Forum:

Beginning Java

Using a one way hash for Password encryption

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Hi ,
I am using the Digest "SHA-1" for encrytion however I need to decrypt this again to logon to machine. How can I decrypt the one way hash - Is there a simple method to do this in Java.

Please help ..

marc weber

Sheriff

Posts: 11343

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

"terry," please check your private messages by clicking on My Private Messages. Thanks!

"We're kind of on the level of crossword puzzle writers... And no one ever goes to them and gives them an award." ~Joe Strummer
sscce.org

fred rosenberger

lowercase baba

Posts: 13086

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

You can't. If it truly is a one-way encryption (and I don't know if the SHA-1 is or not), the whole POINT is that you can't reverse it. that's what "one-way" means. a simple example is simply taking the sine of a value. If i said "the sine of the number is 0.91354545764260089550212757198532", you have no way to know if my original number was 114, 474, 834, or 465,456,354 (or any of the other infinite possibilities).

Note: one of my friends suggested that you could also hack into the NSA, and hunt around and see if they have a 'back-door' way to decrypt this, but I'd personally recommend against that.
[ August 25, 2008: Message edited by: fred rosenberger ]

There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors

Rob Spoor

Sheriff

Posts: 22725

129

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

If you need to reverse it you'll need a two-way encryption algorithm like Blowfish.

SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6 - OCEJPAD 6
How To Ask Questions How To Answer Questions

terry Kiernan

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Is there any java code snippet examples of this method for both encryption and decryption ..

Thanks any help much appreciated ..

Bill Cruise

Ranch Hand

Posts: 148

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Terry, I'm not sure if this will help, but here's how encrypted passwords are typically handled.

1. Store the user's login name and encrypted password.
2. When the user logs in, collect their username and password.
3. Encrypt the supplied password with the same algorithm as in step #1.
4. Compare the two encrypted strings to see if they are the same.

This is greatly simplified, and of course I'm leaving out salting your password, which you should do, but this should give you the basic idea.

Jelle Klap

Bartender

Posts: 1952

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Why would you need to be able to decrypt a user's password?
More commonly a cryptographic hash function, like SHA-1, would be used to create a digest of the users plain text password combined with some sort of salt. The salt and the resulting digest are stored in the database and used to verify user supplied security credentials.

You were on the right track using SHA-1, but maybe you should read up on related security principles.

Edit: I'm such a slowpoke

As long as I'm editting anyway.
It's entirely possible to perform a reverse lookup for a particular digest and recover a plaintext value that would likely equal the original plaintext password value.
[ August 26, 2008: Message edited by: Jelle Klap ]

Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.

Pat Farrell

Rancher

Posts: 4803

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Originally posted by terry:
I am using the Digest "SHA-1" for encrytion however I need to decrypt this again to logon to machine. How can I decrypt the one way hash - Is there a simple method to do this in Java.

A SHA or a MD5 is a one-way hash, not a cipher. You can never go from the hash value to the clear text.

This is good. It helps security.

If the user forgets the password, you say "we can not tell you it, for security reasons, but we can reset it for you and it will be valid for one use"

You never, ever, want be able to see the clear text of the password. You don't want your tech support folks do be able to.

Pat Farrell

Rancher

Posts: 4803

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Originally posted by Rob Prime:
If you need to reverse it you'll need a two-way encryption algorithm like Blowfish.

True, but he has no need to reverse it. Just use it one-way.

terry Kiernan

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

I need to reverse it - this is an internal app where by the user remotely logins via another application so in this case e.g telnet hostname user password , so in this case i need to read back the encrypted password from the file to login into the machine as that user .

Ernest Friedman-Hill

author and iconoclast

Posts: 24204

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Then you need to use something else to store the encrypted passwords, as was previously stated.

[Jess in Action][AskingGoodQuestions]

Henry Wong

author

Posts: 23936

142

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

On the rare cases where the passwords needs to be reversed, I generally use a convoluted technique of taking an "internal" password, generating a key using a hash, and then using the key to decrypt, with lots and lots of "munging".

Regardless, there is nothing stopping someone from decompiling the application to see how it is done. Unfortunately, it is probably the best that you can do -- this is why, if it is possible to use a one-way hash, you always take that option.

Henry

Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)

terry Kiernan

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Hi Henry ,
How can I decrypt the one way hash password.

What i have is my hostname password stored in a file and when my application runs it takes this password from the file to login into the host.
So what i want to and have done is encrypt this password in the file by using one way hash. Now i need to login into the host but of course using the encrpted password string and username from the file i won't be able to logon.
So I need to be able to decrypt it - How can I do this ???

Your help much appreciated !

Rob Spoor

Sheriff

Posts: 22725

129

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

You can't. That's why it's called one way.

Like I said before, you need a two way algorithm.

SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6 - OCEJPAD 6
How To Ask Questions How To Answer Questions

fred rosenberger

lowercase baba

Posts: 13086

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

The whole POINT of a ONE-WAY encryption is that it CANNOT BE UNDONE. You simply CAN'T do what you are asking to do. If they could be un-encrypted, it really wouldn't be a one-way, would it?

the reason for this is simple. what if someone stole a copy of your encrypted password file? you don't want them to be able to decrypt it, do you? NO!!! because that is not really secure.

if you have encrypted your only copy of the password using a one-way hash and didn't save the original, it is effectively gone forever. You need to get the administrator to reset your password, and DON'T encrypt it again with a one-way algorithm.

There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors

terry Kiernan

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

What approach would you take if you wanted your password encrypted in the file and use it within the Java app

Henry Wong

author

Posts: 23936

142

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Originally posted by terry Kiernan:
What approach would you take if you wanted your password encrypted in the file and use it within the Java app

If the password needs to be decrypted, most likely because it is needed to sign onto something else, then I already stated how... see my August 27 post.

Unfortunately, this is not secure. It is technically possible to decompile the Java code, and figure out all of the munging that is going on. So, if you are going to do this, you have to make sure that the file is protected. It has to be placed in a location that only the Java program and trusted parties can see -- and you also have to make sure that noone has permission to change the Java program.

Henry

Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)

Henry Wong

author

Posts: 23936

142

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Oops, didn't completely answer the question. The last time that I had to do this, I used AES (along with some obfuscation and base64 encoding). In the past, I have also used DES and triple DES.

Henry

Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)

terry Kiernan

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Henry ,

Would you have some sample code to illustrate what you did when you encrypted and stored it off to a file/db using java ?

Thanking you

Henry Wong

author

Posts: 23936

142

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Originally posted by terry Kiernan:
Henry ,

Would you have some sample code to illustrate what you did when you encrypted and stored it off to a file/db using java ?

Thanking you

Of the encrypt / decrypt? Hmmmm.... sure. Of the obfuscation? No...

Here you go... with all the obfuscation stuff removed.

private static String aesEncoder(String password) {
    SecretKeySpec secretKey = <key technique removed>;
    try {
        Cipher desCipher = Cipher.getInstance("AES");
        desCipher.init(Cipher.ENCRYPT_MODE, secretKey);
 
        byte[] cleartext = password.getBytes();
        byte[] ciphertext = desCipher.doFinal(cleartext);

String codedpassword = <munging removed>;
        return codedpassword;
    } catch (Exception ex) {
        ex.printStackTrace();
        return password;
    }
}
 
private static String aesDecoder(String codedpassword) {
    SecretKeySpec secretKey = <key technique removed>;
    try {
        Cipher desCipher = Cipher.getInstance("AES");
        desCipher.init(Cipher.DECRYPT_MODE, secretKey);
 
        codedpassword = <munging removed>;
        byte[] ciphertext = decoder.decodeBuffer(codedpassword);
 
        byte[] cleartext = desCipher.doFinal(ciphertext);
        String password = new String(cleartext);
        return password;
    } catch (Exception ex) {
        ex.printStackTrace();
        return codedpassword;
    }
}

Henry

Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)

terry Kiernan

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Thanks Henry ,

Ok , What package is the the Cipher methods in.?

So all i need to do is call the encrypy method whn the user enters it's password and when using the password call the decrypt method then .

Jelle Klap

Bartender

Posts: 1952

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

That would be javax.crypto.

Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.

Henry Wong

author

Posts: 23936

142

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Oops, I didn't completely remove all the "munging". Please ignore this method call....

This is part of the code that does the base64 decoding -- which I removed on the encoding side.

Henry

Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)

terry Kiernan

Ranch Hand

Posts: 31

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

This is what i have now ...

encoding
String CIPHER_TYPE = "DES/ECB/PKCS5Padding";
Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
byte[] outputBytes = cipher.doFinal( password.getBytes()
);

BASE64Encoder encoder = new BASE64Encoder();
String encrypted_base64 = encoder.encode(outputBytes);

decoding
BASE64Decoder decoder = new BASE64Decoder();
byte encrypted[] = decoder.decodeBuffer(password);

Cipher cipher = Cipher.getInstance(CIPHER_TYPE);
byte[] outputBytes = cipher.doFinal( encrypted );
String decoded_pwd = new String( outputBytes );

Rob Spoor

Sheriff

Posts: 22725

129

I like...

posted 14 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

You forgot to initialize your Cipher. That's what Henry did with desCipher.init(Cipher.ENCRYPT_MODE, secretKey) and desCipher.init(Cipher.DECRYPT_MODE, secretKey)

SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6 - OCEJPAD 6
How To Ask Questions How To Answer Questions

brevity is the soul of wit - shakepeare. Tiny ad:

The Low Tech Laboratory Movie Kickstarter is LIVE NOW!

https://www.kickstarter.com/projects/paulwheaton/low-tech