
Let's say I have an encrypted SHA1 password like this:

String pass = "f6ce584e7b4ff5253eed4a2ea2b44247";

and I want to make a condition like this:

    if (pass.equals("userinput")) {
        System.out.println("success");
    }

Please, can someone help me make a proper condition / function to compare those two values, the user input and the encrypted password? Your help will be highly appreciated. Thanks.

  • First learn how to get the SHA1 hash of `"userinput"` (the `javax.crypto` package can help with that), convert the results to a hex string and compare. – Kayaman Dec 15 '16 at 11:01
  • In fact, it's best that you don't pass the user password in plain text at all. If this is on a web site, you should do the sha1 hashing using Javascript and send it already hashed. Then comparison is very easy. – RealSkeptic Dec 15 '16 at 11:08
  • @RealSkeptic So a MIM can just grab the hash instead of the password? That's exactly as secure as sending the plaintext password. – Durandal Dec 15 '16 at 19:02
  • @Durandal Not exactly. Consider social engineering. If you know the plaintext password, it is likely the same on other services the same user uses, which may use a different hash algorithm. But of course, in a real life situation, you salt the password with a challenge. In fact, you salt it twice - for storage and for each login. – RealSkeptic Dec 16 '16 at 20:20

2 Answers


SHA1 is a hash algorithm, which means that it is one-way: you can't get the original message back after hashing it. This is unlike encryption, which is two-way (it allows both encryption and decryption).

This means that if you want to compare against a hash, you don't try to recover the original message. Instead, you hash the message-to-be-compared as well, then you perform the match.

So if the hashed pw is stored as:

String pass = "f6ce584e7b4ff5253eed4a2ea2b44247";

To match the subsequent input of the password, you do:

//check if hashed userInput is also "f6ce584e7b4ff5253eed4a2ea2b44247"
if(pass.equals(sha1(userInput))){          
    //do whatever
}

To implement a sha1() hash function, refer to: Java String to SHA1

user3437460

To get your hashcode:

public static byte[] sha1(byte[] data)
Calculates the SHA-1 digest and returns the value as a byte[].
Parameters:
data - Data to digest
Returns:
SHA-1 digest

Found these at https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/digest/DigestUtils.html#sha1Hex(java.lang.String)

This helps your process.

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SHA1_test {

    // Computes HMAC-SHA1 of s under keyString (a keyed MAC, not a bare SHA-1 digest)
    // and returns it Base64-encoded. java.util.Base64 (Java 8+) replaces the
    // commons-codec encoder so the class compiles with the JDK alone; the unused
    // BouncyCastle import has been dropped.
    public static String sha1(String s, String keyString)
            throws NoSuchAlgorithmException, InvalidKeyException {

        SecretKeySpec key = new SecretKeySpec(keyString.getBytes(StandardCharsets.UTF_8),
                "HmacSHA1");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(key);

        byte[] bytes = mac.doFinal(s.getBytes(StandardCharsets.UTF_8));

        return Base64.getEncoder().encodeToString(bytes);

    }

    public static void main(String[] args) throws InvalidKeyException,
            NoSuchAlgorithmException {
        // Reference value: the MAC of the real password "admin" under the key "123456"
        String code = sha1("admin", "123456");
        String your_user_inputString = "testpassword";

        // The user's input must be MACed under the same key, or nothing will ever match
        if (code.equals(sha1(your_user_inputString, "123456"))) {
            System.out.println("Correct");
        } else {
            System.out.println("Bad password");
        }

    }

}

This works!!!

KishanCS
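An added example, not code from the question or from either answer, that covers both answers at once: the first answer's `sha1(userInput)` as a plain SHA-1 hex digest via `java.security.MessageDigest`, and the second answer's keyed HMAC-SHA1 via `javax.crypto.Mac`, with the comparison done on the raw digest bytes through `MessageDigest.isEqual` instead of `String.equals`. The class name, the helper names, the sample password and the HMAC key are assumptions made for this example. It also adds one check that follows from the algorithm itself: a SHA-1 digest is 20 bytes, i.e. 40 hex characters, so the 32-character value in the question cannot be a SHA-1 digest and `matches` rejects it on length alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Example class; names and sample values are assumptions, not from the thread.
public class HashCompareExample {

    // Lower-case hex encoding, two characters per byte.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Decode a hex string; rejects odd length and non-hex characters.
    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // Plain SHA-1 of the UTF-8 bytes of s: 20 raw bytes (first answer's sha1()).
    static byte[] sha1(String s) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    static String sha1Hex(String s) throws GeneralSecurityException {
        return toHex(sha1(s));
    }

    // HMAC-SHA1 of s under key: also 20 bytes, but keyed (second answer's variant).
    static byte[] hmacSha1(String s, String key) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return mac.doFinal(s.getBytes(StandardCharsets.UTF_8));
    }

    // Compare a stored hex digest with a freshly computed digest of the user's input.
    // Malformed hex or a length that cannot be a SHA-1 output is a plain "no match".
    // MessageDigest.isEqual compares every byte instead of stopping at the first
    // mismatch, which String.equals does not guarantee.
    static boolean matches(String storedHex, byte[] computed) {
        byte[] stored;
        try {
            stored = fromHex(storedHex);
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (stored.length != computed.length) {
            return false; // 32 hex chars is 16 bytes, never a SHA-1 digest
        }
        return MessageDigest.isEqual(stored, computed);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = sha1Hex("hunter2"); // constructed sample; normally read from storage
        System.out.println("stored SHA-1 hex: " + stored + " (" + stored.length() + " chars)");
        System.out.println("right password:   " + matches(stored, sha1("hunter2")));
        System.out.println("wrong password:   " + matches(stored, sha1("hunter3")));
        System.out.println("32-char value:    "
                + matches("f6ce584e7b4ff5253eed4a2ea2b44247", sha1("hunter2")));

        String key = "server-side-secret"; // assumed key for the HMAC variant
        String storedMac = toHex(hmacSha1("hunter2", key));
        System.out.println("hmac, same key:   " + matches(storedMac, hmacSha1("hunter2", key)));
        System.out.println("hmac, other key:  " + matches(storedMac, hmacSha1("hunter2", "other")));
    }
}
```

Comparing on the decoded bytes rather than on hex strings also makes the check independent of upper- versus lower-case hex in the stored value. Both variants answer only the question as asked: as the comment thread touches on, a single unsalted digest (or a fixed-key MAC) is a weak way to store passwords, and a per-user salt with a deliberately slow hash is the usual practice.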