Using BCrypt with a char[]

Question

Around a few hours ago, I enquired on Stack Overflow about methods on how to convert a char[] to an MD5 hash. A solution was provided, but was thought to be insecure - as outlined by a couple of people: Generating an MD5 Hash with a char[]

Neil Smithline recommended that I make use of BCrypt, but I am unable to use that with char[]'s.

The reason that I am using a char[] for storing the retrieved password from a login form is because .getPassword() supports only char[].

        char[] passwordChars = passwordInputField.getPassword();
        String hashed = BCrypt.hashpw(passwordChars, BCrypt.gensalt(12));

Currently, I am trying to use the above code to generate a hash but as the variable passwordCars is of type a char[], it is not supported by BCrypt.haspw()

Now the only reason why I am not using a regular String is because it cannot be cleared from memory.

My question now is - is it possible to somehow use char[]'s with BCrypt?

Thanks in advance!

It's kinda a bad idea, but you would need to take the char[] and turn back into a String (based on what I can tell from the api), which seems like a bad design... — MadProgrammer, May 31 '15 at 21:54
What would you recommend then? MD5 seems insecure, and BCrypt doesn't seem to work with char[]'s. — Hrach Ghapantsyan, May 31 '15 at 21:58
I'm no security expert by any means, but about the only issue I know of with md5 is that there is a remote chance that it could generate the same hash value for two different strings. Do you have any more information it's vanutability? — MadProgrammer, May 31 '15 at 22:06
Okay, you could pull a version from [here](https://github.com/jeremyh/jBCrypt) modify it to use a char[] instead and then post a pull request to solve the problem — MadProgrammer, May 31 '15 at 22:14
@MadProgrammer - hashing is out for password storage "key extension" is in. [BCrypt and PBKDF2](http://security.stackexchange.com/a/6415/10885) are the standards. — Neil Smithline, May 31 '15 at 22:15
@NeilSmithline - Any suggestions on what I could do? Any solutions to use? — Hrach Ghapantsyan, May 31 '15 at 22:18
Yes @HrachGhapantsyan, both Java impls of bcrypt that I found take a String as input. As you seem to know, putting the password into a string opens you up to memory attack. — Neil Smithline, May 31 '15 at 22:19
I just saw an implementation of pbkdf2 which took a String and converted it to a char[] :( — MadProgrammer, May 31 '15 at 22:20
You can just tweak the functions @MadProgrammer to avoid the String. — Neil Smithline, May 31 '15 at 22:29
@NeilSmithline It's a shame that the base implementation examples which are demonstrated make such a fundamentally bad mistake — MadProgrammer, May 31 '15 at 22:40

score 4 · Answer 1 · edited May 23 '17 at 11:53

So, based on the implementation presented at https://github.com/jeremyh/jBCrypt, you need to change the hashpw and checkpw methods to accept char[] instead of String

Probably, the hardest part is in hashpw...

    try {
        passwordb = (password + (minor >= 'a' ? "\000" : "")).getBytes("UTF-8");
    } catch (UnsupportedEncodingException uee) {
        throw new AssertionError("UTF-8 is not supported");
    }

The easiest solution would be to wrap the char[] back into a String, but we're trying to avoid that. Instead, based on the highest scoring answer from Converting char[] to byte[], we can do something more like...

    char[] expanded = password;
    if (minor >= 'a') {
        expanded = Arrays.copyOf(expanded, expanded.length + 1);
        expanded[expanded.length - 1] = '\000';
    }

    CharBuffer charBuffer = CharBuffer.wrap(expanded);
    ByteBuffer byteBuffer = Charset.forName("UTF-8").encode(charBuffer);
    passwordb = Arrays.copyOfRange(byteBuffer.array(), byteBuffer.position(), byteBuffer.limit());

The checkpw method actually doesn't need any modifications (apart from the parameters), as it uses the hashpw method to check the results.

So, testing...

// We want the same salt for comparison
String salt = BCrypt.gensalt(12);
String original = BCrypt.hashpw("Testing", salt);
System.out.println(original);
String hash = BCrypt.hashpw("Testing".toCharArray(), salt);
System.out.println(hash);
System.out.println(BCrypt.checkpw("Testing", hash));
System.out.println(BCrypt.checkpw("Testing".toCharArray(), hash));

Outputs...

$2a$12$KclXlnca78yhcrg1/mNrRepLYqeJE//SRhrh1X3UM7YUQMjY4x8gy
$2a$12$KclXlnca78yhcrg1/mNrRepLYqeJE//SRhrh1X3UM7YUQMjY4x8gy
true
true

Now, if you have a GitHub account, you could actually clone the original repo, make the suggested changes and generate a pull requests. I'd, personally, be temptered to get rid of the checkpw and hashpw methods which require String

I also found this implementation of the PDKDF2, which uses String, but then promptly converted it to a char[] ... so, that was VERY simply to change...

score 1 · Accepted Answer · answered May 31 '15 at 22:27

Both Java impls of bcrypt that I found take a String as input. As you seem to know, putting the password into a string opens you up to memory attack.

You can use PBKDF2 as well as bcrypt. Both are considered top-notch. There are PBKDF2 Java code samples here and here. Both allow passing a char[] to the functions.

To answer an implicit question from the comments, the reason that you don't use MD5 or any hash is that they are just too fast. Brute forcing passwords with special hardware becomes possible with them. Bcrypt and PBKDF2 are designed to be slow.

Even if you're going to use a hash (which I recommend against), you must salt it. Reversing unsalted password hashes is trivial (see this tool).

The CrackStation's reference on password storage is a good general reference.

If you recommend not using hashes, then what would you recommend using? — Hrach Ghapantsyan, May 31 '15 at 22:30
Also, for the second example, will I need to modify any of the source code and could you provide a usage example? — Hrach Ghapantsyan, May 31 '15 at 22:50

score 0 · Answer 3 · answered Feb 08 '17 at 20:03

The short answer to your question: yes, it is possible to use char[]s with BCrypt in Java.

The Bouncy Castle crypto packages for Java added the BCrypt password hashing algorithm (using the String format and the Base64 encoding of the reference implementation on OpenBSD) in version 1.52 (Mar 2015), and it only supports char[] passwords.

The relevant method to generate a BCrypt string can be found in the org.bouncycastle.crypto.generators.OpenBSDBCrypt class and has the following signature:

String generate(char[] password,
                byte[] salt,
                int cost)

If you'd like to verify in the source code that the char[] is preserved without being converted into a String, the relevant classes are OpenBSDBcrypt, Strings and BCrypt.

Using BCrypt with a char[]

3 Answers3

Linked