In this tutorial, we will learn the technique of salted password hashing using SHA-384 algorithm with an example.
The SHA (Secure Hash Algorithm) is one of the popular cryptographic hash functions. A cryptographic hash can be used to make a signature for a text or a data file.
The SHA-384 algorithm generates an almost-unique, fixed-size 384-bit hash. This is a one-way function, so the result cannot be decrypted back to the original value.
Check out Java SHA-256 Hash With Salt Example
Java SHA-384 Hash With Salt Example
package com.avaya.smgr.tm.util;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
public class SecureUtils {
public static String getSecurePassword(String password, byte[] salt) {
String generatedPassword = null;
try {
MessageDigest md = MessageDigest.getInstance("SHA-384");
md.update(salt);
byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (int i = 0; i < bytes.length; i++) {
sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
}
generatedPassword = sb.toString();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
return generatedPassword;
}
private static byte[] getSalt() throws NoSuchAlgorithmException {
SecureRandom random = new SecureRandom();
byte[] salt = new byte[16];
random.nextBytes(salt);
return salt;
}
public static void main(String[] args) throws NoSuchAlgorithmException {
// same salt should be passed
byte[] salt = getSalt();
String password1 = getSecurePassword("Password", salt);
String password2 = getSecurePassword("Password", salt);
System.out.println(" Password 1 -> " + password1);
System.out.println(" Password 2 -> " + password2);
if (password1.equals(password2)) {
System.out.println("passwords are equal");
}
}
}
Output:
Password 1 -> b9e38b7b187415e8fe4a1cbaadaaa6e2a0bdd472c99222df4d46abbc98fdadf2d6f45549c79e3846987bf236e18f6fcb
Password 2 -> b9e38b7b187415e8fe4a1cbaadaaa6e2a0bdd472c99222df4d46abbc98fdadf2d6f45549c79e3846987bf236e18f6fcb
passwords are equal
Notice that, both the passwords are equal because we are using the same salt for generating the same hashing password.
Let's understand the above example.
Java provides inbuilt MessageDigest class for SHA-384 hashing:
MessageDigest md = MessageDigest.getInstance("SHA-384");
Next, we create a new instance for the SecureRandom class and the nextByte() method generates the random salt.
SecureRandom random = new SecureRandom();
byte[] salt = new byte[16];
random.nextBytes(salt);
We add salt to input using the update() method of MessageDigest:
md.update(salt);
Once we have added the salt we can generate the hashed password using the digest() method:
byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8));
Convert byte[] into a string as:
byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8)); StringBuilder sb = new StringBuilder(); for(int i=0; i< bytes.length ;i++) { sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1)); } generatedPassword = sb.toString();
Validate Password
While Storing the password
- Generate a long random salt using SecureRandom.
- Use the Hash function such as SHA256 to hash both Salt and Password together.
- Save both the Salt and the Hash separately in the database.
While Validating the password
- Retrieve the Salt and Hash from the database.
- Use the same Hash function (SHA256) which is used while generating the hash.
- Generate a new Hash with the new password provided and the Salt retrieved from the database.
- Now compare the new hash with the hash from the database. If they match, then the password provided is correct. Otherwise, the password is incorrect.
Have a look into the above example, we are using the same salt to generate the same hashing password and validation.
Conclusion
In this tutorial, we have seen how to generate salted password hashing (SHA-384 algorithm) with an example.
Comments
Post a Comment
Leave Comment