
Hey everyone, I am trying to find out which hash algorithm is used by my Symfony FOSUserBundle. I've done some research, and it's mentioned that the FOSUserBundle default security config uses sha512, iterates it over 5000 times plus a salt, then base64-encodes it. I'm actually new to these hash algorithms; however, this is the algorithm in PHP:

<?php
// sha512 over password{salt}, iterated 5000 times, then base64 (Symfony's MessageDigestPasswordEncoder)
$password = 'toto';
$salt = '1234';
$salted = $password.'{'.$salt.'}';
$digest = hash('sha512', $salted, true);   // round 1, raw binary output

for ($i = 1; $i < 5000; $i++) {            // 4999 further rounds over digest . password{salt}
    $digest = hash('sha512', $digest.$salted, true);
}

$encodedPassword = base64_encode($digest);
echo $encodedPassword;

Taken from this post: How do I generate a SALT in Java for Salted-Hash?

Since I am not familiar with Java hash libraries, can anyone help me translate this code into Java?

2 Answers


The solution is to use a Java API that encodes the password like the MessageDigestPasswordEncoder:

  1. Generate a salt (length=43):

    import java.security.SecureRandom;
    import com.google.common.io.BaseEncoding;

    // 32 random bytes -> 44 base64 characters, 43 once the trailing '=' is dropped (SALT_SIZE assumed)
    private static final int SALT_SIZE = 32;

    private static String generateSalt() {
        SecureRandom random = new SecureRandom();
        byte[] salt = new byte[SALT_SIZE];
        random.nextBytes(salt);
        // base64-encode, swap '+' for '.', then drop the trailing '=' padding
        String saltBase64_encoded = BaseEncoding.base64().encode(salt);
        String saltPlusDot = saltBase64_encoded.replace("+", ".");
        return saltPlusDot.substring(0, saltPlusDot.length() - 1);
    }

BaseEncoding.base64() is a class in the commons-codec API.

  2. Concatenate: password + { + salt + }:

    private static String mergePasswordAndSalt(String pass, String salt) {
        // with no salt the bare password is hashed, as in Symfony's BasePasswordEncoder
        if (salt == null || salt.isEmpty()) {
            return pass;
        }
        String cg = "{";
        String cd = "}";
        return pass + cg + salt + cd;
    }

  3. For each additional iteration, hash the concatenation of the previous digest + salt:

    import java.io.UnsupportedEncodingException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import com.google.common.primitives.Bytes;

    private static final String ALGORITHM = "SHA-512"; // JCA name for PHP's hash('sha512', ...)
    private static final int ITERATIONS = 5000;        // Symfony MessageDigestPasswordEncoder default

    private static byte[] encodePassword(String password, String salt)
            throws NoSuchAlgorithmException, UnsupportedEncodingException {
        String mergedPasswordAndSalt = mergePasswordAndSalt(password, salt);
        byte[] salted = mergedPasswordAndSalt.getBytes("UTF-8");
        MessageDigest digester = MessageDigest.getInstance(ALGORITHM);

        // round 1: sha512(password{salt})
        byte[] hash = digester.digest(salted);

        // rounds 2..5000: sha512(previous digest . password{salt})
        for (int i = 1; i < ITERATIONS; ++i) {
            hash = digester.digest(Bytes.concat(hash, salted));
        }
        return hash;
    }

Bytes.concat(byte[]...) is a method in the Guava 19.0 API.

This is the API on GitHub: FOSJcrypt

Zain Elabidine
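As an added illustration (not code from the answer above, from FOSUserBundle or from Symfony), here is one self-contained Java class that reproduces the full scheme from the question end to end: sha512 over password{salt}, 5000 rounds, base64 output, plus a constant-time check against the stored value. The class and method names are this example's own. The 4096-byte password limit and the rule that an empty salt means the bare password is hashed are taken from Symfony's BasePasswordEncoder; the format produced by generateSalt is an assumption (Symfony accepts any salt that contains no braces, and for existing users the salt is read from the user row, not generated).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Java port of the "sha512" encoder FOSUserBundle configures
 * (Symfony MessageDigestPasswordEncoder: sha512, 5000 iterations, base64).
 * Names below are this example's own, not Symfony's.
 */
public final class SymfonySha512PasswordEncoder {

    private static final String ALGORITHM = "SHA-512";   // JCA name for PHP's hash('sha512', ...)
    private static final int ITERATIONS = 5000;          // Symfony default
    private static final int MAX_PASSWORD_BYTES = 4096;  // Symfony refuses longer passwords

    /** password + "{" + salt + "}", or the bare password when there is no salt (Symfony's rule). */
    static String mergePasswordAndSalt(String password, String salt) {
        if (salt == null || salt.isEmpty()) {
            return password;
        }
        if (salt.indexOf('{') >= 0 || salt.indexOf('}') >= 0) {
            throw new IllegalArgumentException("Cannot use { or } in salt.");
        }
        return password + "{" + salt + "}";
    }

    /** Produces the same string PHP stores: base64(sha512 iterated 5000 times). */
    static String encodePassword(String rawPassword, String salt) {
        if (rawPassword.getBytes(StandardCharsets.UTF_8).length > MAX_PASSWORD_BYTES) {
            throw new IllegalArgumentException("Invalid password.");
        }
        byte[] salted = mergePasswordAndSalt(rawPassword, salt).getBytes(StandardCharsets.UTF_8);
        MessageDigest md;
        try {
            md = MessageDigest.getInstance(ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-512 is mandatory in every JRE", e);
        }
        byte[] digest = md.digest(salted);                // round 1: sha512(password{salt})
        for (int i = 1; i < ITERATIONS; i++) {            // rounds 2..5000: sha512(digest . password{salt})
            md.update(digest);
            md.update(salted);
            digest = md.digest();                         // digest() also resets md for the next round
        }
        return Base64.getEncoder().encodeToString(digest); // 64 bytes -> 88 chars, like PHP base64_encode
    }

    /** Constant-time comparison against the value stored in the user table. */
    static boolean isPasswordValid(String storedEncoded, String rawPassword, String salt) {
        if (rawPassword.getBytes(StandardCharsets.UTF_8).length > MAX_PASSWORD_BYTES) {
            return false;
        }
        byte[] expected = storedEncoded.getBytes(StandardCharsets.UTF_8);
        byte[] actual = encodePassword(rawPassword, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    /** Salt for a new user. Format is an assumption; any string without braces is accepted. */
    static String generateSalt() {
        byte[] bytes = new byte[32];
        new SecureRandom().nextBytes(bytes);
        return Base64.getEncoder().withoutPadding().encodeToString(bytes).replace('+', '.');
    }

    public static void main(String[] args) {
        // constructed demo values from the question, not a hash taken from a real database
        String salt = "1234";
        String stored = encodePassword("toto", salt);
        System.out.println(stored);                                 // compare with the PHP script's output
        System.out.println(isPasswordValid(stored, "toto", salt));
        System.out.println(isPasswordValid(stored, "Toto", salt));
        System.out.println(generateSalt());
    }
}
```

Running the PHP script from the question and this class on the same password and salt must print the same 88-character string; if they differ, the first things to check are the character encoding of the input (both sides must see UTF-8 bytes) and whether the PHP side is really using the default of 5000 iterations with base64 enabled. The comparison goes through MessageDigest.isEqual rather than String.equals so that a mismatch is not reported faster than a match.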

Symfony's default setting for password encryption is bcrypt; this code is mentioned in your security.yml config file:

encoders:
    Symfony\Component\Security\Core\User\User:
        algorithm: bcrypt
        cost:      15

In my case I used a trick: since all my passwords start with 13, I am assuming that the salt equals 13, so I tried translating it into Java by using the Java BCrypt library:

import org.mindrot.jbcrypt.BCrypt; // assuming the jBCrypt library, which provides BCrypt.checkpw

public boolean checkPassword(String passwordText, String DbHash) {
    boolean password_verified = false;
    // jBCrypt only understands the "$2a$" identifier, so anything else is refused up front
    if (null == DbHash || !DbHash.startsWith("$2a$")) {
        throw new java.lang.IllegalArgumentException("Invalid hash provided for comparison");
    }
    // checkpw re-hashes passwordText with the cost and salt embedded in DbHash and compares
    password_verified = BCrypt.checkpw(passwordText, DbHash);
    return (password_verified);
}

passwordText is your actual password, DbHash is the stored hash.

This code checks a password against a hash to see whether the password matches or not.

There's a trick: Symfony hashed passwords start with $2y$, so to make this work you need to change $2y$ to $2a$.

For example, I have a password with a hash value that is stored in my database:

String passwordText = "admin"; 
String DbHash  = "$2y$13$VVmaKXzaS2QWgU1S4I8h5eJgC/DduF2fXmnhvcynro004GCUAQfr2";

change this:

String DbHash  = "$2y$13$VVmaKXzaS2QWgU1S4I8h5eJgC/DduF2fXmnhvcynro004GCUAQfr2"; 

to this:

String DbHash  = "$2a$13$VVmaKXzaS2QWgU1S4I8h5eJgC/DduF2fXmnhvcynro004GCUAQfr2";  
Kamel Mili