Need help with MD5

 
Greenhorn
Hello all,
I am fairly new in Java, and I am having a bit of a problem with MD5 hash that I need to use for a program for school.

I am supposed to be building an authentication system that takes a username and password from the user, converts the password to a hash, compares it to the hashed password in the credentials file, and then gives access accordingly. I have attached the code for the MD5 hash, the unfinished program code (named final) and the credentials file.

The problem I am having is that when I run the MD5 code as a standalone, the hash it generates matches the hash from the credentials file. But when I run final, the hash for only the last two credentials (ones without space in the actual PW) match, the top 4, with spaces in the actual password do not match. I cannot seem to figure out what I have done wrong.

Any help and guidance is much appreciated.
Thank you
Abu



 
Saloon Keeper
Post the code, the data you're using, what result you were expecting, and what actually happened.

And note that MD5 is considered insecure, and should not be used for anything. SHA-2 is considered state of the art.

 
Abu Alam
Greenhorn
I thought I attached the data and the codes.

Anyways, below is the credential data that the program needs to read from

griffin.keyes       108de81c31bf9c622f76876b74e9285f  "alphabet soup"    zookeeper
rosario.dawson      3e34baa4ee2ff767af8c120a496742b5  "animal doctor"    admin
bernie.gorilla      a584efafa8f9ea7fe5cf18442f32b07b  "secret password"  veterinarian
donald.monkey       17b1b7d8a706696ed220bc414f729ad3  "M0nk3y business"  zookeeper
jerome.grizzlybear  3adea92111e6307f8f2aae4721e77900  "grizzly1234"      veterinarian
bruce.grizzlybear   0d107d09f5bbe40cade3de5c71e9e9b7  "letmein"          admin

username            hashPW                            actual PW          role

Below is the MD5 code. I am aware of the insecurity, but it is a requirement of the professor.

[code=java]
import java.security.MessageDigest;

public class MD5Digest {

    public static void main(String[] args) throws Exception {

        //Copy and paste this section of code
        String original = "letmein";  //Replace "password" with the actual password inputted by the user
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(original.getBytes());
        byte[] digest = md.digest();
        StringBuffer sb = new StringBuffer();
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        //End copy/paste

        System.out.println("original:" + original);
        System.out.println("digested:" + sb.toString()); //sb.toString() is what you'll need to compare password strings
    }

}
[/code]

Below is my incomplete code

[code=java]
package finalpractice;


import java.security.*;
import java.lang.*;
import java.io.*;
import java.nio.*;
import java.util.*;
import javax.swing.*;

public class FinalPractice
{

 
   public static void main(String[] args) throws FileNotFoundException, IOException, NoSuchAlgorithmException
   {
       //variables from text file
       String userName = "";
       String hashPassword = "";
       String actualPassword = "";
       String employeeRole = "";

       try
       {

           BufferedReader br = new BufferedReader(new FileReader("F:\\SNHU_School\\IT145\\Assignment_codes\\final_project\\Credentials.txt"));
           String line = null;

           while ((line = br.readLine()) != null)
           {
               String tmp[] = line.split("\t");
               userName = tmp[0];
               hashPassword = tmp[1];
               actualPassword = tmp[2];
               employeeRole = tmp[3];
               // print all variables
               // FIXME: REMOVE THE SYSTEM.OUT LINE
               System.out.println(userName + "\t" + hashPassword + "\t" + actualPassword + "\t" + employeeRole);
           }
           br.close();
       }
       catch (IOException FIex)
       {
           System.out.println("ERROR");

       }
       // ASK FOR USERNAME AND PW
       Scanner scnr = new Scanner(System.in);
       String userInputName = "";
       String userInputPW = "";

       System.out.println("Enter username: ");
       userInputName = scnr.next();
       System.out.println("Enter password: ");
       userInputPW = scnr.next();

       
       // GENERATING HASH PW
       //userInputPW = "";
       MessageDigest md = MessageDigest.getInstance("MD5");
       md.update(userInputPW.getBytes());
       byte[] digest = md.digest();
       StringBuilder sb = new StringBuilder();
       for (byte b : digest)
       {
           sb.append(String.format("%02x", b & 0xff));
       }
//FIXME
       System.out.println(sb.toString());
//
       return;
   }
}
[/code]

When I run the MD5 code with the password in there, the hashed PW it spits out matches the one in the data file, but when I do a test run on my program, a totally different hash is given out. I think it is because for some reason, when the MD5 is taking the user input password, it is disregarding the word after the space. When I enter either of the last two passwords on the data file, the hashed PW matches that of the data file. Although I have removed it from my codes, I did try the split() and replaceAll() methods to get rid of the whitespace in the password before it is fed to the MD5.

The whole program is to write a program for an authentication system, where the user will input username and PW, and if it matches the credentials on the data file, then the user will be given access to another file specific to that user.

Thank you very much for your help Tim.
Abu
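
An added example, not part of the original posts, that reproduces the mismatch described above: `Scanner.next()` returns a single whitespace-delimited token, so a password containing a space is cut at the space before it is hashed, while `nextLine()` keeps it whole. The class and method names (`ScannerTokenDemo`, `md5Hex`, `report`) and the typed input string are constructed for illustration; the stored hash is the one for griffin.keyes in the posted credentials data, and the charset is made explicit rather than left to the platform default.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Scanner;

public class ScannerTokenDemo {

    // Same hashing steps as the posted MD5Digest, with an explicit charset.
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    static void report(String user, String pw, String stored) throws NoSuchAlgorithmException {
        String hash = md5Hex(pw);
        // MessageDigest.isEqual avoids an early-exit comparison of the two hex strings.
        boolean match = MessageDigest.isEqual(
                hash.getBytes(StandardCharsets.US_ASCII),
                stored.getBytes(StandardCharsets.US_ASCII));
        System.out.printf("%s  pw=[%s]  md5=%s  match=%b%n", user, pw, hash, match);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Stored hash for griffin.keyes, copied from the credentials data in the post.
        String stored = "108de81c31bf9c622f76876b74e9285f";
        // Constructed stand-in for what the user types at the two prompts.
        String typed = "griffin.keyes\nalphabet soup\n";

        // As in FinalPractice: next() stops at the first whitespace.
        Scanner byToken = new Scanner(typed);
        String user1 = byToken.next();
        String pw1 = byToken.next();      // "alphabet"; "soup" is left unread

        // Whole-line reads keep the space. nextLine() is used for both prompts,
        // because next() followed by nextLine() returns the empty rest of line 1.
        Scanner byLine = new Scanner(typed);
        String user2 = byLine.nextLine();
        String pw2 = byLine.nextLine();   // "alphabet soup"

        report(user1, pw1, stored);
        report(user2, pw2, stored);
    }
}
```

Printing the password between brackets, as `report` does, makes a truncated or padded input visible before any hash is compared.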

 
Bartender
What Tim said.

I'd check this site as one of many examples for Generating SHA 256 and I personally would be worried about any class that was teaching me how to use insecure hashing methods like MD5!

https://www.quickprogrammingtips.com/java/how-to-generate-sha256-hash-in-java.html

-- mike
 
Abu Alam
Greenhorn
Cheers Mike. I know what you mean about the MD5. I might be new at Java programming, but before I started this project, I did a little research on MD5, and I echoed your and Tim's sentiment to my instructor, and he says that MD5 is not insecure and that the project requirement is using the MD5.

Thank you though.
Abu
 
Mike London
Bartender
You could just point him to many, many of the online resources which discuss the insecurity.

https://en.wikipedia.org/wiki/MD5  (where it says, among other things: "The security of the MD5 hash function is severely compromised")

Nobody I know could survive a code review using MD5 in 2019.

-- mike
 
Abu Alam
Greenhorn
This is my first Java programming class. When the instructor first told us that we need to use MD5 in our final project, I decided to read up on it, and like you said, everywhere I looked said that same thing, that MD5 is extremely insecure. And trust me, I asked the instructor point blank, "when creating an authentication system, will the MD5 not make it insecure?". The instructor's one-word answer to that was "NO". The other thing could be that because it is a beginner level class, the instructor probably just wanted us to be familiar with hash codes. I don't know. But the most I could get out of him about this was a "NO". It also does not help that it is an online class.
 
Mike London
Bartender
It's not worth arguing with an instructor who may be misinformed or is thinking a certain way that contradicts what is, from my readings, universally agreed upon.

Just do what you need to do to get through the class, as learning how to code is the goal here, and then banish MD5.

-- mike
 
Saloon Keeper
Every job has its tool. MD5 is not obsolete, but it should not be used to secure sensitive information.

For that matter, any normal hashing algorithm shouldn't be used by itself to derive a key from a password. You need to use a key derivation function, as the name implies. Examples are PBKDF2 and bcrypt. These are based on hashing algorithms like SHA256, but that's not the end of the story.

Do the exercise, then forget most of what you've learned and then study key derivation algorithms.
 
Don't get me started about those stupid light bulbs.