One Way Password Encryption Using Java

Ever wondered how your passwords are generally stored by web applications? One thing is for sure: they are not stored as plain text, if the developers out there care about your password security. In this little Java tutorial, I would like to demonstrate how to generate an encrypted password that can be stored in the database and is safe. I will show how the choice of encryption algorithm and character encoding affects the encrypted password that is generated. There are a variety of algorithms to choose from; here I am using SHA and MD5.

/**
 * @author Kushal Paudyal
 * http://www.sanjaal.com/java
 * Last Modified On 2009-04-28
 */
package com.kushal.utils;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public final class MyPasswordEncrypt {
	/**
	 * Digests the bytes of the password (in the given character encoding)
	 * with the given MessageDigest algorithm and returns the raw digest
	 * encoded as Base64. Returns null if the algorithm or the encoding is
	 * not known to the JVM.
	 */
	public static synchronized String encrypt(String plaintext,
			String algorithm, String encoding) throws Exception {
		MessageDigest msgDigest = null;
		String hashValue = null;
		try {
			msgDigest = MessageDigest.getInstance(algorithm);
			// The bytes that reach the digest depend on the encoding, which is
			// why UTF-8 and UTF-16 give different results for the same string.
			msgDigest.update(plaintext.getBytes(encoding));
			byte rawByte[] = msgDigest.digest();
			// java.util.Base64 replaces the internal sun.misc.BASE64Encoder,
			// which is no longer shipped with the JDK; the output is the same.
			hashValue = Base64.getEncoder().encodeToString(rawByte);
		} catch (NoSuchAlgorithmException e) {
			System.out.println("No Such Algorithm Exists");
		} catch (UnsupportedEncodingException e) {
			System.out.println("The Encoding Is Not Supported");
		}
		return hashValue;
	}

	public static void main(String args[]) throws Exception {
		String plainPassword = "SecretPassword";

		// Columns are tab-separated.
		System.out.println("PlainText\tAlgo\tEncoding\tEncrypted Password");
		System.out.println(plainPassword + "\tSHA\tUTF-8\t"
				+ encrypt("MySecretPassword", "SHA", "UTF-8"));
		System.out.println(plainPassword + "\tSHA-1\tUTF-16\t"
				+ encrypt("MySecretPassword", "SHA-1", "UTF-16"));
		System.out.println(plainPassword + "\tMD5\tUTF-8\t"
				+ encrypt("MySecretPassword", "MD5", "UTF-8"));
		System.out.println(plainPassword + "\tMD5\tUTF-16\t"
				+ encrypt("MySecretPassword", "MD5", "UTF-16"));
	}
}

————————————————
Here is the output of this program. Note the different encrypted passwords for the same plain text password.
————————————————

PlainText       Algo   Encoding  Encrypted Password
SecretPassword  SHA    UTF-8     lScpxhyrfgHktfW6e5WDDSB190s=
SecretPassword  SHA-1  UTF-16    NfsACTQRTvkEV5kzrDY55vQR1ec=
SecretPassword  MD5    UTF-8     cxWgEuytEFmjY0+L4TR4Rg==
SecretPassword  MD5    UTF-16    JulkQ6YpxzLMlpIgU28xmg==

————————————————
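As an added example (my own code, not part of the original post), the class below makes two things visible that the table above only hints at: the exact bytes each encoding feeds to the digest (Java's "UTF-16" prefixes a byte-order mark and uses two bytes per character, so the digest differs from UTF-8), and how a stored Base64 digest is checked at login time with MessageDigest.isEqual instead of String.equals. The class name, method names and the sample password are assumptions of this example.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public final class DigestCheck {
    // Same scheme as MyPasswordEncrypt: digest the bytes of the chosen
    // encoding, then Base64-encode the raw digest for storage.
    // Note the scheme is unsalted: two users with the same password and the
    // same encoding get the same stored value.
    static String digestBase64(String text, String algorithm, Charset cs) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return Base64.getEncoder().encodeToString(md.digest(text.getBytes(cs)));
    }

    // Hex view of the bytes that actually reach the digest.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Compare a login attempt against the stored digest. Decoding the stored
    // value and comparing raw bytes with MessageDigest.isEqual avoids a
    // byte-by-byte early exit, unlike String.equals on the Base64 text.
    static boolean verify(String attempt, String algorithm, Charset cs, String storedBase64) throws Exception {
        byte[] stored = Base64.getDecoder().decode(storedBase64);
        byte[] candidate = MessageDigest.getInstance(algorithm).digest(attempt.getBytes(cs));
        return MessageDigest.isEqual(stored, candidate);
    }

    public static void main(String[] args) throws Exception {
        String pw = "MySecretPassword"; // sample value, constructed for this example

        // UTF-8: one byte per ASCII character. UTF-16: BOM fe ff, then 00 xx pairs.
        System.out.println("UTF-8  bytes: " + hex(pw.getBytes(StandardCharsets.UTF_8)));
        System.out.println("UTF-16 bytes: " + hex(pw.getBytes(StandardCharsets.UTF_16)));

        String stored = digestBase64(pw, "SHA-1", StandardCharsets.UTF_8);
        System.out.println("stored SHA-1/UTF-8 digest: " + stored);

        // The stored value only matches when algorithm AND encoding are replayed exactly.
        System.out.println("correct password, UTF-8:  " + verify(pw, "SHA-1", StandardCharsets.UTF_8, stored));
        System.out.println("correct password, UTF-16: " + verify(pw, "SHA-1", StandardCharsets.UTF_16, stored));
        System.out.println("wrong password, UTF-8:    " + verify("MySecretPassw0rd", "SHA-1", StandardCharsets.UTF_8, stored));
    }
}
```

The second verify call returns false even though the password is correct, which is why the encoding used at registration must be recorded or fixed by convention and reused at login.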

If you are interested in understanding what SHA, MD5 and UTF encoding are, read below:

SHA
The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. The SHA-2 family uses an identical algorithm with a variable digest size which is distinguished as SHA-224, SHA-256, SHA-384, and SHA-512.

SHA-1 is the best established of the existing SHA hash functions, and is employed in several widely used security applications and protocols. In 2005, security flaws were identified in SHA-1, namely that a possible mathematical weakness might exist, indicating that a stronger hash function would be desirable. Although no attacks have yet been reported on the SHA-2 variants, they are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives. A new hash standard, SHA-3, is currently under development; the function will be selected via an open competition running between 2008 and 2012. [From Wikipedia. See License Terms]

MD5
In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. However, it has been shown that MD5 is not collision resistant; as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property. An MD5 hash is typically expressed as a 32 digit hexadecimal number.

MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found in the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found vulnerable). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable. In 2007, a group of researchers including Arjen Lenstra described how to create a pair of files that share the same MD5 checksum. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity. [From Wikipedia. See License Terms]

UTF
UTF stands for Unicode Transformation Format. It is one of the methods of character encoding for Unicode.