
Salting and hashing passwords, Java and PHP compatibility

I'm trying to make a game that will tie into website content, and users' accounts will be shared across the site and multiple versions of the client.

The problem is that the password needs to be salt-hashed in PHP, and I need to be able to verify through Java, and I can't find any information on secure cryptos (like PBKDF2) and ensuring that the generation is identical between PHP and Java.

I've seen some info on using PBKDF2 on PHP, OR Hmac with SHA-1, but not combining them as is suggested in the name of Java's "PBKDF2WithHmacSHA1". I have a handle now on the individual hashing for PHP or Java.

How do I set up the methods to be able to generate a salt and hash on PHP, store it in MySQL and be able to verify passwords through Java's hashing functions?

Would prefer to stick with PBKDF2, if at all possible (unless someone can suggest an equivalent that would work better for cross-compatibility).

PS Not particularly sure whether this deserved to be here or on Crypto SE. I figured, since I was asking about specific languages, I'd try here first.

So, it turns out it wasn't as complicated as I was thinking it was. I found this question that said that PHP's equivalent to Java's PBKDF2WithHmacSHA1 was the hash_pbkdf2 function with the sha1 algorithm. From there it was just a matter of transferring the salt and hash from the PHP to the Java. Here's how it ended up:

1) PHP: For this one, I just copied the guy's pbkdf2 function and generated the salt and hash like he did.

2) Java: All that needed to happen was a bit of a change in the bytecode conversion, and it worked just fine.

After that, all I needed to do was modify the Java code to fit into my server/client setup (including secondary session hashing), and work out a few more bugs surrounding more salt and hash encoding and decoding through network transmission, and it works perfectly now.

A slightly more detailed answer is available on that other question.
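The answer above comes down to one fact: PBKDF2-HMAC-SHA1 is a single well-defined function, so PHP's hash_pbkdf2('sha1', ...) and Java's SecretKeyFactory "PBKDF2WithHmacSHA1" yield identical bytes for identical password, salt, iteration count and output length, and every interop failure is in how those inputs and outputs are encoded. The following added example (not from the original post or either answer) fixes an explicit storage record for the MySQL column, verifies against it with a constant-time compare, and checks the implementation against the RFC 6070 known-answer vector, which is the same check you can run on the PHP and Java sides to find which one mis-encodes. The record format, iteration count and salt length are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the original post): both sides must read the
# iteration count and salt from the stored record rather than hard-code them.
ITERATIONS = 100_000
DK_LEN = 20       # bytes; SHA-1 output size, the default in both PHP and Java
SALT_LEN = 16


def derive(password: str, salt: bytes, iterations: int, dk_len: int = DK_LEN) -> bytes:
    # Password is fed in as UTF-8 bytes. Java's PBEKeySpec takes a char[] and
    # the SunJCE PBKDF2WithHmacSHA1 implementation encodes it as UTF-8 as well,
    # so a non-ASCII password still derives the same key on both sides.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dk_len)


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Build the string stored in MySQL: 'pbkdf2-sha1$<iterations>$<salt hex>$<dk hex>'.

    Hex keeps the salt and key unambiguous across languages; PHP's hash_pbkdf2
    returns hex by default, so the Java side must hex-decode, not treat it as raw.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)   # CSPRNG salt, one per user
    dk = derive(password, salt, iterations)
    return f"pbkdf2-sha1${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive from the stored parameters and compare in constant time."""
    try:
        scheme, iterations_str, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2-sha1":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False   # malformed record: fail closed
    candidate = derive(password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def rfc6070_check() -> bool:
    # Known-answer test from RFC 6070: P="password", S="salt", c=4096, dkLen=20.
    # Feed the same inputs to hash_pbkdf2 and to PBKDF2WithHmacSHA1; whichever
    # side disagrees has a byte-handling bug (hex vs raw, charset), not a KDF bug.
    expected = "4b007901b765489abead49d926f721d065a429c1"
    return derive("password", b"salt", 4096).hex() == expected
```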

Try to consider using a pre-built user and password management like JBoss Keycloak. It is based on standards like OAuth2 and OpenID Connect, and things like password reset, user registration and social login come for free. It includes connectors for Java and JavaScript. Apparently connectors for PHP are available as well.
