2

I am using the same MySQL table to store passwords from different programs. One is written in Java and the other is written in PHP.

I am saving the password via PHP using this script:

    $encrypted_password = md5(md5('added_salt') . md5(md5('plain_password')));

I need to encrypt the password in Java using MD5 and a salt like above. I wrote code in Java but its output is different:

    MessageDigest md = MessageDigest.getInstance("MD5");

    String salts = "a,d,d,e,d,_,s,a,l,t";

    String salttmps[] = salts.split(",");
    byte salt[] = new byte[salttmps.length];

    for (int i = 0; i < salt.length; i++) {
        salt[i] = Byte.parseByte(salttmps[i]);
    }
    md.update(salt);
    md.update(password.getBytes());

    byte byteData[] = md.digest();

    StringBuffer sb = new StringBuffer();
    for (int i = 0; i < byteData.length; i++) {
        sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16).substring(1));
    }
    password = sb.toString();

I need to correct the Java code and generate the same output as PHP.

Aryan G
  • You really [shouldn't use `md5`](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – kero Jun 11 '14 at 10:49
  • Is there any other option? I already have PHP application that used MD5. – Aryan G Jun 11 '14 at 10:52
  • http://stackoverflow.com/questions/4183646/java-md5-the-php-way – cy3er Jun 11 '14 at 10:54
  • http://www.mkyong.com/java/java-md5-hashing-example/ – ashok_p Jun 11 '14 at 10:56
  • @AryanG - You could use [BCrypt](http://www.mindrot.org/projects/jBCrypt/) instead. Of course this means that the PHP application has to change to this algorithm too, but migrating to a safer algorithm is overdue anyway. PHP offers the function [password_hash()](http://www.php.net/manual/en/function.password-hash.php). – martinstoeckli Jun 11 '14 at 15:27
  • Also see Openwall's [PHP password hashing framework](http://www.openwall.com/phpass/) (PHPass). It's portable and hardened against a number of common attacks on user passwords. The guy who wrote the framework (SolarDesigner) is the same guy who wrote [John The Ripper](http://www.openwall.com/john/) and sits as a judge in the [Password Hashing Competition](http://password-hashing.net/). So he knows a thing or two about attacks on passwords. – jww Oct 12 '14 at 02:03

1 Answer

2

If you could post an example of output in your question, it would be better to reproduce the algorithm.

I guess you should do something like this:

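    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public static void main(String[] args) {

        try {
            System.out.println(md5(md5("added_salt"), md5("plain_password")));
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }

    // MD5 of the plain text alone, as lowercase hex.
    public static String md5(String plainText) throws NoSuchAlgorithmException {
        return md5(null, plainText);
    }

    // MD5 over the salt bytes (if any) followed by the plain-text bytes, as lowercase hex.
    public static String md5(String salt, String plainText)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");

        // Explicit charset so the digest does not depend on the platform default.
        if (salt != null) {
            md.update(salt.getBytes(StandardCharsets.UTF_8));
        }
        md.update(plainText.getBytes(StandardCharsets.UTF_8));

        byte byteData[] = md.digest();

        // Two lowercase hex digits per byte, like PHP's md5().
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < byteData.length; i++) {
            sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16)
                    .substring(1));
        }
        return sb.toString();
    }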

`md5(md5("added_salt"), md5("plain_password"))` returns `3bd9e544ab1a3d3485f07af38cc1b415`

Bruno Volpato
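An added example, not code from the question or the answer: a Java rendering that follows the PHP expression in the question literally, including the double `md5()` of the password and the fact that PHP concatenates hex strings rather than raw digest bytes. The class and method names (`LegacyPhpMd5`, `md5Hex`, `legacyHash`, `verify`) are assumptions made for illustration, and the salt and password are the question's own literals.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class LegacyPhpMd5 {

    // Equivalent of PHP's md5($s): 32 lowercase hex characters.
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        // Fixed charset: getBytes() without one depends on the platform default.
        byte[] digest = md.digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // md5(md5($salt) . md5(md5($password))) as written in the question:
    // the inputs to the outer md5 are hex strings, and the password is hashed twice.
    static String legacyHash(String salt, String password)
            throws NoSuchAlgorithmException {
        return md5Hex(md5Hex(salt) + md5Hex(md5Hex(password)));
    }

    // Check a login attempt against the stored hex value with a comparison
    // that does not stop at the first differing character.
    static boolean verify(String salt, String password, String storedHex)
            throws NoSuchAlgorithmException {
        byte[] expected = storedHex.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = legacyHash(salt, password).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Self-check against the RFC 1321 test vector for "abc".
        if (!md5Hex("abc").equals("900150983cd24fb0d6963f7d28e17f72")) {
            throw new IllegalStateException("md5Hex does not match the MD5 test vector");
        }
        // Constructed round trip: hash once, then verify a right and a wrong password.
        String stored = legacyHash("added_salt", "plain_password");
        System.out.println(stored);
        System.out.println(verify("added_salt", "plain_password", stored));
        System.out.println(verify("added_salt", "wrong_password", stored));
    }
}
```

Comparing the first printed line with the value the PHP script stores for the same salt and password confirms that both programs agree on the format.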