Similar sha512 of php for android password login

Question

I have my php application where when I created the user I ran this.

    $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
   // Create salted password 
    $userPwd = hash('sha512', $userPwd . $random_salt);

Next when I try to login upon the having captured the password I hash via this javascript p.value = hex_sha512(userPwdControl.value);

Then in the ran this

$hashPassword = hash('sha512', $userPassword . $row1['userSalt']);

All above codes works via php.

Now via my android I want to do this function p.value = hex_sha512(userPwdControl.value); to get the hash and I am trying out first via java codes as below. But I got empty results below.

StringBuffer stringBuffer = new StringBuffer();
         try {
                String message = "myPass";
                MessageDigest digest = MessageDigest.getInstance("512");
                byte[] hashedBytes = digest.digest(message.getBytes("UTF-8"));

                for (int i = 0; i < hashedBytes.length; i++) {
                    stringBuffer.append(Integer.toString((hashedBytes[i] & 0xff) + 0x100, 16)
                            .substring(1));
                }
                stringBuffer.toString();

            } catch (NoSuchAlgorithmException | UnsupportedEncodingException ex) {

            }
         System.out.println("TEST :"+stringBuffer);

score 2 · Accepted Answer · answered Dec 07 '16 at 05:21

2

Can you try the code below. Did some minor changes in your code.

        String resultString         =   "";
        try {
            byte[] buffer           =   password.getBytes();
            MessageDigest md        =   MessageDigest.getInstance("SHA-512");
            md.update(buffer);
            byte[] digest           =   md.digest();

            for(int i = 0 ; i < digest.length ; i++) {
                int b               =   digest[i] & 0xff;
                if(Integer.toHexString(b).length() == 1)
                    resultString    =   resultString + "0";
                resultString        =   resultString + Integer.toHexString(b);
            }
        } catch(NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

answered Dec 07 '16 at 05:21

Febi M Felix

2,799
1
10
13

Yes its working where was my mistake? Another thing am I doing the correct thing for android flow? – user5313398 Dec 07 '16 at 05:27
See your algorithm name while creating MessageDigest instance. Also return a hex string inside and append to the buffer, which yours is just a string. – Febi M Felix Dec 07 '16 at 05:29
Can I use this in my android for login to my database which I can do via php? – user5313398 Dec 07 '16 at 05:30
Thank you cause I am very new to this and I am marking it yours answer – user5313398 Dec 07 '16 at 05:33

score 1 · Answer 2 · answered Dec 07 '16 at 09:36

1

Your problem seems to be solved already, but I would strongly recommend to switch to a more safe hashing algorithm. A single SHA-512 cannot protect your users passwords because it is way too fast (1 Giga SHA-512 per second) and therefore can be brute-forced too easily.

What you need, is hash function with a cost factor, like BCrypt, PBKDF2 or SCrypt. PHPs function password_hash() currently implements BCrypt, a compatible implementation you can get with jBCrypt.

answered Dec 07 '16 at 09:36

martinstoeckli

23,430
6
56
87

@marin so what best do you suggest? IF I change this then all the user password and salt need to be change in the db too? What best function do you suggest? So will I find a compatible function in java for it ? – user5313398 Dec 07 '16 at 17:19
@user5313398 - In your case with a salted SHA-512 I would use BCrypt on your existing hashes, see this [answer](http://stackoverflow.com/a/14402451/575765) for more details. With BCrypt you get another advantage, that you don't need to store the salt separately, just make sure the field is big enough `varchar(255)`. The linked jBcrypt library is a Java implementation and should be compatible with the PHP hashes – martinstoeckli Dec 07 '16 at 20:38
@matin thank you for the link I got another question I have will have 2 parts one is web part using php. Then I have my other part that is mobile both ios(swift 3) and android. So will I have issue with ios later since I have not develop that part I have just started on android now? – user5313398 Dec 09 '16 at 03:40
@user5313398 - I'm pretty sure that you can find an implementation for ios (BCrypt is a well known proven algorithm), but unfortunately i'm not familiar with the apple world, so i cannot recommend any library. – martinstoeckli Dec 09 '16 at 08:23
So are you suggesting to you Brcrpyt I dont quite understand how its salt will be different to sha 512? – user5313398 Dec 11 '16 at 15:48
@user5313398 - BCrypt will add its own salt, but that's not the point, important is, that BCrypt will need more time to calculate the hash. So you either use your old SHA-hashes and wait until the user logs in the next time, then you can calculate a BCrypt-hash from the entered password and replace the SHA-hash in the database. Or you can calculate `password_hash($storedShaHash, PASSWORD_DEFAULT)` for all accounts and store it (you need to keep the old salt then). After the user logs in the next time, replace the double hash with a normal BCrypt-hash. – martinstoeckli Dec 11 '16 at 19:03

Similar sha512 of php for android password login

2 Answers2