1

It's my first time dealing with Password hashing in a web application. I used https://www.codeproject.com/articles/704865/salted-password-hashing-doing-it-right for theory and copied a sample from https://github.com/defuse/password-hashing. In my understanding, the salt should be unique for every account. So my question would be:

why is the salt generated in this method:

 public static String createHash(char[] password)
    throws CannotPerformOperationException
{
    // Generate a random salt
    SecureRandom random = new SecureRandom();
    byte[] salt = new byte[SALT_BYTE_SIZE];
    random.nextBytes(salt);

    // Hash the password
    byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
    int hashSize = hash.length;

    // format: algorithm:iterations:hashSize:salt:hash
    String parts = "sha1:" +
        PBKDF2_ITERATIONS +
        ":" + hashSize +
        ":" +
        toBase64(salt) +
        ":" +
        toBase64(hash);
    return parts;
}

What I would Need is a function which stores a hashed password and the used salt from a database. How can I retrieve the used salt from here?

System.out.println(salt);

Always writes

[B@29453f44

In the console. Why is this the case? And what data type would I Need to store the salt in the mysql database? Or do I have the wrong Approach?

mffm
  • 366
  • 1
  • 3
  • 12
  • You're asking multiple questions here, which is never a good idea on SO. The output is due to http://stackoverflow.com/questions/30687160 – Jon Skeet Dec 13 '16 at 09:07
  • I don't quite understand your first questions. The salt is generated as a random salt for each new user. Which makes it pretty unique. You could also use something else as salt, like the `ID` for the user in the DB, but this is still unique. And then you concatenate it to `parts` with the `hash`, `hashSize` etc. Why do you need to retrieve it here? When you later want to authenticate a given password, since you know all the lengths and order of `parts` you can retrieve the `salt` part from `parts` and hash the given password to verify its authenticity – Aidin Dec 13 '16 at 09:14
  • You only store `parts` in your database as text `varchar` or `char`. You don't separate the salt and store it separately. – Aidin Dec 13 '16 at 10:04

1 Answers1

0

If I understand your questions correctly then:

In my understanding, the salt should be unique for every account.

byte[] salt = new byte[SALT_BYTE_SIZE];
random.nextBytes(salt);

Generates a random salt, which makes it unique. You could also use use the ID for the user from the database or something else unique, but a randomly generated salt is also unique, since afterall, for each new user a new salt is randomly generated.

This salt is then in your code concatenated together with the hash, the hashSize, the algorithm and the number of iterations into parts

 // format: algorithm:iterations:hashSize:salt:hash
String parts = "sha1:" +
    PBKDF2_ITERATIONS +
    ":" + hashSize +
    ":" +
    toBase64(salt) +
    ":" +
    toBase64(hash);
return parts;

Often you know the lengths (byte size) of the different parts in parts and can thus extract the part you need. In your case you have even added a : as a separator which makes it even simpler to extract the part you are interested in.

And what data type would I Need to store the salt in the mysql database?

Once you have gotten your parts, this is what you save in the database as text (varchar or char). You do not separate it and store salt separately. Just mash it all in together.

When a user then wants to sign in, they provide a password. Now you fetch parts for the user from the database, you extract the salt, number of iterations and so on from parts, since afterall, you know exactly how it is concatenated. Then you use that information to hash the inputted password from the user again. Now you compare the new hash, with the old hash. If they are the same, well, then the user gave the correct password, if not, he didn't.

Always writes [B@29453f44 In the console.

As @JonSkeet said, the answer is given in Converting String to Sha-256 Hash

Community
  • 1
  • 1
Aidin
  • 1,230
  • 2
  • 11
  • 16