-3

I know how to generate an MD5 Hash for a single string,

But what if I want to generate it like this:

String hash1 = GenHash(username:realm:password);

where the username and realm is fixed, the password is read from a text file which contain many words, and I want each of the words convert into md5 hash...

How can I do this ?

Blaky
  • 1
  • What exactly is the problem here? What's the difference between what you know how to do and what you're asking how to do? What's the question? – user207421 Mar 27 '15 at 23:35
  • ^^I took his question to be "How do I hash multiple things together?" My answer was "Concatenate then hash". – ManEatingCheese Mar 27 '15 at 23:45
  • 1
    Don't use MD5 to hash passwords. Use bcrypt or scrypt or pbkdf2 . LinkedIn had to pay $1.25M settlement for using a weak password hash. – Neil McGuigan Mar 28 '15 at 00:07

1 Answers1

1

The reason why Neil is so adamant about not using MD5 (and he's right, by the way) is that MD5 is vulnerable to attack. This means that passwords could be recovered if an attacker finds the hash output. Since hashing passwords is generally done so that the preimage (i.e. the password) won't be revealed if the hash is found, you are strongly (oh so strongly) advised against using MD5. (In fact, if you're in business and you use MD5 for passwords, have fun with the negligence lawsuit. [Not legal advice]) Neil recommends some good hash algorithms. (Details of why MD5 is vulnerable are far beyond the scope of this question.)

Okay. Your question is how you hash multiple things together.

In order to hash multiple things together, you generally just concatenate them or otherwise just hash them in order without calling "digest()". (The order does matter, by the way.) In your case, since you have a wrapper on the hashing function, you would merely concatenate the strings together before hashing them.

String username = "myName";
String realm = "Narnia";
String password = "secret";

String hash = GenHash(username + realm + password);

In everyone else's case, they are probably using the standard Java MessageDigest, so they would call digest multiple times... after converting their strings to byte arrays. (Note that you're going to want to specify an encoding when converting a String to a byte array to ensure it's always done the same way, otherwise your hash function may return different results on different machines.)

byte[] usernameBytes; //Set equal to perhaps UTF32 encoding of the string
byte[] realmBytes; //Set equal to perhaps UTF32 encoding of the string
byte[] passwordBytes; //Set equal to perhaps UTF32 encoding of the string

MessageDigest md = MessageDigest.getInstance("MD5");
md.update(usernameBytes); //Updates digest with these bytes
md.update(realmBytes);    //Updates digest with these bytes
md.update(passwordBytes); //Updates digest with these bytes

byte[] hashResult = md.digest(); //Outputs result

//Insert code to convert the byte array to an outputtable form (or perhaps you're writing to a binary file)

But remember: using Strings presents a security vulnerability!

Strings should never be used for passwords since the string values cannot be guaranteed to be deleted (since they reside on the heap and are therefore "deleted" by the garbage collector whenever it maybe gets around to it, and by "deleted" I mean deallocated, not deleted). An attacker obtaining access to a memory dump could read the password. (Admittedly you have other problems if an attacker gets a memory dump, but don't make it worse.)

It is preferred that a char[] is used for all passwords or other very-sensitive text values. You would therefore create a new char array of size (username.length() + realm.length() + password.length()) then iterate over each of your strings and add each character to the new array... which you would then hash... then you would wipe all sensitive text values that you are no longer using (by iterating over each array and setting each element equal to (char)0).

Again, you cannot manually delete or wipe a string, but you can manually wipe a char or char[].

Why is char[] preferred over String for passwords?

While you're at it, look up password or hash salting. It may be useful for what you're doing.

Community
  • 1
  • 1
ManEatingCheese
  • 228
  • 1
  • 11
  • Hi, thanks for help! I got it now! But I still have a question, how can I output the hash value to a text.txt ? Because I have generated 500+ hash value and the console are not able to show them all... – Blaky Mar 28 '15 at 03:19
  • Blaky, outputting to a text file is an entirely different question. There is plenty of material on StackOverflow for you to research -- I'm sure you can find the answer. You need to be aware of whether your hash output is text (i.e. with characters "0"-"9" and "A"-"F") or bytes (i.e. byte[]). byte[] won't output to a text file in a human-readable way, but that may or may not be a problem for you. (In general don't write bytes to text files; sometimes you write control characters and that gets weird quick.) – ManEatingCheese Mar 30 '15 at 20:36