jBCrypt Encrypt and Decrypt - java

I came to know about jBCrypt for hashing a password and storing it in the DB. But I didn't find any option to get back the actual value from the hashed value. Only BCrypt.checkpw(password, hashedPassword) is available, which returns a boolean. http://www.mindrot.org/projects/jBCrypt/
How can I get the actual value out of the hashed value?
If it is not possible in jBCrypt, is there any other way to encrypt and decrypt values in Java? Thanks in advance...

Instead of using a hash function, you can use a symmetric encryption algorithm, such as the one offered by Spring Security in their Crypto Module, more specifically their Encryptors class.
Here is a basic encryption/decryption example:
    import java.util.UUID;
    import org.springframework.security.crypto.encrypt.Encryptors;
    import org.springframework.security.crypto.encrypt.TextEncryptor;

    public class EncryptorsExample {
        public static void main(String[] args) {
            // Encryptors.delux expects a hex-encoded salt; a UUID without dashes is 32 hex chars
            final String salt = UUID.randomUUID().toString().replace("-", "");
            TextEncryptor textEncryptor = Encryptors.delux("my-super-secure-password-for-the-encryptor", salt);
            final String passwordToBeEncrypted = "my-secure-password-to-be-encrypted";
            final String encrypted = textEncryptor.encrypt(passwordToBeEncrypted);
            // decrypt with the same encryptor and compare with the original plaintext
            System.out.println(passwordToBeEncrypted.equals(textEncryptor.decrypt(encrypted)));
        }
    }
Here, I am using delux. As per their documentation:
Creates a text encryptor that uses "stronger" password-based encryption.
Keep in mind that this is a very naive approach to encrypting and decrypting.
I would not recommend you copy-paste this solution into your production code.
In order for this functionality to be production ready, you want the password provided to Encryptors.delux() to be stored somewhere safe.
Also, you want to use a different way of generating a salt for your password (potentially a salt for each new password encryption) and store it for later, when you want to decrypt your password.
Also, you might want to not keep the password in plain text (String), but keep it as char[] or byte[]; still, this should give you a starting point.
There is also a different library that does the same, from Apache, Apache Commons Crypto, which does utilize the same algorithms as Spring Crypto.
Keep in mind, you are safer using a library than implementing it yourself, since using the javax.crypto package requires you to know what you are doing so that you do not do more harm than needed.
Side note: You might bump into the situation that your JDK is limited to 128 bits. To benefit from 256 bits, make sure you add the Java Cryptography Extension.
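The javax.crypto version of the production-ready approach the answer above sketches: a fresh random salt per encryption, stored in front of the ciphertext so only the password is needed later; the password kept in a char[] that can be wiped; and the key derived from the password with PBKDF2 rather than used directly, with AES-GCM so a wrong password or a tampered blob is rejected instead of yielding garbage. This is an added example, not Spring's, jBCrypt's or the answerer's code; the class and method names, the iteration count and the byte layout are our choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Password-based encryption of a short string with the JDK's own javax.crypto:
 * PBKDF2-HMAC-SHA256 turns password + random salt into an AES-256 key, AES/GCM
 * encrypts and authenticates, and salt || nonce || ciphertext is Base64-encoded.
 * Added example; names and constants below are assumptions of this example.
 */
public class PasswordBasedEncryption {
    private static final int SALT_LEN = 16;               // bytes; fresh per encryption
    private static final int NONCE_LEN = 12;              // bytes; standard GCM nonce size
    private static final int TAG_BITS = 128;              // GCM authentication tag length
    private static final int KEY_BITS = 256;              // AES-256 (needs JCE unlimited policy on old JDKs)
    private static final int PBKDF2_ITERATIONS = 210_000; // assumed value; tune to your hardware
    private static final SecureRandom RNG = new SecureRandom();

    /** Derives the AES key from the password and salt; the password stays a char[] so it can be wiped. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
    }

    /** Returns Base64( salt || nonce || ciphertext+tag ). */
    static String encrypt(char[] password, String plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);                                  // never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        ByteBuffer out = ByteBuffer.allocate(SALT_LEN + NONCE_LEN + ct.length);
        out.put(salt).put(nonce).put(ct);
        return Base64.getEncoder().encodeToString(out.array());
    }

    /** Reverses encrypt(); throws AEADBadTagException on a wrong password or modified data. */
    static String decrypt(char[] password, String encoded) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(Base64.getDecoder().decode(encoded));
        if (in.remaining() < SALT_LEN + NONCE_LEN + TAG_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short");
        }
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        in.get(salt);
        in.get(nonce);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "my-super-secure-password-for-the-encryptor".toCharArray();
        String token = encrypt(password, "my-secure-password-to-be-encrypted");
        System.out.println(token);
        System.out.println(decrypt(password, token));         // same password: original text comes back
        try {
            decrypt("wrong-password".toCharArray(), token);   // different password: GCM tag check fails
        } catch (AEADBadTagException e) {
            System.out.println("rejected: wrong password or tampered data");
        }
        Arrays.fill(password, '\0');                          // wipe the secret when done
    }
}
```

The salt only has to be unique, not secret, which is why it can travel with the ciphertext; the thing that must be kept safe is the password passed to encrypt(), exactly as the answer says. Every encryption re-runs PBKDF2, so for many short strings under one password you would derive the key once per salt and reuse it rather than calling deriveKey() each time.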

The definition of a hash function includes resistance to preimages: given h(x), it should be impossible to recover x. A hash function being "reversible" is the exact opposite of that property. Therefore, you cannot reverse a hash function, hence it is not possible to get the actual value from the hashed value. You cannot get x from h(x); the only thing you can do is, for a newly supplied password y, compute h(y) and see if it is equal to h(x).
Not just jBCrypt: any secure hash function won't provide this functionality of recovery.
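What that "compute h(y) and compare with h(x)" looks like with jBCrypt's public API (BCrypt.gensalt, BCrypt.hashpw, BCrypt.checkpw), as an added example that is not part of the original answer or of the jBCrypt project: the store keeps only the hash, registration and login are the only two operations, and there is no decrypt anywhere. The in-memory user table, the cost factor and the sample user are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import org.mindrot.jbcrypt.BCrypt;

/**
 * A password store built on a one-way hash: hash at registration, check at login, never recover.
 * Added example on jBCrypt's public API; the table, cost and sample data are this example's own.
 */
public class PasswordStore {
    private static final int COST = 12;   // 2^12 bcrypt rounds; assumed value, raise as hardware allows
    // Computed once at start-up so that a login attempt for an unknown user still costs one bcrypt
    private static final String DUMMY_HASH = BCrypt.hashpw("not-a-real-password", BCrypt.gensalt(COST));

    private final Map<String, String> hashByUser = new HashMap<>();

    /** Registration: store only the hash. It embeds its own random salt and the cost factor. */
    void register(String user, String password) {
        hashByUser.put(user, BCrypt.hashpw(password, BCrypt.gensalt(COST)));
    }

    /** Login: checkpw re-hashes the candidate with the salt taken from the stored hash and compares. */
    boolean login(String user, String candidate) {
        String stored = hashByUser.get(user);
        if (stored == null) {
            BCrypt.checkpw(candidate, DUMMY_HASH);   // same amount of work as a real check; result ignored
            return false;
        }
        return BCrypt.checkpw(candidate, stored);
    }

    String storedHashFor(String user) {
        return hashByUser.get(user);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        store.register("alice", "correct horse battery staple");   // constructed sample user
        // The stored value is 60 chars: "$2a$12$", 22 chars of salt, then the 31-char hash
        System.out.println(store.storedHashFor("alice"));
        System.out.println(store.login("alice", "correct horse battery staple"));   // correct password
        System.out.println(store.login("alice", "wrong"));                           // wrong password
        System.out.println(store.login("bob", "anything"));                          // unknown user
    }
}
```

Because the salt and cost are inside the hash string, nothing else has to be stored per user, and raising COST later only requires re-hashing on the user's next successful login. The dummy check for unknown users keeps the response time the same whether or not the user exists, so the login endpoint does not reveal which user names are valid.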

But I didn't find any option to get back the actual value from the hashed value
Well - that's the primary purpose of the cryptographic hash functions.
is there any other way to encrypt and decrypt values in java? Thanks in advance...
There are a lot of examples to encrypt / decrypt values in Java, just search for it, even here on SO. You may as well have a look into my blog about encryption in Java - it's about basic low level crypto API.
I hope you don't mean to use encryption for user passwords - even a remote possibility of making the passwords reversible would make your system potentially dangerous in case of leaks.

Related

Encryption and Decryption with a String key - JAVA

I want to write a way to encrypt some data with a String key; which is the best approach?
Encode and decode a string with a key. Suppose you have a string "ABCD" and a key "BC"; then the output should be "BDDF".
Can someone please guide me with this question?
Depends on what level of security you want.
What you have described is a simple polyalphabetic substitution cipher and provides very little actual security (though it is a nice learning example, history lesson and good exercise in trying to learn how to break it).
In that case you may have a finite group (an array) of characters and work with remainderless addition. Simple and working.
If you want to encrypt something in a more serious way, you may look for serious cryptography (in your case you need as well a PBKDF - password based key derivation function).
I have written a small tutorial you may have a look at.
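The "remainderless addition" cipher the answer describes, carried through on the question's own example ("ABCD" with key "BC" gives "BDDF"): each letter is added to the corresponding letter of the repeated key modulo the alphabet size, and decoding subtracts it again. This is an added example for illustration, not the answerer's tutorial code; the class name and the A-Z alphabet are this example's choices, and it is a learning exercise, not a secure cipher.

```java
/**
 * Letter-wise addition modulo the alphabet size with a repeating key
 * (a Vigenère-style polyalphabetic substitution). Added example; not secure.
 */
public class ModularAdditionCipher {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final int N = ALPHABET.length();

    static String encode(String text, String key) {
        return shift(text, key, +1);
    }

    static String decode(String text, String key) {
        return shift(text, key, -1);
    }

    /** Adds (direction = +1) or subtracts (direction = -1) the key letters, wrapping modulo N. */
    private static String shift(String text, String key, int direction) {
        if (key.isEmpty()) {
            throw new IllegalArgumentException("key must not be empty");
        }
        StringBuilder out = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            int t = index(text.charAt(i));
            int k = index(key.charAt(i % key.length()));     // the key repeats over the text
            // Math.floorMod keeps the result in 0..N-1 even when t - k is negative
            out.append(ALPHABET.charAt(Math.floorMod(t + direction * k, N)));
        }
        return out.toString();
    }

    /** Position of a letter in the alphabet, i.e. the group element it stands for. */
    private static int index(char c) {
        int i = ALPHABET.indexOf(Character.toUpperCase(c));
        if (i < 0) {
            throw new IllegalArgumentException("not a letter: " + c);
        }
        return i;
    }

    public static void main(String[] args) {
        String ct = encode("ABCD", "BC");   // A+B, B+C, C+B, D+C = B, D, D, F
        System.out.println(ct);
        System.out.println(decode(ct, "BC"));
    }
}
```

The only thing the key changes is the per-position shift, so with a key shorter than the text the same shift repeats every key.length() letters; that repetition is exactly what makes this cipher a learning exercise rather than a protection.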

how do I decode md5 passwordencode data in spring [duplicate]

This question already has answers here: Is it possible to decrypt MD5 hashes? (24 answers)
Closed 5 years ago.
I am new to Java and Spring. I used Md5PasswordEncoder for password encoding. How can I decode it?
My encoding code is
    import org.springframework.security.authentication.encoding.Md5PasswordEncoder;

    // empDetails is the poster's own object; its getters return the values being encoded
    Md5PasswordEncoder md5PasswordEncoder = new Md5PasswordEncoder();
    String monthlycost = md5PasswordEncoder.encodePassword(
            empDetails.getMonthlyCost(), null);          // second argument is the salt; null means no salt
    String monthlyGrossSalary = md5PasswordEncoder.encodePassword(
            empDetails.getMonthlyGrossSalary(), null);
Please help me decode it.
It seems that you are not new to Java, but to programming in general. MD5 is a hashing algorithm. A hashing algorithm is (or should be) a one-way algorithm.
Example:
If you want to create a login system or so, you can save the password as MD5 when a user registers. When he tries to log in, you can create the hash value and compare it with the one you saved when he registered. That assumes that you don't have the password itself in your database.
You can read more about that here.
The whole point of a hashing algorithm such as MD5 is that you cannot decode it. It is a one-way function not an encryption algorithm.
So ... basically ... you can't decode it.
The way that this class is supposed to be used is that you start with the user's password in the clear when you are registering it. Then you hash the password (with a salt) and store the hash in the database. Later on, when the user tries to login, he/she presents the password in the clear again. You hash it (with the same salt) and then compare the hash with the hash that you stored previously. If the hashes are the same, then the user has supplied the correct password.
In other words, this lets you check a user's password without storing the user's actual password (in the clear or encrypted) in your database.
In your code, you are trying to use the encoder for a purpose that it wasn't designed for. It is simply not applicable. Neither is Md5.
Here's a Q&A with an example of how to do encryption and decryption in Java:
https://stackoverflow.com/a/22445878/139985
I'm sure that you can find other examples using alternative libraries if you want to search.
You cannot!
From Javadoc of Md5PasswordEncoder:
As MD5 is a one-way hash, the salt can contain any characters
It is one-way hash, so you cannot decode it.

How to decrypt a SHA-256 encrypted string?

I have a string that was salted, hashed with SHA-256, then base64 encoded. Is there a way to decode this string back to its original value?
SHA-256 is a cryptographic (one-way) hash function, so there is no direct way to decode it. The entire purpose of a cryptographic hash function is that you can't undo it.
One thing you can do is a brute-force strategy, where you guess what was hashed, then hash it with the same function and see if it matches. Unless the hashed data is very easy to guess, it could take a long time though.
You may find the question "Difference between hashing a password and encrypting it" interesting.
It should be noted - Sha256 does not encrypt the data/content of your string, it instead generates a fixed size hash, using your input string as a seed.
This being the case - I could feed in the content of an encyclopedia, which would easily be 100 MB of text, but the resulting string would still be 256 bits in size.
It's impossible for you to reverse the hash to get that 100 MB of data back out of the fixed-size hash; the best you can do is try to guess / compute the seed data, hash it, and then see if the hash matches the hash you're trying to break.
If you could reverse the hash, you would have the greatest form of compression to date.
SHA* is a hash function. It creates a representation (hash) of the original data. This hash is never intended to be used to recreate the original data. Thus it's not encryption. Rather the same hash function can be used at 2 different locations on the same original data to see if the same hash is produced. This method is commonly used for password verification.
You've done the correct thing by using a salt aka SSHA.
SHA and SHA-2 (or SHA-256) by itself without a salt are NOT considered secure anymore! Salting a SHA hash is called Salted SHA or SSHA.
Below is a simple example of how easy it is to de-hash SHA-1. The same can be done for SHA-2 without much effort as well.
Enter a password into this URL:
http://www.xorbin.com/tools/sha1-hash-calculator
Copy paste the hash into this URL:
https://hashes.com/en/decrypt/hash
Here's a page which de-hashes SHA-2. The way this page works is that somebody must have hashed your password before, otherwise it won't find it:
md5hashing dot net/hashing/sha256
Here's a page that claims to have complete SHA-2 tables available for download for a "donation" (I haven't tried it yet):
crackstation dot net/buy-crackstation-wordlist-password-cracking-dictionary.htm
Here's a good article that explains why you have to use SSHA over SHA:
crackstation dot net/hashing-security.htm

PBE Parameters for Compatibility with Java's OpenSSL.encrypt() Function

I am attempting to write C code using the openssl libraries to decrypt data that has been encrypted by the Java function OpenSSL.encrypt(). I know the password, but I have not been able to figure out the parameters for PBE.
I am attempting to use the EVP_BytesToKey() function, but I don't know which algorithm to use (MD2, MD5, SHA1?) or how many rounds to properly derive the key and iv from the password. Everywhere I have looked says the Java function is compatible with "openssl enc", but I can't find what parameters it uses either.
I have also looked at PKCS#5, which is what is supposedly implemented, but it doesn't specify a default for algorithm or number of rounds. Please help!
Edit:
Never mind, finally found parameters that work - MD5 with one round.
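The derivation the poster settled on, written out in Java rather than C so it can be checked against the Java side: EVP_BytesToKey with MD5 and a single round, producing key and IV from password and salt. This is an added example, not the poster's C code and not the OpenSSL.encrypt() implementation; it assumes the classic `openssl enc` container ("Salted__", an 8-byte salt, then the ciphertext) and AES-256-CBC, neither of which the page states, so check both against the data you actually have.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * EVP_BytesToKey(MD5, one round) applied to the "Salted__" container of `openssl enc`.
 * Added example; the container layout and AES-256-CBC are assumptions, not page facts.
 */
public class OpenSslCompatPbe {
    private static final byte[] MAGIC = "Salted__".getBytes(StandardCharsets.US_ASCII);
    private static final int SALT_LEN = 8, KEY_LEN = 32, IV_LEN = 16;   // AES-256 key, AES block IV

    /** D_i = MD5(D_{i-1} || password || salt), concatenated until keyLen + ivLen bytes exist. */
    static byte[][] evpBytesToKey(byte[] password, byte[] salt, int keyLen, int ivLen)
            throws NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] prev = new byte[0];                        // D_0 is the empty string
        while (out.size() < keyLen + ivLen) {
            md5.reset();
            md5.update(prev);
            md5.update(password);
            md5.update(salt);
            prev = md5.digest();                          // "one round": the digest is not re-hashed
            out.write(prev, 0, prev.length);
        }
        byte[] all = out.toByteArray();
        return new byte[][] {
            Arrays.copyOfRange(all, 0, keyLen),           // key = first keyLen bytes
            Arrays.copyOfRange(all, keyLen, keyLen + ivLen)   // iv = the next ivLen bytes
        };
    }

    private static Cipher cipherFor(int mode, String password, byte[] salt) throws Exception {
        byte[][] keyIv = evpBytesToKey(password.getBytes(StandardCharsets.UTF_8), salt, KEY_LEN, IV_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");   // AES-256 needs the JCE unlimited policy on old JDKs
        c.init(mode, new SecretKeySpec(keyIv[0], "AES"), new IvParameterSpec(keyIv[1]));
        return c;
    }

    /** Writes MAGIC || salt || ciphertext, the layout assumed to match `openssl enc -aes-256-cbc -md md5`. */
    static byte[] encrypt(String password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] body = cipherFor(Cipher.ENCRYPT_MODE, password, salt).doFinal(plaintext);
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        blob.write(MAGIC, 0, MAGIC.length);
        blob.write(salt, 0, SALT_LEN);
        blob.write(body, 0, body.length);
        return blob.toByteArray();
    }

    /** Checks the header, re-derives key and IV from the embedded salt, and decrypts the rest. */
    static byte[] decrypt(String password, byte[] blob) throws Exception {
        int headerLen = MAGIC.length + SALT_LEN;
        if (blob.length < headerLen || !Arrays.equals(Arrays.copyOf(blob, MAGIC.length), MAGIC)) {
            throw new IllegalArgumentException("not a Salted__ container");
        }
        byte[] salt = Arrays.copyOfRange(blob, MAGIC.length, headerLen);
        return cipherFor(Cipher.DECRYPT_MODE, password, salt).doFinal(blob, headerLen, blob.length - headerLen);
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse battery staple";                  // constructed demo password
        byte[] blob = encrypt(password, "hello from Java".getBytes(StandardCharsets.UTF_8));
        System.out.println(Base64.getEncoder().encodeToString(blob));     // what a caller would store or transmit
        System.out.println(new String(decrypt(password, blob), StandardCharsets.UTF_8));
    }
}
```

Two caveats for anyone adopting this for compatibility: a single MD5 round is fast enough that password guessing is cheap, so it is only worth keeping where existing data forces the format; and CBC carries no integrity check, so a wrong password typically surfaces as a BadPaddingException or as garbage rather than a clean failure. On the C side, the same derivation is EVP_BytesToKey(EVP_aes_256_cbc(), EVP_md5(), salt, password, passwordLen, 1, key, iv), with the salt taken from bytes 8 to 15 of the container.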

Need algorithm to protect string with password?

I am looking for a simple and FAST algorithm to encrypt/decrypt a string (length is about 128 bytes) with a password.
Any good algorithms?
ADDED: A custom algorithm is absolutely OK. The less memory it takes, the better (for my case). No extra classes - perfect.
AES Algorithm : Implementation
AES is a federal standard for private-key or symmetric cryptography. It supports combinations of key and block sizes of 128, 192, and 256.
How about IDEA - International Data Encryption Algorithm?
IDEA is the name of the patented and universally applicable block encryption algorithm, which permits the effective protection of transmitted and stored data against unauthorized access by third parties.
See for the implementation : How to implement IDEA?
AES or 3DES are pretty "standard" symmetrical key encryptions. Blowfish is another.
Check http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html for using AES with Java, for instance.
Side note: If this is intended for securing something like passwords, you should really use a one-way hashing method instead (like MD5 or similar). Unless you absolutely have to be able to decrypt the text, one-way hashing is much safer. When, for instance, storing passwords in a database you would hash the password (with something like MD5) and store it. Validating a login is then done by hashing the user input and comparing it with the hashed value stored in the database.
See Java Crypto! for Encryption and Decryption
There is the Tiny Encryption Algorithm ( http://en.wikipedia.org/wiki/XXTEA ).
It's pretty simple and fast (for an encryption algorithm) and there are Java implementations.
Here is a simple encryption/decryption method. It is pretty weak, so I present it for, say, education purposes:
    import java.nio.charset.StandardCharsets;

    /** Repeating-key XOR; the same call both encrypts and decrypts. */
    public static String encDec(String input, String password) {
        if (password.isEmpty()) {
            throw new IllegalArgumentException("password must not be empty");
        }
        // ISO-8859-1 maps every byte to exactly one char, so the XORed bytes survive the
        // trip through a String; with the platform default charset the round trip can fail
        byte[] in = input.getBytes(StandardCharsets.ISO_8859_1);
        byte[] key = password.getBytes(StandardCharsets.ISO_8859_1);
        byte[] result = new byte[in.length];
        int k = 0;
        for (int i = 0; i < in.length; i++) {
            result[i] = (byte) (in[i] ^ key[k]);   // xor each input byte with the next key byte
            k++;
            if (k == key.length) {
                k = 0;                              // wrap around to the start of the key
            }
        }
        return new String(result, StandardCharsets.ISO_8859_1);
    }
It simply xors the bytes of a phrase with the bytes of a password. The same method can be used to encrypt and decrypt. Not a big challenge for a crypto analyst, by the way, but an easy start if you just need to obfuscate some data.
To make it slightly better: don't pass a password String but a byte array with random values. But you wanted a method with a password, that's why I've implemented it that way ;)
