• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Tim Cooke
  • Jeanne Boyarsky
  • Bear Bibeault
Sheriffs:
  • Knute Snortum
  • paul wheaton
  • Devaka Cooray
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Ron McLeod
  • Piet Souris
  • Ganesh Patekar
Bartenders:
  • Tim Holloway
  • Carey Brown
  • salvin francis

how to check sha512 hash value with salt

 
Ranch Hand
Posts: 1325
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I used sha512 with salt value. So i need to verify the generated hash value is correct ?
I am using binary array as a salt.
I am using https://www.baeldung.com/java-password-hashing as reference. below is the code. So i will save the hashed valeu and salt in DB.


I need to verify that the generated hashed value by manually . foe example i need to hash the same password using that salt value and check that i am getting same hashed value . I found below site but it does not provide place to add salt value ?

sha256 site
 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
String plainText = "text" + "salt";

MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
byte[] hash = messageDigest.digest( plainText.getBytes() );

System.out.println("Result: " + new String(hash));
 
Saloon Keeper
Posts: 10495
224
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Don't do this ever.

Use a key derivation function to create and verify user passwords. Writing your own salt+hash function is asking to get hacked. Heck, if you're working with a framework like Spring or Java EE, don't even use a key derivation function, but use the security middleware instead.

If this is just for practice, you will want to get an instance of SecretKeyFactory and convert an instance of PBEKeySpec to a SecretKey.

Don't use String. Move the raw password as a character array before you create a PBEKeySpec out of it. When you're done creating the SecretKey, make sure to zero out the character array and clear the PBEKeySpec.

You can store the SecretKey either by serializing it, or by calling getEncoded() to get the raw bytes. You will also want to store the IV of the PBEKeySpec you generated the secret with.

To verify a password the user entered, retrieve the SecretKey and IV from storage, and create a new SecretKey using the entered password and the stored IV. When the new secret has the same bytes as the stored secret, the password is valid.

Make sure to post your code when you're done or need help, so we can help you with possible security issues.
 
shawn peter
Ranch Hand
Posts: 1325
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Stephan,

This is for just practise. I need to generate the hash password using salt and password. Then need to check it is generating same value. Can you provide me a way for it.
 
Stephan van Hulst
Saloon Keeper
Posts: 10495
224
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You just store the hashed password and the salt somewhere. When you want to validate, you hash the entered password again, except the second time you use the stored salt, not a newly generated one. If the hashes match, the password is valid.
 
shawn peter
Ranch Hand
Posts: 1325
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
but the i need to validate this not the pragmatically, i need to validate using user friendly way. For example i need to validate using some website which take password and salt value and generate the hashed password.
Also i stored the hashed password as a byte array. So i need to convert it to String before doing validation.
 
Rancher
Posts: 478
6
IntelliJ IDE Spring Fedora
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Stephan van Hulst wrote: except the second time you use the stored salt, not a newly generated one.


Should the app use a different salt for each password or should It be generated one time and then stored in a file or what?  
 
Stephan van Hulst
Saloon Keeper
Posts: 10495
224
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

shawn peter wrote:but the i need to validate this not the pragmatically, i need to validate using user friendly way.


So? Once you can do it programmatically, you can call your code from a user interface, yeah?

For example i need to validate using some website which take password and salt value and generate the hashed password.


Why does the user need to enter the salt? That makes no sense.

Also i stored the hashed password as a byte array. So i need to convert it to String before doing validation.


Why?
 
Stephan van Hulst
Saloon Keeper
Posts: 10495
224
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Al Hobbs wrote:Should the app use a different salt for each password or should It be generated one time and then stored in a file or what?


In crypto speak, a salt is also called an "initialization vector", or IV. Any cryptographic operation that transforms a secret message (like a password) must yield a unique value every time. If you hash a password twice, you should end up with two different and completely random looking byte strings. That's what the IV is for: it introduces a unique and random component to every password.

To be able to validate a hash, you need to hash the password with the same IV you used in the original operation. That means you must store an IV with every password hash. You can do this by appending the IV to the hash, or by storing it in a separate database cell, if you want. It doesn't really matter. Unlike the hash, IVs are not considered secret.

In addition to salting a password, some publications recommend using a pepper as well: encrypting a password with a key before hashing the result. The key is generated once per deployment and is stored in a configuration file. I strongly doubt it provides any significant security improvements over just using a proper hashing algorithm like PBKDF2 or bcrypt.
 
There is no beard big enough to make me comfortable enough with my masculinity to wear pink. Tiny ad:
Java file APIs (DOC, XLS, PDF, and many more)
https://products.aspose.com/total/java
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!