24 Replies. Latest reply: Dec 27, 2008 6:58 AM by 843785

    Hashing

    801478
      How can we encrypt a string through hashing, and also how can we verify whether that encrypted value is correct or not?

      Assume that,

      String data = "happy christmas";

      byte[] data1 = data.getBytes();
      MessageDigest m = MessageDigest.getInstance("MD5");
      m.reset();
      m.update(data1);
      byte[] s = m.digest();
      String result = "";
      for (int i = 0; i < s.length; i++) {
          // mask the byte to 0..255, force the upper bytes to 0xff, then keep the last two hex digits
          result += Integer.toHexString((0x000000ff & s[i]) | 0xffffff00).substring(6);
      }
      System.out.println("Value : "+result);

      The above code will display the encrypted data of the "happy christmas" string.
      Here we cannot decrypt it, so how can we verify, with a given password, whether the encrypted value is correct or not?
        • 1. Re: Hashing
          3004
          Hashing is one way. You can't un-hash something.

          If you want to check if somebody entered the right password, for example, you hash what they entered and compare that to the hash of the original.
          • 2. Re: Hashing
            801478
            Thanks buddy.. I got it. But in DES, DESede, RSA we are using a key for both (encryption & decryption). Here, whatever we hash the second time is the same as the first hash value. So how can we find out which is the original data and which is the password data?
            • 3. Re: Hashing
              843785
              shashikumar wrote:
              But in DES, DESede, RSA we are using a key for both (encryption & decryption). Here, whatever we hash the second time is the same as the first hash value. So how can we find out which is the original data and which is the password data?
              You can't reverse the calculation that happens during hashing, that's pretty much the entire point of hashing.

              The only way you can get at the original data is to guess what it could be, hash that and check if you get the same hash. And that takes quite some time.
              • 4. Re: Hashing
                801478
                No buddy. I am asking about this: when you run the code below, it prints the same value for "Happy christmas" & only "christmas". How is it possible that both are different data but it gives the same hash value?

                try {
                    String data = "happy christmas";
                    System.out.println("Orginal data : "+data);
                    byte[] data1 = data.getBytes();
                    MessageDigest m = MessageDigest.getInstance("MD5");
                    m.reset();
                    m.update(data1);
                    byte[] s = m.digest();
                    String result = "";
                    for (int i = 0; i < s.length; i++) {
                        result += Integer.toHexString((0x000000ff & s[i]) | 0xffffff00).substring(6);
                    }
                    System.out.println("Value : "+result);

                    String data2 = "christmas";
                    System.out.println("Password data : "+data2);
                    byte[] data21 = data2.getBytes();
                    MessageDigest m1 = MessageDigest.getInstance("MD5");
                    m1.reset();
                    m1.update(data21);
                    byte[] s1 = m1.digest();
                    String result1 = "";
                    for (int i = 0; i < s1.length; i++) {
                        result1 += Integer.toHexString((0xff & s[i]) | 0xffffff00).substring(6);
                    }
                    System.out.println("Value : "+result1);

                    System.out.println("result : ");
                    if (result1.equals(result))
                        System.out.println("true");
                    else
                        System.out.println("false");
                } catch (NoSuchAlgorithmException e) {
                    e.printStackTrace();
                }

                Output:

                Orginal data : happy christmas
                Value : d18c4ca0363e0e7176f23cf637107583
                Password data : christmas
                Value : d18c4ca0363e0e7176f23cf637107583
                result :
                true

                Even if it is using the same hash function, it should give a different value, right?
                • 5. Re: Hashing
                  801478
                  Hashing function verification
                  • 6. Re: Hashing
                    843785
                    Hi, and happy Christmas [belated]!

                    I am just testing your code example - just some comments:

                    Please put all source code into code tags, like so:
                    foo = bar;
                    This makes it easier to read it. Thx.

                    Also, your code contains two classes, "MessageDigest" and "NoSuchAlgorithmException". My IDE proposed two import statements:
                    import java.security.MessageDigest;
                    import java.security.NoSuchAlgorithmException;
                    Are these correct? Or did you get those classes from elsewhere?
                    • 7. Re: Hashing
                      3004
                      shashikumar wrote:
                      No buddy. I am asking about this: when you run the code below, it prints the same value for "Happy christmas" & only "christmas". How is it possible that both are different data but it gives the same hash value?
                      Because hashing is a lossy function. Google pigeonhole principle.

                      Or better yet, think about it for 2 seconds. You're taking an arbitrarily long string and summarizing it in a fixed number of bits. If it's not obvious that different inputs will yield the same output, you might want to consider giving up programming.
                      • 8. Re: Hashing
                        843785
                        Hi again! This time no "Happy Christmas", but a "Merry New Year".

                        First of all, the puzzling identical results: In both sections you are using the same variable to retrieve the hash. In the section which hashes "happy christmas", your hash is retrieved using:
                        String result = "";
                        for (int i = 0; i < s.length; i ++ )
                        {
                            result += Integer.toHexString ((0x000000ff & s [i]) | 0xffffff00).substring (6);
                        }
                        And in the section hashing "christmas", your hash is retrieved using:
                        String result1 = "";
                        for (int i = 0; i < s1.length; i ++ )
                        {
                        result1 += Integer.toHexString ( (0xff & s [i]) | 0xffffff00).substring (6);
                        }
                        If you look closely then you can see that in both cases you are using the same variable "s" within the for loop. After changing "s" to "s1" in the second part, I get a different outcome:
                        Orginal data : happy christmas
                        Value : d18c4ca0363e0e7176f23cf637107583
                        Password data : christmas
                        Value : 3d4fe7a00bc6fb52a91685d038733d6f
                        result :
                        false
                        This, and the fact that both parts contain near identical code, denotes to me that you were in the midst of some hair-pulling-out debugging session using those desperate why-does-that-stupid-thing-not-work!!! cutting-and-pasting stints. I had those in the past, kindly accept my empathy. Practical advice - in those cases when you feel like throwing your computer out of the window, take a break, have some coffee. Breaks are great for your productivity :)
                        
                        Then, I should say that the code in the for loop is a tad complex. I looked up on thar ol' intarweb using my friend google with the search term "java.security.messagedigest" and struck gold with the third search result, [http://www.jguru.com/faq/view.jsp?EID=3822]. This led me to a simplification of your code:
                        result += Integer.toHexString (0xff & s [i]);
                        instead of
                        result += Integer.toHexString ((0x000000ff & s [i]) | 0xffffff00).substring (6);
                        With that I get the same result:
                        Orginal data : happy christmas
                        Value : d18c4ca0363ee7176f23cf637107583
                        Password data : christmas
                        Value : 3d4fe7a0bc6fb52a91685d038733d6f
                        result :
                        false
                        Concerning the hash result, I did an md5 hash of your two strings using a console session (bash on linux):
                        $ echo "christmas" | md5sum
                        604bd43544310d88b4408365f0cfc165 -
                        $ echo "happy christmas" | md5sum
                        e9883a6416794f15887db158991cfa8f -
                        Note that both hashes are different. And it's not the quotes either:
                        $ echo christmas | md5sum
                        604bd43544310d88b4408365f0cfc165 -
                        $ echo happy christmas | md5sum
                        e9883a6416794f15887db158991cfa8f -
                        Bit strange to me - I don't think that Sun's implementation of MD5 is faulty, neither the md5sum program, so I don't know.
                        
                        Edited by: Salaynius on Dec 27, 2008 12:08 PM
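Added example, not code from the thread: it hashes each string with its own MessageDigest and byte array, so the "same value" accident above cannot happen, and it zero-pads every byte when hex-encoding. The 31-character values printed by the simplified `Integer.toHexString(0xff & s[i])` loop above are that loop dropping the leading zero of bytes such as 0x0e, and the md5sum values differ from Java's because `echo` appends a newline before piping, so md5sum hashed "christmas\n"; the example reproduces both. The class name is my own choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HexDigestDemo {

    // Hex-encode a digest, zero-padding every byte to two characters.
    // Integer.toHexString(0xff & b) alone drops the leading zero of any byte
    // below 0x10, which is why the shortened loop printed 31-character MD5 values.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Hash one string on its own: a fresh MessageDigest and its own byte array,
    // so two inputs can never share a result by accident.
    static String md5Hex(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        // Name the charset explicitly; getBytes() with no argument uses the platform default.
        return toHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        for (String s : new String[] { "happy christmas", "christmas" }) {
            System.out.println("\"" + s + "\"   -> " + md5Hex(s));
            // echo adds a trailing newline, so `echo christmas | md5sum` hashes
            // "christmas\n"; this line reproduces that md5sum value.
            System.out.println("\"" + s + "\\n\" -> " + md5Hex(s + "\n"));
        }
        // The two hex encodings differ exactly on low bytes such as 0x0e.
        byte low = 0x0e;
        System.out.println("toHexString: " + Integer.toHexString(0xff & low)
                + "   %02x: " + String.format("%02x", 0xff & low));
    }
}
```

Compile and run with `javac HexDigestDemo.java && java HexDigestDemo`; the `md5Hex(s + "\n")` lines should match the md5sum output quoted above.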
                        • 9. Re: Hashing
                          3004
                          Salaynius wrote:
                          Hi again! This time no "Happy Christmas", but a "Merry New Year".
                          So, um, what point are you trying to make?

                          The simple fact is that billions, trillions, untold bozillions of strings will produce the same hash, regardless of whether it's MD5, or SHA1 or some radical new hash that you invent yourself.

                          I just want to make sure--because you're kind of leaving me wondering so far--you do realize that it is IMPOSSIBLE for each string to have a unique hash, right?

                          EDIT: P.S., you also know that for any two arbitrary strings you pick, there is a very, very high probability that their respective hashes will be completely different, right?

                          Edited by: jverd on Dec 27, 2008 4:15 AM
                          • 10. Re: Hashing
                            843785
                            Another point: From the other posts in this thread I seem to get the impression that there's some confusion about what a hash is supposed to do. A hash is a one-way function which creates a checksum of fixed length from any given input. One-way means that you can get the hash value from the given input, but you cannot reconstruct the input from a given hash value. The term "encryption" is incorrect here, because with encryption you can get the original input from a given encrypted text. However, you seem to use the hash in the correct way - test whether a user gave a correct password by comparing the hash of what the user submitted with the hash of the real password.

                            Please note that this scheme is insecure. Suppose you store hashes of passwords in a file:
                            sally, 604bd43544310d88b4408365f0cfc165
                            john, e9883a6416794f15887db158991cfa8f
                            fred, 604bd43544310d88b4408365f0cfc165
                            Oops! Sally and Fred have the same hash, that's too bad! Arthur, the mega hacker from the 0xHax0r_empire just got hold of the password file and finds some identical hashes to his joy (it's Christmas, so why not make him happy). So he mounts a dictionary attack and finds after some milliseconds ([http://mobile.slashdot.org/firehose.pl?id=1294559&op=view]) that "604bd43544310d88b4408365f0cfc165" corresponds to "christmas". He's overjoyed, because he now knows Sally's and Fred's password!

                            So what can we do to make Arthur less happy? Let's use some salt:
                            user: sally
                            password: christmas
                            salt: q9fwty
                            password+salt: q9fwtychristmas
                            md5 hash: 0959e80bb4a6948cc80c3ef034598e93
                            
                            user: john
                            password: happy christmas
                            salt: e7atrd
                            password+salt: e7atrdhappy christmas
                            md5 hash: bffaff4ea9620aeba195dec6b236f519
                            
                            user: fred
                            password: christmas
                            salt: gt52lk
                            password+salt: q9fwtychristmas
                            md5 hash: 2cd9e82de5a58decf7b6d7be016de618
                            Even though both, Sally and Fred, have the same password (shame on them) they still have different hashes. The password file would look somewhat like this:
                            sally, q9fwty, 0959e80bb4a6948cc80c3ef034598e93
                            john, e7atrd, bffaff4ea9620aeba195dec6b236f519
                            fred, gt52lk, 2cd9e82de5a58decf7b6d7be016de618
                            So, it's not so much of a happy Christmas for Arthur, after all. Sorry, Arthur, have a virtual lollipop.

                            For more on salt, I found an article which explains it pretty well.
                            You may also find this wikipedia article (on challenge response) helpful.

                            I hope this helps! Happy programming!
                            • 11. Re: Hashing
                              801478
                              Hi Salaynius, you got the exact thing... thanks for your reply... can you explain one more thing to me? How can I verify on the receiver side whether the received data (salt+password) is the correct one or not? It may be the server side also.
                              • 12. Re: Hashing
                                843785
                                jverd wrote:
                                Salaynius wrote:
                                Hi again! This time no "Happy Christmas", but a "Merry New Year".
                                So, um, what point are you trying to make?
                                Sorry, just my quirky sense of humor. Didn't really want to make any point here.

                                The simple fact is that billions, trillions, untold bozillions of strings will produce the same hash, regardless of whether it's MD5, or SHA1 or some radical new hash that you invent yourself.
                                I just want to make sure--because you're kind of leaving me wondering so far--you do realize that it is IMPOSSIBLE for each string to have a unique hash, right?
                                EDIT: P.S., you also know that for any two arbitrary string you pick, there is a very, very high probability that their respective hashes will be completely different, right?
                                Thanks for raising this. You are hinting at what's called 'hash collision', i.e. two different inputs yielding the same hash. Some hash functions have been compromised already, with MD5 being [one of them|http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/]. So, I'd avoid using MD5 and switch to sha512 instead. So, yes you are right, it's impossible to find a hash which yields a unique value for every possible input. But, as you said, it's very unlikely that two inputs yield the same hash.
                                • 13. Re: Hashing
                                  843785
                                  shashikumar wrote:
                                  Hi Salaynius, you got the exact thing... thanks for your reply... can you explain one more thing to me? How can I verify on the receiver side whether the received data (salt+password) is the correct one or not? It may be the server side also.
                                  My pleasure! For the authentication scheme using salt and hash, read the aforementioned article, especially [part four|http://www.developerfusion.com/article/4679/you-want-salt-with-that/4/]. The author explains it in better words than I can.
                                  • 14. Re: Hashing
                                    801478
                                    Hi buddy, leave that one. That's my mistake; I used the same variable name in two places. But now I want to verify on the receiver side or the server side whether the received data is correct or not. In hashing we can't decrypt, I know that. So how can I check whether that data is correct or not on the receiver side?
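Added example, not code from the thread or the linked article: the salt-and-hash scheme from reply 10 with the receiver-side check asked for in replies 11 and 14. The server stores only salt and digest(salt + password); to verify, it recomputes the digest from the stored salt and the submitted password and compares the two digests, so nothing ever needs decrypting. It uses SHA-512 as suggested in reply 12 instead of MD5, a 16-byte random salt from SecureRandom, and a hypothetical `Record` type and class name of my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class SaltedPasswordStore {

    // What the server keeps per user: the salt and the digest of salt + password.
    // The password itself is never stored (hypothetical record type for this example).
    static final class Record {
        final byte[] salt;
        final byte[] digest;
        Record(byte[] salt, byte[] digest) { this.salt = salt; this.digest = digest; }
    }

    private final Map<String, Record> records = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    // digest(salt || password), salt first as in the thread's "q9fwtychristmas" layout.
    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    // Registration: a fresh random salt per user, so equal passwords get different digests.
    void register(String user, String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        records.put(user, new Record(salt, digest(salt, password)));
    }

    // Receiver-side check: recompute with the stored salt and compare digests.
    // Nothing is decrypted; equality of the two digests is the whole proof.
    boolean verify(String user, String password) throws NoSuchAlgorithmException {
        Record r = records.get(user);
        if (r == null) {
            return false;
        }
        // MessageDigest.isEqual runs in constant time, so the comparison does not
        // leak how many leading bytes matched the way String.equals could.
        return MessageDigest.isEqual(r.digest, digest(r.salt, password));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SaltedPasswordStore store = new SaltedPasswordStore();
        store.register("sally", "christmas");
        store.register("fred", "christmas");   // same password as sally, different salt
        for (String user : new String[] { "sally", "fred" }) {
            Record r = store.records.get(user);
            System.out.println(user + ", " + toHex(r.salt) + ", " + toHex(r.digest));
        }
        System.out.println("sally / christmas : " + store.verify("sally", "christmas"));
        System.out.println("sally / Christmas : " + store.verify("sally", "Christmas"));
        System.out.println("nobody / christmas: " + store.verify("nobody", "christmas"));
    }
}
```

A single salted SHA-512 is still fast to guess against one user at a time; for real password storage keep the same salt-and-compare structure but replace `digest` with a deliberately slow function such as PBKDF2 (`SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` in the JDK).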