Java Forum / Security / July 2004
Java Mac behavior between JDK 1.3 and 1.4

Nash Rack - 24 Jul 2004 18:40 GMT
This small program prints the same output every time I run it using JDK 1.3
and jce1_2-do.jar.

But when I run it using JDK 1.4, it prints different values every time
I run it. Has the behavior of the Mac class changed in 1.4? How can I make
it print the same value in 1.4 also?

import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class t1 {

    public static void main(String[] args) {
        try {
            String ctext = "message";

            // The original instantiated com.sun.crypto.provider.SunJCE directly and
            // called Security.addProvider(), which was needed on JDK 1.3 with the
            // separate JCE jar. On 1.4 and later SunJCE is already registered, and
            // that package is not accessible on JDK 9+, so look it up by name instead.
            Provider sunJce = Security.getProvider("SunJCE");

            // generateKey() produces a fresh, random HMAC-MD5 key on every run.
            KeyGenerator kg = KeyGenerator.getInstance("HmacMD5", sunJce.getName());
            SecretKey sk = kg.generateKey();

            Mac mac = Mac.getInstance("HmacMD5", sunJce.getName());

            byte[] b1 = sk.getEncoded();   // raw key bytes; unused in the original, kept for debugging
            mac.init(sk);

            // Specify the charset: getBytes() without one depends on the platform default.
            byte[] bmac = mac.doFinal(ctext.getBytes(StandardCharsets.UTF_8));

            // The original used sun.misc.BASE64Encoder; java.util.Base64 is the public equivalent.
            System.out.println("string " + Base64.getEncoder().encodeToString(bmac));
        } catch (Exception e) {
            System.err.println("excp: " + e.getMessage());
            e.printStackTrace();
        }
    }

}
Michael Amling - 24 Jul 2004 19:11 GMT
> This small program prints the same output every time I run it using JDK 1.3
> and jce1_2-do.jar.
[quoted text clipped - 22 lines]
>
>                 javax.crypto.SecretKey sk = kg.generateKey();

  Does this generate a fresh, random, secret key? If so, how did you
get the same output twice with Java 1.3?

>                 Mac mac = Mac.getInstance("HmacMD5",
> sunJce.getName());
>
>                 byte[] b1 = sk.getEncoded();

  Is b1 the 128-bit HMAC-MD5 secret key? Is it ever the same twice?

>                 mac.init(sk);
>
[quoted text clipped - 9 lines]
>
> }

--Mike Amling
Nash Rack - 25 Jul 2004 05:05 GMT
> Does this generate a fresh, random, secret key? If so, how did you
> get the same output twice with Java 1.3?

I'm not an expert in these classes, but it does print the same output
every time with JDK 1.3. In fact, this code is being used to generate
hashed passwords for our application users, and the users are able to
log in successfully every time. Now that we're upgrading to 1.4, this
issue has come up. No user is able to log in successfully. Is HmacMD5
even the correct thing to use to generate hashed passwords for users?

> Does this generate a fresh, random, secret key? If so, how did you
> get the same output twice with Java 1.3?

I added some debugging messages for testing with 1.3 and found that it
generates a different key every time, and still the output from
mac.doFinal is the same every time.

Thanks,
Nash.
Chris - 25 Jul 2004 17:24 GMT
>> Does this generate a fresh, random, secret key? If so, how did you
>> get the same output twice with Java 1.3?
[quoted text clipped - 16 lines]
> Thanks,
> Nash.

Hi,
That sounds like a serious bug in 1.3. With different keys, the output
of the Mac *should* be different. If you are simply trying to use
hashed passwords to avoid storing the passwords in plaintext, use
java.security.MessageDigest with an algorithm such as "SHA-1".
MessageDigests don't use keys, so they'll return the same hash value
each time. If you were to use a Mac, you'd need to store the key
somewhere, as well as the output, so that you could use the same key
later when MAC-ing the password the user typed in.

Chris
Michael Amling - 25 Jul 2004 20:13 GMT
>>Does this generate a fresh, random, secret key? If so, how did you
>>get the same output twice with Java 1.3?
[quoted text clipped - 5 lines]
> issue has come up. No user is able to login successfully. Is HmacMD5
> even the correct thing to use to generate hashed passwords for users?

  You're much better off using SRP, certainly if this login is
occurring across an unencrypted channel. See
http://srp.stanford.edu/design.html. Also, SRP only needs a hash, such
as java.security.MessageDigest("MD5"), and BigInteger, not the JCE or a
JCE provider.

>>Does this generate a fresh, random, secret key? If so, how did you
>>get the same output twice with Java 1.3?
>
> I added some debugging messages for testing with 1.3 and found that it
> generates a different key every time, and still the output from
> mac.doFinal is the same every time.

  For a correct implementation of HMAC (or any other MAC), the output
would vary with the secret key.

--Mike Amling
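Both Chris's reply (a Mac's output must change with the key, and a keyed scheme has to store the key next to the tag) and Mike's last point (a correct HMAC varies with the secret key) are easy to see in working code. The program below is an added example, not code from the thread or from any of its posters. It uses HmacSHA256 rather than the thread's HmacMD5 (my choice; the behaviour shown is identical, only the tag length differs), and it stands in an in-memory Base64 string for whatever store the application would really persist the key and tag in. When run, the first comparison (two fresh keys, same message) reports unequal tags, the second (one key used twice) reports equal tags, and the enrolment/login round trip accepts the right password and rejects a different one.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the thread): how a correctly behaving Mac
 * depends on its key, and the pattern the thread's program was missing,
 * namely generate the key once, persist it, and reload that same key at
 * every verification.
 */
public class MacKeyDemo {

    // HmacSHA256 is an assumption of this example; the thread used HmacMD5.
    private static final String ALG = "HmacSHA256";

    /** HMAC of a UTF-8 message under a raw key. */
    static byte[] hmac(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    /** Called once at enrolment: a fresh random key that must be stored with the tag. */
    static byte[] newKey() throws Exception {
        return KeyGenerator.getInstance(ALG).generateKey().getEncoded();
    }

    /** Login-time check. MessageDigest.isEqual compares in constant time; Arrays.equals leaks timing. */
    static boolean verify(byte[] storedKey, byte[] storedTag, String candidate) throws Exception {
        return MessageDigest.isEqual(storedTag, hmac(storedKey, candidate));
    }

    public static void main(String[] args) throws Exception {
        String password = "message";   // constructed sample input, same as the thread's ctext

        // 1. What the thread's program does: a new random key on every run,
        //    so the tag for the same message changes on every run.
        byte[] t1 = hmac(newKey(), password);
        byte[] t2 = hmac(newKey(), password);
        System.out.println("two fresh keys, same message, tags equal: " + Arrays.equals(t1, t2));

        // 2. The same key twice: a Mac is a deterministic function of (key, message).
        byte[] key = newKey();
        System.out.println("one key used twice, tags equal: "
                + Arrays.equals(hmac(key, password), hmac(key, password)));

        // 3. Enrolment: persist the key as well as the tag. Base64 strings stand in
        //    for the database column or keystore the application would really use.
        String storedKeyB64 = Base64.getEncoder().encodeToString(key);
        String storedTagB64 = Base64.getEncoder().encodeToString(hmac(key, password));

        // 4. Login, possibly in a different JVM or after a JDK upgrade: reload the
        //    stored key, recompute the tag over what the user typed, and compare.
        byte[] reloadedKey = Base64.getDecoder().decode(storedKeyB64);
        byte[] reloadedTag = Base64.getDecoder().decode(storedTagB64);
        System.out.println("correct password accepted: " + verify(reloadedKey, reloadedTag, "message"));
        System.out.println("wrong password rejected:   " + !verify(reloadedKey, reloadedTag, "Message"));
    }
}
```

Run it with `javac MacKeyDemo.java && java MacKeyDemo`. Two design points worth noting beyond the thread: the stored key is a secret that needs the same protection as the password store itself, which is why Chris's keyless MessageDigest route is simpler to operate; and, as a caveat of my own rather than anything the posters said, a bare fast hash such as SHA-1 over a password is weak against offline guessing, so current practice is a salted, iterated construction (in the JDK, SecretKeyFactory with "PBKDF2WithHmacSHA256"), which is deterministic for a given salt in exactly the way this thread needed.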


©2008 Advenet LLC