How do generated keys work?

123 views Asked by At

I generate a key and use the doFinal() from the cipher class to encrypt the password/username, now, when the user wants to login he inputs UN and PW then I take them what is the process I need to do so I compare the input to the database I saved the encrypted data in?

Writing this question I feel stupid but the truth is I am really new to this and my information could be remote from right so please move on to explaining and pass the what are you talking about part.

now the code I used :

 public class Safety {
    public static Users encryptUser(Users user){
        Users usera=user;
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES/CBC/PKCS5Padding");
            Key key=kg.generateKey();
            Cipher cipher=Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            String fNE=new String(cipher.doFinal(user.getFirstname().getBytes()),"UTF-8");
            String lNE=new String(cipher.doFinal(user.getLastname().getBytes()) , "UTF-8");
            String userNameE= new String(cipher.doFinal(user.getUsername().getBytes()),"UTF-8");
            String passWordE= new String(cipher.doFinal(user.getPassword().getBytes()),"UTF-8");
            String eME= new String(cipher.doFinal(user.getEmail().getBytes()),"UTF-8");
            String sQE= new String(cipher.doFinal(user.getsQ().getBytes()),"UTF-8");
            String sAE= new String(cipher.doFinal(user.getsA().getBytes()),"UTF-8");
            Users usere=new Users(fNE, lNE, userNameE, passWordE, eME, sQE, sAE, user.getUserID());
            return usere;
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        catch(Exception e){
            e.printStackTrace();                
        }

        return usera;
    }

    public static String decryptuser(Users user){
       //what should I do here exactly? 
    }
}

after a little of research and work this is what i have come up with :

         public class Safety {
public static final String algorithm = "PBKDF2WithHmacSHA1";
public static final int saltbytesize = 24;
public static final int hashbytesize = 24;
public static final int iterations = 1000;
public static final int iIndex = 0;
public static final int sIndex = 1;
public static final int pbkIndex = 2;
    public static Users passwordHash(Users user) throws NoSuchAlgorithmException, InvalidKeySpecException{
        SecureRandom sR=new SecureRandom();
        byte[] pws=new byte[saltbytesize];
        sR.nextBytes(pws);
        byte[] pwh=pbkdf2(user.getPassword().toCharArray(),pws,iterations,hashbytesize);
        user.setPassword(toHex(pwh));
        byte[] sas=new byte[saltbytesize];
        sR.nextBytes(sas);
        byte[] sah=pbkdf2(user.getsA().toCharArray(),sas,iterations,hashbytesize);
        user.setsA(toHex(sah));
        user.setUserhash(pws);
        user.setSahash(sas);
        return user;
    }

    public static boolean hashpassword(String username,String password,Users user) throws NoSuchAlgorithmException, InvalidKeySpecException{
        byte[] pws=user.getUserhash();
        byte[] pwh=pbkdf2(password.toCharArray(),pws,iterations,hashbytesize);
        String searcher=toHex(pwh)+username;
        String searched=user.getPassword()+user.getUsername();
        if(searcher.equals(searched)){
            return true;
        }
        return false;
     }
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes)
            throws NoSuchAlgorithmException, InvalidKeySpecException
        {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
            SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
            return skf.generateSecret(spec).getEncoded();
        }
    private static String toHex(byte[] array)
    {
        BigInteger bi = new BigInteger(1, array);
        String hex = bi.toString(16);
        int paddingLength = (array.length * 2) - hex.length();
        if(paddingLength > 0)
            return String.format("%0" + paddingLength + "d", 0) + hex;
        else
            return hex;
    }



     }

and this is great for now how ever id like to make it work with SHA512 how can i do that?

1

There are 1 answers

6
Jonathan Rosenne On BEST ANSWER

You should not encrypt the password, you should hash it with the user name and a salt.

See Why should I hash passwords?