
Java Forum / Security / April 2004

how to get md5hash ??

karen - 20 Apr 2004 18:18 GMT
hello,
i am experienced using java, but never had to look at the security
package before.  i am trying to implement an online credit card
processing interface, which requires that i send a "fingerprint" with
my request.  it says the fingerprint should be an md-5 hash of x, y,
and z values.  it offers code examples for asp, perl, and php, all of
which have something along the lines of

fingerprint = hashFunction(dataToEncrypt, key);

what is the java function comparable to this?  i looked at
MessageDigest as well as Signature, but i don't really understand how
they work, and none have any sorts of functions that take a piece of
data and a key as parameters.  am i totally barking up the wrong tree?

thanks in advance,
-k
Roedy Green - 21 Apr 2004 00:37 GMT
>what is the java function comparable to this?  i looked at
>MessageDigest as well as Signature, but i don't really understand how
>they work,

see http://mindprod.com/jgloss/digest.html

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Michael Amling - 21 Apr 2004 18:36 GMT
> hello,
> i am experienced using java, but never had to look at the security
[quoted text clipped - 5 lines]
>
> fingerprint = hashFunction(dataToEncrypt, key);

  This is strange, because message digests do not have keys.

> what is the java function comparable to this?  i looked at
> MessageDigest as well as Signature, but i don't really understand how
> they work, and none have any sorts of functions that take a piece of
> data and a key as parameters.  am i totally barking up the wrong tree?

  You need something like this:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Md5Demo {
   public static void main(String[] args) {
      MessageDigest mesdig;
      try {
         mesdig=MessageDigest.getInstance("MD5");
      } catch (NoSuchAlgorithmException a) {
         System.err.println("No MD5: "+a);
         return;
      }

      // mesdig is now a fresh MD5 instance, ready for data.
      mesdig.update((byte)'a');
      mesdig.update((byte)'b');
      mesdig.update((byte)'c');
      mesdig.update((byte)'\n');

      // That's all the data. Now let it calculate the hash.
      byte[] result=mesdig.digest();

      // Print the result in hex, high nibble first.
      for (int jj=0; jj<result.length; ++jj) {
         System.out.print("0123456789ABCDEF".charAt((result[jj]>>4) & 0x0F));
         System.out.print("0123456789ABCDEF".charAt(result[jj] & 0x0F));
      }
      System.out.println();
   }
}

  This prints out 0BEE89B07A248E27C83FC3D5951213C1, which agrees with
the output of the Linux md5sum command:
   [maa@orion maa]$ echo abc|md5sum
   0bee89b07a248e27c83fc3d5951213c1  -

--Mike Amling
Michel Gallant - 21 Apr 2004 20:15 GMT
Here is the updated SHA1/MD5 hash applet; updated to include
display of the hash as both  hex and b64:
  http://www.jensign.com/JavaScience/www/messagedigestj2

- Mitch Gallant

> > hello,
> > i am experienced using java, but never had to look at the security
[quoted text clipped - 47 lines]
>
> --Mike Amling
Michael Amling - 22 Apr 2004 14:39 GMT
> Here is the updated SHA1/MD5 hash applet; updated to include
> display of the hash as both  hex and b64:
>    http://www.jensign.com/JavaScience/www/messagedigestj2

  On my system, that URL says "Click here after installing the plugin"
and pops up a window on the Sun website, which says

Page Not Found
We are sorry, the page you have requested was not found on our system.
Based upon the url that you requested, we would like to recommend pages
that match your requested url. If you prefer, you may navigate through
our site or use our search for your page.

If you are certain that this URL is valid, please send us feedback about
the broken link.
Your URL:
http://java.sun.com/products/plugin/1.4/plugin-install.html?application/x-java-applet;version=1.4


<<

  I presume that the cited "Your URL" is from some version of
JavaPlugin on your server, but if the "Your URL" is something that you
coded, it may need to be updated.

--Mike Amling
Michel Gallant - 22 Apr 2004 20:26 GMT
Thanks Michael. I have been going through updating some of the
JavaPlugin signatures so I am sure there are a lot more of these problems
lurking ...
btw, what versions of JavaPlugin did you have when you hit that page?
- Mitch

> > Here is the updated SHA1/MD5 hash applet; updated to include
> > display of the hash as both  hex and b64:
[quoted text clipped - 21 lines]
>
> --Mike Amling
Michael Amling - 23 Apr 2004 04:07 GMT
> Thanks Michael. I have been going through updating some of the
> JavaPlugin signatures so I am sure there are a lot more of these problems
> lurking ...
> btw, what versions of JavaPlugin did you have when you hit that page?
> - Mitch

  I don't think I have any version of JavaPlugin, which I presume is
the reason I got a blank box saying "Click here after installing the
plugin".

--Mike Amling
Pat Farrell - 22 Apr 2004 04:54 GMT
>> fingerprint = hashFunction(dataToEncrypt, key);
>   This is strange, because message digests do not have keys.

They are clearly trying to do some sort of HMAC,
hashed message authentication code, using MD5.
No modern software should do this, and
the HMAC standards say to use

 hash(   secret + data + secret )

Pat   http://www.pfarrell.com/prc/
JK - 22 Apr 2004 09:56 GMT
AFAIK, HMAC defines

  hash(outer_secret + hash(data + inner_secret)).

Karen: Try using javax.crypto.Mac. For more documentation, see
http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#Mac

JK.

>>>fingerprint = hashFunction(dataToEncrypt, key);
>>
[quoted text clipped - 8 lines]
>
> Pat   http://www.pfarrell.com/prc/
Michael Amling - 22 Apr 2004 14:48 GMT
>>>fingerprint = hashFunction(dataToEncrypt, key);
>>
[quoted text clipped - 6 lines]
>
>   hash(   secret + data + secret )

  HMAC is hash(secret XOR outerpad, hash(secret XOR innerpad, data)),
where comma denotes concatenation. hash(secret+data+secret) may be some
kind of MAC, but it's not HMAC.

  See RFC 2104, which is available, among other places, at
ftp://ftp.rfc-editor.org/in-notes/rfc2104.txt. The original HMAC and
NMAC paper, available at
http://www.cse.ucsd.edu/users/mihir/papers/hmac.html, also has
background and motivations.

--Mike Amling
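
Added example (not part of any post in this thread): the keyed "fingerprint" computed with javax.crypto.Mac, as JK suggests, next to the RFC 2104 construction written out with MessageDigest, with hash(secret+data+secret) printed for contrast. The class name HmacMd5Demo, the helper names and the sample key and message are constructed for illustration; whether a particular gateway's fingerprint is HMAC-MD5 has to be confirmed from its documentation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacMd5Demo {
    static final int BLOCK = 64; // MD5 input block size in bytes

    // HMAC-MD5 through the JCE (javax.crypto.Mac).
    static byte[] jceHmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(key, "HmacMD5"));
        return mac.doFinal(data);
    }

    // RFC 2104 spelled out: H((K xor opad) || H((K xor ipad) || data)).
    static byte[] manualHmac(byte[] key, byte[] data) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        if (key.length > BLOCK) key = md5.digest(key); // long keys are hashed first
        byte[] k = Arrays.copyOf(key, BLOCK);           // then zero-padded to one block
        byte[] ipad = new byte[BLOCK], opad = new byte[BLOCK];
        for (int i = 0; i < BLOCK; i++) {
            ipad[i] = (byte) (k[i] ^ 0x36);
            opad[i] = (byte) (k[i] ^ 0x5c);
        }
        md5.update(ipad);
        byte[] inner = md5.digest(data);                // inner hash; digest() resets md5
        md5.update(opad);
        return md5.digest(inner);                       // outer hash
    }

    static String hex(byte[] b) {
        return String.format("%032x", new java.math.BigInteger(1, b));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                      // constructed sample key
        Arrays.fill(key, (byte) 0x0b);
        byte[] data = "Hi There".getBytes(StandardCharsets.US_ASCII); // constructed sample message
        byte[] a = jceHmac(key, data), b = manualHmac(key, data);
        System.out.println("Mac(HmacMD5):             " + hex(a));
        System.out.println("RFC 2104 by hand:         " + hex(b));
        // MessageDigest.isEqual compares MAC values in constant time.
        System.out.println("equal:                    " + MessageDigest.isEqual(a, b));
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(key);
        md5.update(data);
        System.out.println("hash(secret+data+secret): " + hex(md5.digest(key)));
    }
}
```

When checking a fingerprint received from the other party, compare the raw bytes with MessageDigest.isEqual as above rather than comparing hex strings with equals().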

