I need some guidance on the scenario where I need to check the password coming from UI form (i.e, Authentication object) which I need to hashed using SHA-256 + constant salt(before making comparison) and password coming from DB (DB also has hashed password + salt) using Spring Security.
I am looking to compare these two different hashed value generated using same SALT value. How we can do it in java? Could anyone please share me a sample code?
You could simply compare the two password strings passwordA.equals(passwordB) ...
This has some security shortcomings:
Passwords should not be handled as strings, but as char or byte arrays: see here why
An Equal comparison is (theoretically) vulnerable to a timing-attack: see a discussion about a solution in java
It might be wise to use standard-tool to do security related things (even when they seem to be simple). Spring security has a ton of tools that can do that for you. Have a look at BCryptPasswordEncoder for example. Using well tested and maintained frameworks for security purposes is always a good idea.
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password);
...
boolean result = passwordEncoder.matches(rawPassword, hashedPassword);
Also: Use a proper Algorithm for Password-Hashing! See this Answer on SO for some proposals
SHA-256 is not one of them. Spring Security gives you the right tools for the jobs, so you could just use them.
It looks to me you're looking to compare two separate hashed values created using same salt. Am I right ? If yes, so here is the sample program taking a reference from https://ashishpshukla.wordpress.com/2010/07/02/sample-java-code-for-password-encryption-using-secure-hash-algorithm-sha-256/
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
public class PasswordEncoder {
private static PasswordEncoder instance;
private final static int ITERATION_COUNT = 5;
private PasswordEncoder() { }
public static synchronized PasswordEncoder getInstance() {
if (instance == null) {
PasswordEncoder returnPasswordEncoder = new PasswordEncoder();
return returnPasswordEncoder;
}
else
return instance;
}
public synchronized String encode(String password, String saltKey)throws NoSuchAlgorithmException, IOException {
String encodedPassword = null;
byte[] salt = base64ToByte(saltKey);
MessageDigest digest = MessageDigest.getInstance("SHA-256");
digest.reset();
digest.update(salt);
byte[] btPass = digest.digest(password.getBytes("UTF-8"));
for (int i = 0; i < ITERATION_COUNT; i++) {
digest.reset();
btPass = digest.digest(btPass);
}
encodedPassword = byteToBase64(btPass);
return encodedPassword;
}
private byte[] base64ToByte(String str) throws IOException {
BASE64Decoder decoder = new BASE64Decoder();
byte[] returnbyteArray = decoder.decodeBuffer(str);
return returnbyteArray;
}
private String byteToBase64(byte[] bt) {
BASE64Encoder endecoder = new BASE64Encoder();
String returnString = endecoder.encode(bt);
return returnString;
}
public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
String password = "Secrete@343";
String saltKey = "PveFT7isDjGYFTaYhc2Fzw==";
String hash1,hash2 = null;
// Assume from UI
PasswordEncoder encoder1 = PasswordEncoder.getInstance();
hash1 = encoder1.encode(password, saltKey);
System.out.println(hash1);
// Assume the same present in db
PasswordEncoder encoder2 = PasswordEncoder.getInstance();
hash2 = encoder2.encode(password, saltKey);
System.out.println(hash2);
if(hash1.equalsIgnoreCase(hash2))
System.out.println("Both hash Matches..");
else
System.out.println("Hash matches fails..");
}
}
The output:
8WgbLik5EbdtJY4OWm2ZQ0tHiU2lmvXNVrPhFDz3W2Y=
8WgbLik5EbdtJY4OWm2ZQ0tHiU2lmvXNVrPhFDz3W2Y=
Both hash Matches..
