Solved

Digest

Posted on 2004-04-26
25
501 Views
Last Modified: 2010-03-31
Hello, I have a question please.

Is the digest method from the standard java (1.4 and later) is JVM dependent ???

What I mean. I use the digest to keep my passwords at the db somehow.
Is this going to be compatible to other JVM's ? For example if I change a cluster. The records will be the same but the JVM different.

Any ideas about how the method is being implemented ???
Thank you in advance.
0
Comment
Question by:pouli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 9
  • 7
25 Comments
 
LVL 86

Expert Comment

by:CEHJ
ID: 10920349
>>Is this going to be compatible to other JVM's ?

In short yes. A digest generated in 1.5 will be the same as one generated in 1.4
0
 

Author Comment

by:pouli
ID: 10920497
No matter the JVM's ???


What have you say about the 1.3?
Is it going to work ??
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 10920525
Where you are able to use MessageDigest at all, the same algo should return the same digest of an identical source
0
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

 

Author Comment

by:pouli
ID: 10920580
Do you think that there is a problem because I save the digest as a string to the DB.

and then when I want to reconstruct it I read it as a UTF-8 and make the comparison ???
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 10920635
What you should probably do is save it as a String by saving the hex value of the array. Although there *should* be the same de/encoding procedures, i would not bank on it for ever, but also i don't like the idea of attempting to encode an array that may be entirely invalid as a UTF-8 String. Yet another reason to go hex is that you've got a human-readable representation of the hash value ready to hand. Obviously, make sure that 0-padding is used.
0
 

Author Comment

by:pouli
ID: 10920751
Please, give me an example.
0
 
LVL 86

Accepted Solution

by:
CEHJ earned 50 total points
ID: 10920828
You could use this on the digest byte array:

      public static String byteArrayToHexString(byte[] rawBytes) {
            StringBuffer sb = new StringBuffer(rawBytes.length * 2);
            for (int i = 0; i < rawBytes.length; i++) {
                  String s = Integer.toHexString(rawBytes[i] & 0xFF);
                  if (s.length() == 1) {
                        // leading zero
                        sb.append('0');
                  }
                  sb.append(s);
            }
            return sb.toString();
      }
0
 

Author Comment

by:pouli
ID: 10920881
ok One question
why do you
rawBytes[i] & 0xFF

filter the byte with & 0xFF

and what are u doing wihth the length ???
 if (s.length() == 1) {
                    // leading zero
                    sb.append('0');


Actually everything  :)
please
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 10920935
>>why do you  rawBytes[i] & 0xFF

Because bytes are signed in Java. You need to 'unsign' it and that's what that does.

>>and what are u doing wihth the length ???

As i mentioned, you need to 0-pad the result or you'll get varying lengths returned for a 32 bit digest, depending on the values contained in each element of the array
0
 
LVL 92

Expert Comment

by:objects
ID: 10922796
whats your problem exactly?
0
 

Author Comment

by:pouli
ID: 10925769
The problem objects is that the same algorithm works under the same JVM and specific under 1.3

but when you run it under other JVM (ver 1.4) then it doesn't.
I will try the CEHJ's way and I will tell you again what the result is
0
 
LVL 92

Expert Comment

by:objects
ID: 10925797
post the code you currently use to store and retrieve your digest.
0
 
LVL 92

Expert Comment

by:objects
ID: 10925934
sounds like you need to use Base 64 encoding. Lots of implementations around, even one from Sun.
Let me know if u need more info.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 10928404
Base64 encoding is not a good idea. All it does is provide an encodable String from the digest. You can get the same effect by rendering the digest as a hex string *and* it's human readable without further decoding
0
 

Author Comment

by:pouli
ID: 10930019
Sorry, about my absence. ISP problems.

Problem has been solved CEHJ your code was perfect thank you.

Objects my I wanted to be difficult for somebody to read the passwprd from the DB and the Base64 is not the solution.

The algo is like this
1. take the curretn time
2. save the digest of the password  + currentime to a field
3. save current time to othe rfield as well.

Now when we want to check if the code is right we reconstruct the password in the opposite way:
1. read the timestap
2. Concatenate it with the password
3. Digest this
4. f it is the same with the one stored at the db then that's it The password is right otherwise it is wrong.\

That way there is no way to reverse the digest to see the password.
Except if somebody find a way to reverse a SHA-1 digest.

That's all my friends.

Talk u later
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 10930060
8-)
0
 
LVL 92

Expert Comment

by:objects
ID: 10934235
> Objects my I wanted to be difficult for somebody to read the passwprd from the DB and the Base64 is not the solution.

would have to disagree there
you're just reinventing the wheel really.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 10937235
>>you're just reinventing the wheel really.

You're missing the point - it doesn't have to be encrypted twice and should be human readable
0
 

Author Comment

by:pouli
ID: 10942373
Sorry, that I haven't answered but I cannot see my Yahoo emails, I just think that you may have post a comment.

Now, to our subject.

--Objects--
Why am I reinveting the wheel ?
As far as I know Base64 does not use any key right ???
So everybody can read the pass + timestamp from the db right ???

Now, with the algorithm that we are talking about noboy can read the password unless he/she knows the keyword.

Only then he can make the same Digest, thus authenticated himself with the system.
Otherwise not.

Please ask me what is the point that you do not fully understand.

0
 
LVL 92

Expert Comment

by:objects
ID: 10943933
> As far as I know Base64 does not use any key right ???
> So everybody can read the pass + timestamp from the db right ???

No, you use Base64 to encode the digest into a string.

0
 

Author Comment

by:pouli
ID: 10947126
Ahh right. sorry objects. Now I have understoof what you mean by reinventing the wheel.

Yes you may be right although I haven't tried this.
Anyway seems that it works the way CEHJ post it to me and this is how we included it to our code.
No time for changes now.

Both ways are right and makes the job.

Thank you for the input objects.
0
 
LVL 92

Expert Comment

by:objects
ID: 10947146
No worries :)

u know where to find me when you have anymore questions.
0
 

Author Comment

by:pouli
ID: 10948404
Hey people could you please have a look. I think that I have posted this to the wrong category

http://www.experts-exchange.com/Databases/Oracle/Q_20971967.html

It is more Ant related
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 10948517
>>Ahh right. sorry objects. Now I have understoof what you mean by reinventing the wheel.

Then there are now two people here that have not got the point ;-) The point is, you don't generally want digests in a format that's not human-readable - it just makes things difficult. If you go to download sites that have proper implementations where they show the MD5 hash of the file, you don't get that in Base64, you get the String representation, so you can see what it is and use it and manipulate it more portably
0
 
LVL 92

Expert Comment

by:objects
ID: 10954630
Sounds like there just 1 who's missing the point here :D
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Java contains several comparison operators (e.g., <, <=, >, >=, ==, !=) that allow you to compare primitive values. However, these operators cannot be used to compare the contents of objects. Interface Comparable is used to allow objects of a cl…
Introduction This article is the last of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article covers our test design approach and then goes through a simple test case example, how …
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
This tutorial will introduce the viewer to VisualVM for the Java platform application. This video explains an example program and covers the Overview, Monitor, and Heap Dump tabs.

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question