Unable to do password validation with a Message Digest...
Posted By:   Cagan_Senturk
Posted On:   Tuesday, July 10, 2001 09:56 AM


I'm using JDK1.3, Weblogic6.0, Oracle8.1.6

I have a user database table where I keep the user login ids and the password message digests. I create the message digests so:

MessageDigest md = MessageDigest.getInstance("SHA");
md.update(userPassword.getBytes());
byte[] digest = md.digest(); // these are the bytes written to Oracle with setBytes()

I save the output of the md.digest() method above in the Oracle table using a prepared statement and by calling setBytes(index, byte[]) on it...

I have no problems so far...

The problem is when I try to authenticate a returning user...I take his/her input, get the corresponding message digest from the user table for that user, generate the digest of user's password input and if they match I'll authenticate...


I read the message digest from the database by using the getBytes() method of the ResultSet implementation (WebLogic)...


I use the MessageDigest.isEqual() method to see if the digests are equal...


The problem is even if the user inputs the correct password, the isEqual() method fails... I am suspecting the problem has something to do with byte-string conversion taking place between the app and Oracle but am not sure...



I would appreciate your help on this.



Thanks,

Cagan

Re: Unable to do password validation with a Message Digest...

Posted By:   Anonymous  
Posted On:   Wednesday, August 8, 2001 11:29 PM

I would do this as follows:

After you have obtained the digest bytes, you can either

  • convert it to hex digits
  • convert it to a base 64 string

Either of the above approaches will give you a string that your database will recognise as text! Easy to diagnose and no byte conversion problem at all.

Good luck!
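Putting the question and this reply together as an added example (not code from either poster): hash with an explicit charset, store the hex form with setString(), decode it again for a constant-time isEqual() comparison, and a helper that shows why raw digest bytes pushed through a String stop comparing equal. The class name DigestStore and the sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
public class DigestStore {
    // Hash with an explicit charset; getBytes() with no argument uses the platform default,
    // so the same password can hash differently on two JVMs. "SHA" is SHA-1, as on the page.
    static byte[] digest(String password) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA").digest(password.getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    // What to store with setString(): pure ASCII, so no charset conversion can alter it.
    static String storedValue(String password) throws NoSuchAlgorithmException {
        return toHex(digest(password));
    }

    // Login check: decode the stored text back to bytes and compare digests in constant time.
    static boolean verify(String attempt, String stored) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(digest(attempt), fromHex(stored));
    }

    // The failure mode the question suspects: raw digest bytes forced through a String
    // (a text column, or a default-charset conversion) lose every byte sequence that is
    // not a valid character, so isEqual() fails even when the password is right.
    static boolean survivesStringRoundTrip(byte[] raw) {
        byte[] back = new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(raw, back);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String stored = storedValue("correct horse");          // constructed sample password
        System.out.println("stored:   " + stored);
        System.out.println("base64:   " + Base64.getEncoder().encodeToString(digest("correct horse")));
        System.out.println("right pw: " + verify("correct horse", stored));
        System.out.println("wrong pw: " + verify("wrong horse", stored));
        System.out.println("raw bytes survive String round trip: " + survivesStringRoundTrip(digest("correct horse")));
    }
}
```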

    Re: Unable to do password validation with a Message Digest...

    Posted By:   Scott_Barstow
    Posted On:   Monday, August 6, 2001 08:19 AM

    I use the following methodology to accomplish what you are trying to do with an MD5 encryption:

    When the user is created, I take the user password as a string, encrypt it, then store it in Oracle encrypted. When the user logs in, I encrypt the password entered and compare it as to the value in the table. If they match, I authenticate the user.

    The query:

    // look the user up by username and the encoded password in one query
    PreparedStatement pst = conn.prepareStatement(
        "select * from user_table where username = ? and password = ?",
        ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

    pst.setString(1, username.toUpperCase());
    pst.setString(2, User.crypt(password));
    ResultSet rs = pst.executeQuery();


    The code for User.crypt():

    public static String crypt(String pw) {
        try {
            // Encryptor is the poster's own helper; it returns the MD5 digest as text
            return Encryptor.encrypt(pw.trim().toUpperCase()).trim().toUpperCase();
        } catch (Exception e) {
            // a missing algorithm must fail the login, not fall back to a fixed string
            throw new IllegalStateException("no such algorithm", e);
        }
    }


    Hope this helps a bit...