LinkBack URL
About LinkBacks
Validation of user, fails ned a point in the right direction
1. sorry for spamming the forum with question lately, but this is kinda of important.
I have create a user and have used hashing and saltning to encrypt the password, but my authentication fails, and I can't see the reason please damn help:
package com.core.bibit.model; import org.hibernate.Session; import org.hibernate.SessionFactory; import org.hibernate.cfg.Configuration; import org.hibernate.service.ServiceRegistry; import org.hibernate.service.ServiceRegistryBuilder; import com.core.bibit.service.Security; public class TestHibernate { public static void main(String[] args) { Book b = new Book(); b.setTitle("Harry Potter"); b.setIsbn("John"); Book a = new Book(); a.setTitle("Lort"); a.setIsbn("454-45-454321"); User user = new User("tools", "test"); Configuration config = new Configuration(); config.configure(); ServiceRegistry sr = new ServiceRegistryBuilder().applySettings(config.getProperties()).buildServiceRegistry(); SessionFactory sessionFac = config.buildSessionFactory(sr); Session session = sessionFac.openSession(); session.beginTransaction(); session.save(b); session.save(a); session.save(user); session.getTransaction().commit(); System.out.println(Security.validateUser("tools", "test")); } }
package com.core.bibit.service; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.util.Arrays; import sun.misc.BASE64Decoder; import sun.misc.BASE64Encoder; public class Security { private final static int ITERATION_NUMBER = 1000; public static byte[] getHash(int iterationNb, String password, byte[] salt) throws NoSuchAlgorithmException, UnsupportedEncodingException { MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.reset(); digest.update(salt); byte[] input = digest.digest(password.getBytes("UTF-8")); for (int i = 0; i < iterationNb; i++) { digest.reset(); input = digest.digest(input); } return input; } public static String byteToBase64(byte[] data) { BASE64Encoder endecoder = new BASE64Encoder(); return endecoder.encode(data); } public static byte[] base64ToByte(String data) throws IOException { BASE64Decoder decoder = new BASE64Decoder(); return decoder.decodeBuffer(data); } public static boolean validateUser(String userName, String password){ boolean valid = false; Connection con = null; PreparedStatement ps = null; ResultSet rs = null; try{ Class.forName("com.mysql.jdbc.Driver"); con = DriverManager.getConnection("jdbc:mysql://localhost:8889/bibit?" + "user=root&password=root"); String query = "SELECT * FROM bibit.User WHERE username = ?"; ps = con.prepareStatement(query); ps.setString(1, userName); rs = ps.executeQuery(); String digest, salt; if(rs.next()){ digest = rs.getString("PASSWORD"); salt = rs.getString("SALT"); System.out.println("Digest: " + digest); System.out.println("Salt: " + salt); if(digest == null || salt == null){ System.out.println("IF1"); throw new SQLException("Database inconsistant Salt or Digested Password altered"); } if(rs.next()){ System.out.println("IF2"); throw new SQLException("Database inconsistent two CREDENTIALS with the same LOGIN"); } else{ System.out.println("IF3"); digest = "000000000000000000000000000="; salt = "00000000000="; //valid = false; } byte[] bDigest = base64ToByte(digest); byte[] bSalt = base64ToByte(salt); //compute digest byte[] proposedDigest = getHash(ITERATION_NUMBER, password, bSalt); System.out.println("Response: " + (Arrays.equals(proposedDigest, bDigest) && valid)); return Arrays.equals(proposedDigest, bDigest) && valid; } }catch(Exception e){ e.printStackTrace(); }finally{ try { rs.close(); ps.close(); con.close(); } catch (SQLException e) { // TODO Auto-generated catch block e.printStackTrace(); } return valid; } } }
Response console:
Digest: 2hCdREXiG9uFVIPCFTvC/FmbC6s= Salt: D4s0qZHPGVU= IF3 Response: false false
and I am following this guide from OWASP: https://www.owasp.org/index.php/Hashing_Java
Reply With Quote
Related threads: