stackoom
  简体   繁体   中英

java hash from “PBKDF2WithHmacSHA512” is differs from python CRYPT(digest_alg='pbkdf2(1000,20,sha512)', salt=True)(password)[0])

 原文  2017-04-21 11:45:06       java/ python/ sha512/ pbkdf2

Question

I have a database with passwords that are hashed using the following python code: 

result = str(CRYPT(digest_alg='pbkdf2(1000,20,sha512)', salt=True)(password)[0])

(details can be found here )

for password='123' it generates 

pbkdf2(1000,20,sha512)$b3c56f341284f4be$54297564f7a3be8c6e9c10b27821f8105e0a8120

I need to validate password using java. I use the following code: 

    validatePassword("123", "pbkdf2(1000,20,sha512)$b3c56f341284f4be$54297564f7a3be8c6e9c10b27821f8105e0a8120");



    private static boolean validatePassword(String originalPassword, String storedPassword) throws NoSuchAlgorithmException, InvalidKeySpecException
    {
        String[] parts = storedPassword.split("\\$");
        byte[] salt = fromHex(parts[1]);
        byte[] hash = fromHex(parts[2]);

        PBEKeySpec spec = new PBEKeySpec(originalPassword.toCharArray(), salt, 1000, hash.length * 8);
        SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        byte[] testHash = skf.generateSecret(spec).getEncoded();

        System.out.println(toHex(testHash));
        System.out.println(toHex(hash));

        return true;
    }


    private static byte[] fromHex(String hex) throws NoSuchAlgorithmException
    {
        byte[] bytes = new byte[hex.length() / 2];
        for(int i = 0; i<bytes.length ;i++)
        {
            bytes[i] = (byte)Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return bytes;
    }

    private static String toHex(byte[] array)
    {
        StringBuilder sb = new StringBuilder();
        for(int i=0; i< array.length ;i++)
        {
            sb.append(Integer.toString((array[i] & 0xff) + 0x100, 16).substring(1));
        }
        return sb.toString();
    }

but result is the following: 

80385948513c8d1826a3a5b8abc303870d41d794
54297564f7a3be8c6e9c10b27821f8105e0a8120

Please help what I am doing wrong?

1 answers

solution1
 3 ACCPTED  2017-07-30 20:05:00

There is kind of a "bug" in the code around web2py.

The hash LOOKS like a hex string, but it is sent to the hashlib.pbkdf2_hmac (a proxy to openssl's method) as just the character representation of the hex string. Meaning you should not use 

byte[] salt = fromHex(parts[1]);

but 

byte[] salt = parts[1].getBytes("utf-8");

In addition, you need to pass the KEYLENGTH instead of the salt length into PBEKeySpec's contructor.

The corrected part should read: 

byte[] salt = parts[1].getBytes("utf-8");
byte[] hash = fromHex(parts[2]);
PBEKeySpec spec = new PBEKeySpec(originalPassword.toCharArray(), salt, 1000, 20*8);

Replace that and the code works. It took a while to find this out ;)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PBKDF2WithHmacSHA512 Vs. PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA512 SecretKeyFactory not available PBKDF2WithHmacSHA512 throwing NoSuchAlgorithmException PBKDF2WithHmacSHA512 Java equivalent in PHP for AES encryption SecretKeyFactory.getInstance(“PBKDF2WithHmacSHA512”) throws NoSuchAlgorithmException password protection using PBKDF2WithHmacSHA512 is taking lot of processing time on production setup(AWS) PBKDF2 - What happens when generating 1024 bits key length with SHA512? crypt(3) $6$ password hash algorithm (based on SHA-512) in Java? Java/Node PBKDF2 hash of the user password using the salt and the iteration count - Node Equivalent How to generate sha512 hash with a salt using command line?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM