i have tried several links from stackoverflow to get HmacSHA256 with key to work with java, but i always get
func check(body: String) -> String { let hash = body.hmac(HMACAlgorithm.sha256, key: Router.sigKey) print("SIG: " + Router.sigKey) print("result of hash. \(hash)") return hash}This function returns hash with key from given String. Key was: 0393e944ee8108bb66fc9fa4f99f9c862481e9e0519e18232ba61b0767eee8c6
String was: example
Result is: 27effb76c97022497e25d3a5d7e823462f212a82d9ebba35f179071568b0c335
When i use this website to check if my SHA256 is good with the same key, it returns same answer, so i know my code in swift is good. But when i try to do it in java, here is the source code.
public static String HMAC_SHA(){ try { String secret = "0393e944ee8108bb66fc9fa4f99f9c862481e9e0519e18232ba61b0767eee8c6"; String message = "example"; Mac sha256_HMAC = Mac.getInstance("HmacSHA256"); SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256"); sha256_HMAC.init(secret_key); String hash = android.util.Base64.encodeToString(sha256_HMAC.doFinal(message.getBytes()), Base64.URL_SAFE); return new String(Hex.encodeHex(hash.getBytes())); } catch (Exception e){ e.printStackTrace(); } return null;}It returns this: 4a2d5f3764736c77496b6c2d4a644f6c312d676a526938684b6f4c5a36376f3138586b4846576977777a553d0a
Which is not even similar to the swift output. How can i achieve the same result with java from the swift code above, it would be helpful a lot!
This question already has an answer here:
I'm testing the speed of 3 hash functions in Java (Blake2b-256, SHA1, and SHA-256) and I'm getting some results that I'm curious about.
AFAIK, Java does not have a built in Blake2b implementation, so I'm using BouncyCastle, and when testing the BouncyCastle SHA-256 and SHA1 implementations against the Java ones, the results are 4-6 times slower (approximately).Is there any obvious explanation for this/ways to improve the BouncyCastle implementation's speed?
All of the functions were called the same way; I'm initializing all the MessageDigest instances before hashing, and simply running reset() and digest(byte[] in) for each input.
Here are the results I got:
Blake2b-256 took 606287 ns.SHA1-B took 55237 ns.SHA1-C took 10913 ns.trueSHA2-B took 65884 ns.SHA2-C took 15451 ns.trueB denoting BouncyCastle, C being the Java implementation.
EDIT: Note, I am not asking about how to implement a micro-benchmark (mostly because I used that question as a reference before posting this question).
EDIT 2: I'm guessing I simply wasn't using enough repetitions in my benchmark because after increasing it by 50000 I'm getting much better results, but the results are still not what I'd expect - Blake2b should be beating both SHA1 and SHA-256 but instead it's (still) lagging significantly behind, and the BouncyCastle implementations are still lagging behind the Java ones, although not quite as dramatically.
Python noob with very bad english here,
Im using this sha256_crypt module to hash my passwords and verify them. and during debug i saw that this line of code takes too much time.
sha256_crypt.encrypt(passwd)sha256_crypt.verify(passwd,dbpass1)I tought it might be due to debuging. but even when even if im not debuging this line of code takes 2-5 seconds each to be done. is this normal?if so is there any other option for hashing password that doesnt take some much time?
There seems to be a problem with getting deterministic hash values for the POI XLSX format, with MessageDigest SHA-256 implementation, even for empty ByteArray streams. This happens randomly, after several hundreds or even only thousands of iterations.
The relevant code snippets used to reproduce the problem:
// TestNG FileTest:@Test(enabled = true) // indeterminism at random iterations, such as 400 or 1290public void emptyXLSXTest() throws IOException, NoSuchAlgorithmException { final Hasher hasher = new HasherImpl(); boolean differentSHA256Hash = false; for (int i = 0; i < 10000; i++) { final ByteArrayOutputStream excelAdHoc1 = BusinessPlanInMemory.getEmptyExcel("xlsx"); final ByteArrayOutputStream excelAdHoc2 = BusinessPlanInMemory.getEmptyExcel("xlsx"); byte[] expectedByteArray = excelAdHoc1.toByteArray();String expectedSha256 = hasher.sha256(expectedByteArray);byte[] actualByteArray = excelAdHoc2.toByteArray();String actualSha256 = hasher.sha256(actualByteArray);if (!expectedSha256.equals(actualSha256)) { differentSHA256Hash = true; System.out.println("ITERATION: " + i); System.out.println("EXPECTED HASH: " + expectedSha256); System.out.println("ACTUAL HASH: " + actualSha256); break; } } Assert.assertTrue(differentSHA256Hash, "Indeterminism did not occur");}Referenced Hasher and POI code:
// HasherImpl class:public String sha256(final InputStream stream) throws IOException, NoSuchAlgorithmException { final MessageDigest digest = MessageDigest.getInstance("SHA-256"); final byte[] bytesBuffer = new byte[300000]; int bytesRead = -1; while ((bytesRead = stream.read(bytesBuffer)) != -1) { digest.update(bytesBuffer, 0, bytesRead); } final byte[] hashedBytes = digest.digest(); return bytesToHex(hashedBytes);}Tried to eliminate indeterminism due to meta data like creation time, to no avail:
// POI BusinessPlanInMemory helper class:public static ByteArrayOutputStream getEmptyExcel(final String fileextension) throws IOException { Workbook wb; if (fileextension.equals("xls")) { wb = new HSSFWorkbook(); } else { wb = new XSSFWorkbook(); final POIXMLProperties props = ((XSSFWorkbook) wb).getProperties(); final POIXMLProperties.CoreProperties coreProp = props.getCoreProperties(); coreProp.setCreated(""); coreProp.setIdentifier("1"); coreProp.setModified(""); } wb.createSheet(); final ByteArrayOutputStream excelStream = new ByteArrayOutputStream(); wb.write(excelStream); wb.close(); return excelStream;}The HSSF / XLS format seems not to be affected by the problem described.Does anybody have a clue, what could be causing this, if not a bug in POI itself? Basically, the code above refers to https://poi.apache.org/spreadsheet/examples.htmlBusinessPlan example
Thanks for your input!
When using the JavaX HMAC/SHA256 hashing libraries, if I right pad my secret key with non-zero bytes, the hash for the same message is different; as expected.
hmacSHA256digest( "secret".getBytes("UTF-8"), msg) = "244d9c89069406d40803722ec6a793e5e04c55234d9ca03039a7b505cb3f8f00"hmacSHA256digest("secret\1".getBytes("UTF-8"), msg) = "4f94305c91ca9d8dec13ffcff7e455d6f0c49373e1bbc4035da2b500b11063fb" However, if I right-pad the secret key with an arbitrary number of \0 bytes, the hash comes back as the same for different byte arrays like:
So, JavaX HMAC SHA256 is returning the same hash, even though the byte[] array returned from getBytes("UTF-8") for the secret just has a few additional zeros at the end (so it's not a UTF-8 issue):
hmacSHA256digest( "secret".getBytes("UTF-8"), msg) = "244d9c89069406d40803722ec6a793e5e04c55234d9ca03039a7b505cb3f8f00"hmacSHA256digest( "secret\0".getBytes("UTF-8"), msg) = "244d9c89069406d40803722ec6a793e5e04c55234d9ca03039a7b505cb3f8f00"hmacSHA256digest( "secret\0\0".getBytes("UTF-8"), msg) = "244d9c89069406d40803722ec6a793e5e04c55234d9ca03039a7b505cb3f8f00"Calls to other JavaX methods for MD5 and plain SHA256 do not return the same hash when extra \0 s are appended to the secret, so they pass our security test case for hash uniqueness across different secrets. Is the failure of this zero-padded-secrets case with MAC/SHA256 a possible attack vector?
This is the example code:
import javax.crypto.Mac;import javax.crypto.spec.SecretKeySpec;import java.security.InvalidKeyException;import java.security.MessageDigest;import java.security.NoSuchAlgorithmException;import java.util.Arrays;static void testRightZeroPaddedSecretsHaveDifferentHashes() { try { byte[] msg = "msg".getBytes("UTF-8"); // HMAC SHA256 byte[] b3 = hmacSHA256digest(msg, "secret".getBytes("UTF-8")); byte[] b4 = hmacSHA256digest(msg, "secret\0".getBytes("UTF-8")); // Plain SHA256 byte[] b5 = SHA256digest(msg, "secret".getBytes("UTF-8")); byte[] b6 = SHA256digest(msg, "secret\0".getBytes("UTF-8")); boolean same34 = Arrays.equals(b3, b4); boolean same56 = Arrays.equals(b5, b6); System.out.println( "\n" + Arrays.toString(b3) + "\n" + Arrays.toString(b4) + "\nHMAC SHA256 - identical hash results? = " + same34 + "\n" + "\n" + Arrays.toString(b5) + "\n" + Arrays.toString(b6) + "\nPlain SHA256 - identical hash results? = " + same56 ); } catch (Throwable e) { e.printStackTrace(); }}static byte[] hmacSHA256digest(byte[] msg, byte[] secret) { try { SecretKeySpec keySpec = new SecretKeySpec(secret, "HmacSHA256"); Mac mac = Mac.getInstance("HmacSHA256"); mac.init(keySpec); byte[] hmac = mac.doFinal(msg); return hmac; } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (InvalidKeyException e) { e.printStackTrace(); } return null;}static byte[] SHA256digest(byte[] msg, byte[] secret) { try { MessageDigest digest = MessageDigest.getInstance("SHA-256"); digest.update(msg); byte[] hash = digest.digest(secret); return hash; } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } return null;}And sample output:
[-2, 79, -100, 65, -113, 104, 63, 3, 79, 106, -7, 13, 29, -43, -72, 106, -64, 53, 93, -39, 99, 50, -59, -100, -57, 69, -104, -48, 115, 97, 7, -10] [-2, 79, -100, 65, -113, 104, 63, 3, 79, 106, -7, 13, 29, -43, -72, 106, -64, 53, 93, -39, 99, 50, -59, -100, -57, 69, -104, -48, 115, 97, 7, -10] HMAC SHA256 - identical hash results? = true[-88, 92, 89, -29, -65, -48, -127, 51, 125, -120, 78, -38, 25, 57, -91, 91, -50, 111, -33, 40, -3, 0, -95, 89, -50, -88, 39, 118, 101, -56, 91, 126] [-40, 39, 49, -64, 58, 40, 124, 64, 110, -100, 50, 115, -32, 114, -107, 24, -73, -17, -37, 11, 67, -26, -48, -65, 109, -24, 119, 45, 74, -31, -81, 119]Plain SHA256 - identical hash results? = falseSince JavaX HMAC SHA256 failed this zero-padded-secrets test case that passed for the plain SHA256/MD5 algorithms mentioned above, can anyone explain the difference in the behavior and if this can be exploited?
Please note that by viewing our site you agree to our use of cookies (see Pribadi for details). You will only see this message once.