
I have a function:

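```java
import java.security.MessageDigest;
import java.util.Base64;

// SHA-1 over the UTF-8 bytes of the password, then Base64 of the raw 20-byte digest.
public static String hashPassword(String pass) throws Exception {
    MessageDigest md = MessageDigest.getInstance("SHA1");
    return Base64.getEncoder().encodeToString(md.digest(pass.getBytes("UTF-8")));
}
```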

I know the password is malazan2 and the stored value is oxloQ7JK1hmHw9FF8tai1n5TolY=. I've tried converting from base64 but it doesn't reveal the sha1 hash.

Any ideas on how to properly decode would be much appreciated.

Chance212
  • *it's just junk.* - no, when you decode the base64 string, you get binary data, the binary value of the hash. Binary data is not meant to be printed and therefore looks like gibberish when you try to display it. What did you expect to find? A hash can't be decoded, decrypted, "dehashed" or anything else. And even if it would be decryptable, with simple base64 decoding you would still get binary data that then would have to be decrypted before you get clear text. But again, a hash is just a one-way function. – jps Jan 04 '22 at 20:54
  • https://www.techsolvency.com/passwords/dehashing-reversing-decrypting/ – jps Jan 04 '22 at 20:55
  • The sole purpose of a hash function is that it is a one-way function that is not reversible. And yes, converting the base64 encoded result of a hash function to its byte representation is not human readable. It's not necessarily junk, but it's not meant to be printed. – derpirscher Jan 04 '22 at 20:58
  • Thanks for the responses. I'm aware of the above, I'm trying to figure out how the code above produces the value given and how to reverse engineer it. I can't figure out how it goes from the cleartext to the stored value. – Chance212 Jan 04 '22 at 21:12
  • @Chance212 sorry, but that's not what I read in your question. What was the expected result when you got "junk" instead? Do you want to know how the hash is calculated, i.e. the algorithm? – jps Jan 04 '22 at 21:21
  • "how does it go from cleartext to the stored value"? First execute https://en.wikipedia.org/wiki/SHA-1 and on the result of that execute https://en.wikipedia.org/wiki/Base64. There is no need for "reverse engineering", both algorithms are well defined. – derpirscher Jan 04 '22 at 21:55
  • @jps no problem, it might be how I articulated the question. When I follow the steps in the code to encode malazan2 as B64 and pass through SHA1 as in the code snippet, I get a different result to the actual stored value and vice versa. Whilst you can't "decrypt" the hash, I should be able to end up with the same stored value. Am I following the code right, e.g. malazan2 > b64 > sha1? It's more of a sanity check really, I can't see anything else in the app that would be affecting the stored password. – Chance212 Jan 06 '22 at 12:09
  • @derpirscher Thanks, the value is different to the one specified in my question. Can you reopen the question as this isn't solved. – Chance212 Jan 11 '22 at 22:06
  • Base64 encoding was applied *after* SHA-1 to produce that string. – jasonharper Jan 11 '22 at 22:49
  • @jasonharper thanks, either way decoding it from base64 doesn't reveal the sha1 – Chance212 Jan 11 '22 at 23:55
  • You're doing something wrong, then. SHA-1 of "malazan2" is 20 bytes of data that starts A3 19 68 43 (viewed in hexadecimal); Base64 decode of the given string is those exact 20 bytes. – jasonharper Jan 12 '22 at 00:17
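
The comparison described in the last comments, as an added example that is not part of the original thread: it Base64-decodes the stored value to the raw digest bytes, prints them in hexadecimal next to SHA-1 of the candidate password, and also computes the reversed order (Base64 first, then SHA-1) that the asker describes trying. The class and method names are hypothetical; the stored value and password are the ones quoted in the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class StoredHashCheck {  // hypothetical class name
    // Raw SHA-1 digest (20 bytes), i.e. what hashPassword() has before Base64 encoding.
    static byte[] sha1(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    // Hexadecimal view of binary data, so the digest can be read and compared by eye.
    static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Base64-decode the stored value; reject anything that is not a 20-byte digest.
    // Base64.Decoder.decode throws IllegalArgumentException on malformed input.
    static byte[] decodeStored(String stored) {
        byte[] raw = Base64.getDecoder().decode(stored);
        if (raw.length != 20) {
            throw new IllegalArgumentException("not a SHA-1 digest: " + raw.length + " bytes");
        }
        return raw;
    }

    // Same order as hashPassword(): SHA-1 of the UTF-8 bytes, compared against the decoded
    // stored digest. MessageDigest.isEqual avoids an early-exit byte comparison.
    static boolean matches(String candidate, String stored) throws NoSuchAlgorithmException {
        byte[] expected = decodeStored(stored);
        byte[] actual = sha1(candidate.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        String stored = "oxloQ7JK1hmHw9FF8tai1n5TolY=";  // stored value from the question
        String candidate = "malazan2";                   // password from the question
        byte[] utf8 = candidate.getBytes(StandardCharsets.UTF_8);

        System.out.println("Base64-decoded stored value: " + hex(decodeStored(stored)));
        System.out.println("SHA-1(password):             " + hex(sha1(utf8)));
        System.out.println("match:                       " + matches(candidate, stored));

        // Reversed order (Base64 first, then SHA-1): not what hashPassword() does.
        byte[] base64First = Base64.getEncoder().encode(utf8);
        System.out.println("SHA-1(Base64(password)):     " + hex(sha1(base64First)));
    }
}
```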

0 Answers