hash or digest - it's a one-way street, with no way to get the original text back.

What you want is a cipher like AES or Triple-DES; read up on JCE, which is the standard Java API for doing encryption/decryption. The SecurityFaq has some good links about that.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: No. MD5 is a hash or digest - it's a one-way street, with no way to get the original text back.

What you want is a cipher like AES or Triple-DES; read up on JCE, which is the standard Java API for doing encryption/decryption. The SecurityFaq has some good links about that.


Can we compare?

I am working on an ePayment gateway where they said in their manual that:
Run an encryption mechanism using the secure hash key shared with the merchant to compare it with the value of the field vpc_SecureHash passed. If this test is unsuccessful then the authentication fails and the user is redirected back to the merchant with a corresponding error code.

Is there any example that can help me to achieve this goal?

Best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
Yes. You would store the original password in hashed form, and when someone logs in, you would hash the password they entered, and then you can compare the two hashes (they must be identical).
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: Yes. You would store the original password in hashed form, and when someone logs in, you would hash the password they entered, and then you can compare the two hashes (they must be identical).


Hello,

Thanks for your reply.


OUTPUT:
vpc_SecureHash=5DB0F8628C4801B24110FD52056WEJY5
Converted to=1f8a39f895956b6ebf5ae9268f27cd27
Converted to Original Hash=[B@136a1a1

Please check it again as to how I can convert back the hash (md5).

Best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
What do you mean by "convert back"? As mentioned before, you can't get back the original text after it has been digested.

Also -and this is true not just in the context of encryption- it's almost always a bad idea to use "new String(byte[])" and "String.getBytes()" - in this day and age, you need to consider encodings. Those two code snippets use the platform default encoding, which is generally not what you want.
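Added example, not part of the original thread or any poster's code: a small Java program showing why the "Converted to Original Hash=[B@136a1a1" output above is not the digest, and how the choice of encoding changes the hash. The class name, helper names and sample text are constructed for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class DigestEncodingDemo {

    static byte[] md5(byte[] input) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(input);
    }

    // 16 digest bytes -> 32 hex characters; the width keeps leading zeros.
    static String toHex(byte[] digest) {
        return String.format("%032x", new BigInteger(1, digest));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String text = "caf\u00e9"; // constructed sample, one non-ASCII character

        // Same text under two encodings: different bytes, so different digests.
        byte[] utf8 = md5(text.getBytes(StandardCharsets.UTF_8));
        byte[] latin1 = md5(text.getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("UTF-8 digest      : " + toHex(utf8));
        System.out.println("ISO-8859-1 digest : " + toHex(latin1));
        System.out.println("digests equal     : " + Arrays.equals(utf8, latin1));

        // Concatenating a byte[] prints its type and identity hash, not its contents.
        System.out.println("byte[] printed    : " + utf8);

        // Decoding digest bytes as text is lossy: byte sequences that are not
        // valid in the charset are replaced, so the original bytes are
        // generally not recoverable from the resulting String.
        byte[] roundTrip = new String(utf8, StandardCharsets.UTF_8)
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("round trip intact : " + Arrays.equals(utf8, roundTrip));
    }
}
```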
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: What do you mean by "convert back"? As mentioned before, you can't get back the original text after it has been digested.

Also -and this is true not just in the context of encryption- it's almost always a bad idea to use "new String(byte[])" and "String.getBytes()" - in this day and age, you need to consider encodings. Those two code snippets use the platform default encoding, which is generally not what you want.


Hello,


Bank in Integration manual says:
======================
Run an encryption mechanism using the secure hash key shared with the merchant to compare it with the value of the field vpc_SecureHash passed. If this test is unsuccessful then the authentication fails and the user is redirected back to the merchant with a corresponding error code.


I do not understand what they mean by comparing in the Integration manual. Can you please explain?

Thanks again for helping me

Best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
Isn't that exactly what you posted a few posts back, and to which I responded in my subsequent post? What is getting compared is the hash/digest of the original password (which you have stored somewhere), and the hash/digest of the newly sent password.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: Isn't that exactly what you posted a few posts back, and to which I responded in my subsequent post? What is getting compared is the hash/digest of the original password (which you have stored somewhere), and the hash/digest of the newly sent password.


Thanks for your replies

The problem is that I am not storing password in one db and not comparing the two hashes by getting the password from one machine. I am passing parameters from my server to the bank server and getting response from their machines.

The whole problem I am facing is understanding the Integration manual. Please ignore all my previous posts, as this was what I conceived, but let me know some clue regarding:

Bank in Integration manual says:
======================
Run an encryption mechanism using the secure hash key shared with the merchant to compare it with the value of the field vpc_SecureHash passed. If this test is unsuccessful then the authentication fails and the user is redirected back to the merchant with a corresponding error code.


Best regards
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18874

Farakh khan wrote:
Thanks for your replies

The problem is that I am not storing password in one db and not comparing the two hashes by getting the password from one machine. I am passing parameters from my server to the bank server and getting response from their machines.

The whole problem I am facing is understanding the Integration manual. Please ignore all my previous posts, as this was what I conceived, but let me know some clue regarding:

Bank in Integration manual says:
======================
Run an encryption mechanism using the secure hash key shared with the merchant to compare it with the value of the field vpc_SecureHash passed. If this test is unsuccessful then the authentication fails and the user is redirected back to the merchant with a corresponding error code.




Why are you ignoring all the previous posts? The responses explain how to do this. Just ignore your interpretation, and reread everyone else's response.

Henry


Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
I am really confused now as to how I complete this task. I read the whole messages two times but am still unable to understand.

Please help me

Best regards
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732



This is my exact problem that I am trying to translate from PHP to Java
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Still hoping to have a favorable reply
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18874

Farakh khan wrote: I am really confused now as to how I complete this task. I read the whole messages two times but am still unable to understand.


It would help if you tell us what you don't understand. Or better yet, what you think you read, so that we can figure out where your logic went wrong... but I'll try again.



Basically, an md5 hash is one-way... you can take a password and take a md5 hash of it, but you cannot undo the hash.

So, let's say you need to set a password. You take the password, take the md5 hash of it, and store it (the hash) in the database.

Later, you challenge the user for the password, you now have the password, and you need to compare it to the password in the database. How do you do it? Well, since you can't undo the hash, you can't get the original password back, so hence, you can't compare if the two passwords are the same. What you can do is to take a md5 hash of the password, that you just got from the password challenge, and compare if the two hashes are the same... because of the way md5 works, if the two hashes are the same, then chances are the two passwords were the same.

Henry
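Added example, not part of the original thread and not the bank's code: the same hash-and-compare idea applied to the vpc_SecureHash field quoted from the integration manual. The thread never shows the bank's actual hashing rule, so the rule used here (MD5 over the shared secret followed by the field values in ascending field-name order, as uppercase hex) is an assumption, and the secret, sample field names and sample values are constructed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

public class SecureHashCheck {

    // ASSUMED rule (not from the thread): uppercase hex MD5 of the shared secret
    // followed by every non-empty field value, in ascending field-name order.
    static String computeHash(String secret, Map<String, String> fields)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(secret.getBytes(StandardCharsets.UTF_8)); // explicit charset
        Map<String, String> sorted = new TreeMap<>(fields);
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            String value = e.getValue();
            if (e.getKey().equals("vpc_SecureHash") || value == null || value.isEmpty()) {
                continue; // the hash field itself is never part of the input
            }
            md.update(value.getBytes(StandardCharsets.UTF_8));
        }
        return String.format("%032X", new BigInteger(1, md.digest()));
    }

    // Recompute the hash from the received fields and compare it with the one sent.
    static boolean verify(String secret, Map<String, String> received)
            throws NoSuchAlgorithmException {
        String claimed = received.get("vpc_SecureHash");
        if (claimed == null) {
            return false; // a missing hash is a failed check, not a skipped one
        }
        byte[] expected = computeHash(secret, received).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = claimed.toUpperCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String secret = "EXAMPLE-SHARED-SECRET"; // constructed value
        Map<String, String> response = new TreeMap<>(); // constructed sample fields
        response.put("vpc_Amount", "1000");
        response.put("vpc_MerchTxnRef", "ORDER-42");
        response.put("vpc_TxnResponseCode", "0");
        response.put("vpc_SecureHash", computeHash(secret, response));
        System.out.println("as sent      : " + verify(secret, response));
        response.put("vpc_Amount", "1"); // a field changed in transit
        System.out.println("field changed: " + verify(secret, response));
        response.remove("vpc_SecureHash");
        System.out.println("hash missing : " + verify(secret, response));
    }
}
```

Both sides must agree on the field order, the character encoding and the hex case, otherwise the recomputed value will not match even for an untouched message.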
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Henry Wong wrote:
Farakh khan wrote: I am really confused now as to how I complete this task. I read the whole messages two times but am still unable to understand.


It would help if you tell us what you don't understand. Or better yet, what you think you read, so that we can figure out where your logic went wrong... but I'll try again.



Basically, an md5 hash is one-way... you can take a password and take a md5 hash of it, but you cannot undo the hash.

So, let's say you need to set a password. You take the password, take the md5 hash of it, and store it (the hash) in the database.

Later, you challenge the user for the password, you now have the password, and you need to compare it to the password in the database. How do you do it? Well, since you can't undo the hash, you can't get the original password back, so hence, you can't compare if the two passwords are the same. What you can do is to take a md5 hash of the password, that you just got from the password challenge, and compare if the two hashes are the same... because of the way md5 works, if the two hashes are the same, then chances are the two passwords were the same.

Henry


Thanks Henry for detailed explanation.

I just want to clear my concepts. When the password parameter sent then md5 encrypted the password and displayed as hash in the user URL and when the server gets how it understand by decrypting.

My case is that user will pay to our website and my code from our dedicated server will get the request, encrypt as md5 hash and will forward the request by adding some parameters (merchantID, secret hash) to the Bank server.

My question is how the bank server will understand my md5 hash because bank server might use a different hashing algorithm? This is the real problem that I am facing, in my view.

Thanks again & best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
My question is how the bank server will understand my md5 hash because bank server might use a different hashing algorithm?

MD5 is a standardized algorithm. Whatever implementation the bank uses had better produce exactly the same results as whatever implementation you're using.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote:
My question is how the bank server will understand my md5 hash because bank server might use a different hashing algorithm?

MD5 is a standardized algorithm. Whatever implementation the bank uses had better produce exactly the same results as whatever implementation you're using.

Thanks again. Appreciated!!


1) Why am I getting vpc_SecureHash=null
2) It means my servlet is not sending the secure hash key from doPost method

Where am I wrong??

Kindly help


Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
1) Why am I getting vpc_SecureHash=null
2) It means my servlet is not sending the secure hash key from doPost method

Use an HTTP monitor (or proxy) to see what -exactly- goes over the wire. That should point out quickly what is and is not being sent. Something like https://tcpmon.dev.java.net/ should work, or hook up a servlet filter to your servlet that records all parameters.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote:
1) Why am I getting vpc_SecureHash=null
2) It means my servlet is not sending the secure hash key from doPost method

Use an HTTP monitor (or proxy) to see what -exactly- goes over the wire. That should point out quickly what is and is not being sent. Something like https://tcpmon.dev.java.net/ should work, or hook up a servlet filter to your servlet that records all parameters.


that was the problem of writing parameter as there was no "?" between
"/servlet/Test?action=py"+
"vpc_SecureHash="+securedHash+

It's working now but still I am getting Invalid URL error as response from bank server. What else am I missing?

Best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
Sounds like a question for the tech support people of the bank.

Don't they provide working example code?
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: Sounds like a question for the tech support people of the bank.

Don't they provide working example code?

They provided the following PHP sample code:



This PHP code is working fine but I don't know where I am going wrong in translating its part-1, i.e. sending parameters to the bank and getting back the response

best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
That's where an HTTP monitor/proxy comes in handy - it can tell you the differences between what the PHP version sends and what the Java version sends.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: That's where an HTTP monitor/proxy comes in handy - it can tell you the differences between what the PHP version sends and what the Java version sends.


You mean Java and PHP are generating different versions? Is this the reason?

Best regards

Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
You mean Java and PHP are generating different versions?

I don't know - that's for you to find out. But since the Java version doesn't work -and the PHP version presumably does-, it seems logical to assume that there must be some differences. Have you gotten the PHP version to run successfully? If not, then that would be a good place to start.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote:
You mean Java and PHP are generating different versions?

I don't know - that's for you to find out. But since the Java version doesn't work -and the PHP version presumably does-, it seems logical to assume that there must be some differences. Have you gotten the PHP version to run successfully? If not, then that would be a good place to start.


The PHP version is working fine but my expertise belongs to Java. I don't know where I am wrong in translating the first authentication & sending parameters part.

Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
If this was my problem, I'd pursue the HTTP proxy/monitor approach.

By the way, please drop the annoying habit of always quoting entire posts - if you must quote, restrict it to the important points you're responding to.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
I downloaded Charles TCP Monitor Connection but am unable to run it. My tomcat is running on 127.0.0.1:7070
I am putting local port as 7070, Server name as 127.0.0.1 and Server port is 7070 but it says:
Received Exception: Address already in use: JVM_Bind
java.net.BindException: Address already in use: JVM_Bind
at java.net.PlainSocketImpl.socketBind(Native Method)
at java.net.PlainSocketImpl.bind(Unknown Source)
at java.net.ServerSocket.bind(Unknown Source)
at java.net.ServerSocket.<init>(Unknown Source)
at java.net.ServerSocket.<init>(Unknown Source)
at tcpmon.Tunnel.run(Unknown Source)


Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
The local port must be different than the server port. Are you quite clear on how such a monitor works?
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
I never used it and this is my first time. I changed the local port to 80 but still get the same error
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
You need to use a port that isn't used by anything else, and it should be above 1024; how about 8180?

Next thing you need to do is to make your web app submit to 127.0.0.1:8180 instead of the bank URL, and you need to set the server name and port to the correct values of the bank URL.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote:
Next thing you need to do is to make your web app submit to 127.0.0.1:8180 instead of the bank URL, and you need to set the server name and port to the correct values of the bank URL.


I am really sorry to bother you again and again.

1) I made Local Port: 8180, Server Name: 127.0.0.1 and Server Port: 7070 (Tomcat is listening on 7070 port). There are no errors and now it's listening on port 8180.

2) I also changed the form action to <form action=http:/127.0.0.1:8180/servlet/PaymentManager method=post> but it's giving me
error HTTP Status 404 - /127.0.0.1:8180/servlet/PaymentManager


This seems a really good tool, but due to my lack of knowledge I need help. Honestly, this is the first time I have heard its name and used it.

Best regards

Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
That URL looks incorrect - pay particular attention to the details.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: That URL looks incorrect - pay particular attention to the details.


I have downloaded Charles Web Debugging Proxy and got the following results:

Servlet Response:


PHP Response:


Thanks again & best regards
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
You (and we) already knew that the responses would be different. The interesting part is the requests.
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732



and my servlet:


thanks again
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
So: are those requests byte for byte identical?
Farakh khan
Ranch Hand

Joined: Mar 22, 2008
Posts: 732
Lester Burnham wrote: So: are those requests byte for byte identical?



In the above case both codes are generating the same data

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

Farakh khan wrote: I just want to clear my concepts. When the password parameter sent then md5 encrypted the password and displayed as hash in the user URL and when the server gets how it understand by decrypting.

First, you have to stop using the term encrypt here. An MD5 is a hash, it's one way. Encryption is when you take something, encrypt it, and then you can decrypt it to get back the original. You can't do that with MD5 or any other similar hash (SHA1, SHA256, etc).

What is really happening is that you run the cleartext password through the MD5 to get a mess, and send the mess in. The server (when you registered) got the password and ran it through MD5 to get a mess, and stored the mess in the DB. Now, when you want to login or use other secured services, you send the MD5 result (the mess) and the server compares its stored value from the DB.

At no time does anyone try to decrypt the output of the MD5 to get the original password.
 