...
```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public final class Password {
  private final SecureRandom random = new SecureRandom();

  private void setPassword(String pass) throws Exception {
    // Generate a fresh 12-byte random salt for this password
    byte[] salt = generateSalt(12);
    MessageDigest msgDigest = MessageDigest.getInstance("SHA-256");
    // Hash the salt followed by the password bytes. (Concatenating pass+salt
    // as Strings would hash the array's toString(), e.g. "[B@1b6d3586",
    // not the salt itself.)
    msgDigest.update(salt);
    byte[] hashVal = msgDigest.digest(pass.getBytes(StandardCharsets.UTF_8));
    saveBytes(salt, "salt.bin");
    // Save the hash value to password.bin
    saveBytes(hashVal, "password.bin");
  }

  boolean checkPassword(String pass) throws Exception {
    byte[] salt = loadBytes("salt.bin");
    MessageDigest msgDigest = MessageDigest.getInstance("SHA-256");
    // Recompute the hash of the stored salt and the candidate password
    msgDigest.update(salt);
    byte[] hashVal1 = msgDigest.digest(pass.getBytes(StandardCharsets.UTF_8));
    // Load the hash value stored in password.bin
    byte[] hashVal2 = loadBytes("password.bin");
    // Constant-time comparison; Arrays.equals() returns at the first
    // mismatching byte and leaks timing information
    return MessageDigest.isEqual(hashVal1, hashVal2);
  }

  private byte[] generateSalt(int n) {
    // Generate a random byte array of length n
    byte[] salt = new byte[n];
    random.nextBytes(salt);
    return salt;
  }

  private static void saveBytes(byte[] data, String fileName) throws IOException {
    Files.write(Paths.get(fileName), data);
  }

  private static byte[] loadBytes(String fileName) throws IOException {
    return Files.readAllBytes(Paths.get(fileName));
  }
}
```
Even when an attacker knows that the program stores passwords using SHA-256 and a 12-byte salt, they cannot recover the password from password.bin and salt.bin by looking the stored hash up in a precomputed table: the random salt makes every stored hash unique, so the attacker must hash each guess against that specific salt. Note that this does not make the password unguessable; SHA-256 is fast, so a weak password can still be found by offline dictionary or brute-force guessing, which is why a deliberately slow key-derivation function is preferred over a single hash in practice.
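The following is an added example (not part of the CERT standard's own code) that shows the attacker's side of this argument. It assumes a hypothetical `SaltDemo` class and a constructed six-word dictionary standing in for a real wordlist: with unsalted SHA-256, one precomputed table cracks every user who chose a dictionary word, and identical passwords are visible as identical hashes; with a per-user salt as in `Password` above, the table yields nothing and the attacker has to recompute the dictionary for every salt.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public final class SaltDemo {
  // Constructed, deliberately tiny cracking dictionary for the demonstration
  private static final String[] DICTIONARY = {
      "123456", "password", "letmein", "qwerty", "hunter2", "correcthorse"};

  // SHA-256 over (salt || password); salt == null gives the unsalted hash
  static byte[] sha256(byte[] salt, String pass) throws NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    if (salt != null) {
      md.update(salt);
    }
    return md.digest(pass.getBytes(StandardCharsets.UTF_8));
  }

  // Attacker's precomputed table: unsalted SHA-256 -> password, built once
  static Map<String, String> buildTable() throws NoSuchAlgorithmException {
    Map<String, String> table = new HashMap<>();
    for (String word : DICTIONARY) {
      table.put(hex(sha256(null, word)), word);
    }
    return table;
  }

  // One table probe per stolen hash, however many users there are
  static String tableLookup(Map<String, String> table, byte[] storedHash) {
    return table.get(hex(storedHash));
  }

  // With a salt the table is useless: the whole dictionary must be rehashed
  // under this particular salt to attack this particular user
  static String saltedGuess(byte[] salt, byte[] storedHash) throws NoSuchAlgorithmException {
    for (String word : DICTIONARY) {
      if (MessageDigest.isEqual(sha256(salt, word), storedHash)) {
        return word;
      }
    }
    return null;
  }

  static String hex(byte[] b) {
    StringBuilder sb = new StringBuilder();
    for (byte x : b) {
      sb.append(String.format("%02x", x));
    }
    return sb.toString();
  }

  public static void main(String[] args) throws Exception {
    SecureRandom rng = new SecureRandom();
    // Constructed scenario: two users who happen to share a weak password
    String alicePw = "hunter2";
    String bobPw = "hunter2";

    // Unsalted storage: identical passwords give identical hashes, and a
    // single precomputed table recovers both
    byte[] aliceUnsalted = sha256(null, alicePw);
    byte[] bobUnsalted = sha256(null, bobPw);
    Map<String, String> table = buildTable();
    System.out.println("unsalted hashes equal: " + Arrays.equals(aliceUnsalted, bobUnsalted));
    System.out.println("table lookup alice:    " + tableLookup(table, aliceUnsalted));
    System.out.println("table lookup bob:      " + tableLookup(table, bobUnsalted));

    // Salted storage as in the Password class: distinct 12-byte salts give
    // distinct hashes, and the precomputed table finds nothing
    byte[] aliceSalt = new byte[12];
    byte[] bobSalt = new byte[12];
    rng.nextBytes(aliceSalt);
    rng.nextBytes(bobSalt);
    byte[] aliceSalted = sha256(aliceSalt, alicePw);
    byte[] bobSalted = sha256(bobSalt, bobPw);
    System.out.println("salted hashes equal:   " + Arrays.equals(aliceSalted, bobSalted));
    System.out.println("table lookup (salted): " + tableLookup(table, aliceSalted));

    // What remains is per-salt guessing: DICTIONARY.length hashes per user.
    // A fast hash keeps that cheap, which is the argument for a slow KDF.
    System.out.println("per-salt guess alice:  " + saltedGuess(aliceSalt, aliceSalted));
  }
}
```

Run it with `javac SaltDemo.java && java SaltDemo`. The unsalted lookups print `hunter2` for both users and report equal hashes; the salted lookups report unequal hashes and `null` from the table, while `saltedGuess` still recovers `hunter2` because a six-word dictionary under SHA-256 costs the attacker almost nothing to rehash.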
...