android sha512 example

生来就可爱ヽ(ⅴ<●) 提交于 2019-12-18 12:03:09

问题


  1. Can someone provide an example for java/android on how to hash a password using PW_HASH_ITERATION_COUNT iterations of sha512 + salt?

    in pseudo code:

    hash = sha512(concat(pw,salt));
    for (i = 1; i<PW_HASH_ITERATION_COUNT; i++){
        hash = sha512(concat(hash,concat(pw,salt)));
    }
    

    Where z = concat(x,y) is the concatenation of x and y.

    Maybe using MessageDigest ?

  2. What would you suggest as PW_HASH_ITERATION_COUNT? How many iterations would be the maximum so that this might even run on some older devices (2.1+)

UPDATE UPDATE UPDATE

Due to good reasons, we will use bcrypt to encrypt our passwords. We use the jBCrypt implementation.

Anyway.. to answer the question... this is the code for the question above to use SHA-512 with the MessageDigest:

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import de.seduceme.utils.Base64;

public class PwStorage {
    public static int PW_HASH_ITERATION_COUNT = 5000;
    private static MessageDigest md;

    public static void main(String[] args) {
        String pw = "teüöäßÖst1";
        String salt = "e33ptcbnto8wo8c4o48kwws0g8ksck0";

        try {
            md = MessageDigest.getInstance("SHA-512");
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
            throw new RuntimeException("No Such Algorithm");
        }

        String result = PwStorage.hashPw(pw, salt);
        System.out.println(result);
        // result: 2SzT+ikuO9FBq7KJWulZy2uZYujLjFkSpcOwlfBhi6VvajJMr6gxuRo5WvilrMlcM/44u2q8Y1smUlidZQrLCQ==
    }


    private static String hashPw(String pw, String salt) {
        byte[] bSalt;
        byte[] bPw;

        try {
            bSalt = salt.getBytes("UTF-8");
            bPw = pw.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unsupported Encoding", e);
        }

        byte[] digest = run(bPw, bSalt);
        for (int i = 0; i < PW_HASH_ITERATION_COUNT - 1; i++) {
            digest = run(digest, bSalt);
        }

        return Base64.encodeBytes(digest);
    }

    private static byte[] run(byte[] input, byte[] salt) {
        md.update(input);
        return md.digest(salt);
    }
}

With this Base64 lib.


回答1:


Read my post here, especially the post I linked to about password hashing.

  • You should ideally use bcrypt or scrypt rather than doing your own password hashing.
  • But if you must, you should run for a few thousand iterations at the minimum, preferably more.

Yes, you can use MessageDigest for SHA-512. Each time you call digest, the state of the object automatically resets, which is really handy---you can start updating for the next iteration straight away.

But I still think you should use bcrypt or scrypt instead. For your own good, and the good of your users. :-)




回答2:


a HMAC is found to be sufficient for what you wanna do and it does only 2 iterations

it boils down to

hash = sha512(concat(xor(salt,nonce2),sha512(concat(xor(salt,nonce1),pw)));


来源:https://stackoverflow.com/questions/6393292/android-sha512-example

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!