Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I generate a SALT in Java for Salted-Hash?

I've been looking around and the closest answer is : How to generate a random alpha-numeric string?

I want to follow this workflow according to this CrackStation tutorial:

To Store a Password

  1. Generate a long random salt using a CSPRNG.

  2. Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256.

  3. Save both the salt and the hash in the user's database record.

To Validate a Password

  1. Retrieve the user's salt and hash from the database.

  2. Prepend the salt to the given password and hash it using the same hash function.

  3. Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect.

I don't know how to generate a SALT. I figured out how to generate a hash using the MessageDigest. I tried using SecureRandom but nextByte method produces garbled code.

Edit: I don't know which answer to choose, they're too complicated for me, I have decided to use jBCrypt; jBCript is easy to use, does all the complex stuff behind the scenes. so I'll let the community vote up for the best answer.

like image 295
Louis Hong Avatar asked Aug 09 '13 08:08

Louis Hong


People also ask

How do you generate a random salt in Java?

To generate salt bytes in Java, we just need to make sure that we use a secure random number generator. Construct an instance of SecureRandom, create (say) a 20-byte array, and call nextBytes() on that array: Random r = new SecureRandom(); byte[] salt = new byte[20]; r. nextBytes(salt);

What is a salt in hash generation?

A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.

Can you salt a hash?

If you have a password, you can easily turn it into a hash, but if you have the hash, the only way to get the original password back is by brute force, trying all possible passwords to find one that would generate the hash that you have.

What is salt in encryption in Java?

The salt is random data very often used in cryptography as additional input to a hash function. Doing encryption and decryption of a String with a salt implies that you should: Read an initial String. Generate random bytes to be placed in the salt.


1 Answers

Inspired from this post and that post, I use this code to generate and verify hashed salted passwords. It only uses JDK provided classes, no external dependency.

The process is:

  • you create a salt with getNextSalt
  • you ask the user his password and use the hash method to generate a salted and hashed password. The method returns a byte[] which you can save as is in a database with the salt
  • to authenticate a user, you ask his password, retrieve the salt and hashed password from the database and use the isExpectedPassword method to check that the details match
/**  * A utility class to hash passwords and check passwords vs hashed values. It uses a combination of hashing and unique  * salt. The algorithm used is PBKDF2WithHmacSHA1 which, although not the best for hashing password (vs. bcrypt) is  * still considered robust and <a href="https://security.stackexchange.com/a/6415/12614"> recommended by NIST </a>.  * The hashed value has 256 bits.  */ public class Passwords {    private static final Random RANDOM = new SecureRandom();   private static final int ITERATIONS = 10000;   private static final int KEY_LENGTH = 256;    /**    * static utility class    */   private Passwords() { }    /**    * Returns a random salt to be used to hash a password.    *    * @return a 16 bytes random salt    */   public static byte[] getNextSalt() {     byte[] salt = new byte[16];     RANDOM.nextBytes(salt);     return salt;   }    /**    * Returns a salted and hashed password using the provided hash.<br>    * Note - side effect: the password is destroyed (the char[] is filled with zeros)    *    * @param password the password to be hashed    * @param salt     a 16 bytes salt, ideally obtained with the getNextSalt method    *    * @return the hashed password with a pinch of salt    */   public static byte[] hash(char[] password, byte[] salt) {     PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH);     Arrays.fill(password, Character.MIN_VALUE);     try {       SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");       return skf.generateSecret(spec).getEncoded();     } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {       throw new AssertionError("Error while hashing a password: " + e.getMessage(), e);     } finally {       spec.clearPassword();     }   }    /**    * Returns true if the given password and salt match the hashed value, false otherwise.<br>    * Note - side effect: the password is destroyed (the char[] is filled with zeros)    *    * @param password     the password to check    * @param salt         the salt used to hash the password    * @param expectedHash the expected hashed value of the password    *    * @return true if the given password and salt match the hashed value, false otherwise    */   public static boolean isExpectedPassword(char[] password, byte[] salt, byte[] expectedHash) {     byte[] pwdHash = hash(password, salt);     Arrays.fill(password, Character.MIN_VALUE);     if (pwdHash.length != expectedHash.length) return false;     for (int i = 0; i < pwdHash.length; i++) {       if (pwdHash[i] != expectedHash[i]) return false;     }     return true;   }    /**    * Generates a random password of a given length, using letters and digits.    *    * @param length the length of the password    *    * @return a random password    */   public static String generateRandomPassword(int length) {     StringBuilder sb = new StringBuilder(length);     for (int i = 0; i < length; i++) {       int c = RANDOM.nextInt(62);       if (c <= 9) {         sb.append(String.valueOf(c));       } else if (c < 36) {         sb.append((char) ('a' + c - 10));       } else {         sb.append((char) ('A' + c - 36));       }     }     return sb.toString();   } } 
like image 100
assylias Avatar answered Sep 30 '22 05:09

assylias