Re: Converting a JAVA SHA1 Encryption Scheme
From: Joel Register (_jregist_at_hotmail.com)
Date: 07/11/03
- In reply to: Sébastien Pouliot: "Re: Converting a JAVA SHA1 Encryption Scheme"
Date: Fri, 11 Jul 2003 13:31:25 -0700
Sebastien
Thanks for the reply. I also noticed that HMACSHA1 object
but don't see how it is used to reproduce the
functionality of the java code. Could you provide a bit
more detail about how this object is used to apply the
padding characters and store the resulting hash values?
Thanks for your help!
Joel
>-----Original Message-----
>Joel,
>
>From the 0x36 and 0x5C padding I guess that you're looking at a HMAC SHA1
>(which seems confirmed by the HMACArrays class in the source code).
>If so then you're in luck because the .NET framework includes a HMACSHA1
>class.
>
>Sebastien Pouliot
>Security Architect, Motus Technologies, http://www.motus.com/
>work: spouliot@motus.com
>home: spouliot@videotron.ca
>
>
>"Joel Register" <_jregist@hotmail.com> wrote in message
>news:0b6d01c34719$ee6f6c60$a001280a@phx.gbl...
>> I'm having a problem understanding how to convert one
>> piece of a Java encryption scheme that uses SHA1. You can
>> find the full Java code used in this application at
>> http://www.developer.employease.com/ under OpenAPITools | Single Sign-on.
>> (The relevant class is called TrustedHostToken.java, and it's under
>> sso_sdk_java\src\com\eease\tha.)
>>
>> Basically, this custom scheme does a SHA1 hash of a secret
>> key, knots this value with a particular byte character
>> (0x36). Then it does a second SHA1 hash of some additional
>> information (sender's username, company, IP address) along
>> with the result of the first hash and then knots this with
>> a second byte value (0x5c). Or something like that. I'm
>> trying to reproduce this code in .Net so that I can
>> implement this SSO functionality on our Intranet.
>>
>> I've never used Java, so I apologize if this is unclear or
>> inaccurate. Here's the relevant Java code:
>>
>> **********************************************************
>> **********************************************************
>> /**
>>  * Performs the actual work of computing a digest.
>>  *
>>  * @param arByKey a byte array containing the secret key.
>>  * @return the String digest in the form of a 40-digit hexadecimal value.
>>  */
>> private String createDigest (byte[] arByKey)
>> {
>>     byte[] arByDigest;
>>     String stText = _stPartnerId + DELIMITER + _stIP + DELIMITER + _stUsername;
>>     HMACArrays oArrays = new HMACArrays (arByKey);
>>     MessageDigest oDigest;
>>
>>     try
>>     {
>>         oDigest = MessageDigest.getInstance (ALGORITHM);
>>
>>         // inner hash
>>         oDigest.update (oArrays._arByInner);
>>         arByDigest = oDigest.digest (stText.getBytes ());
>>
>>         // outer hash
>>         oDigest.reset ();
>>         oDigest.update (oArrays._arByOuter);
>>         arByDigest = oDigest.digest (arByDigest);
>>
>>         return Bytes.bytesToHex (arByDigest);
>>     }
>>     catch (NoSuchAlgorithmException eAlgorithm)
>>     {
>>         throw new RuntimeException (eAlgorithm.toString ());
>>     }
>> }
>>
>> /**
>>  * Validates the given digest against this token.
>>  *
>>  * @param stDigest the String digest to validate
>>  * @return boolean indicating whether or not the digest is valid.
>>  */
>> public boolean validateDigest (String stDigest)
>> {
>>     return (_stDigest != null && _stDigest.equals (stDigest));
>> }
>>
>> /**
>>  * Utility class to compute inner and outer arrays used for generating
>>  * the digest.
>>  */
>> private static class HMACArrays
>> {
>>     byte[] _arByInner;
>>     byte[] _arByOuter;
>>
>>     HMACArrays (byte[] arByKey)
>>     {
>>         int i;
>>
>>         _arByInner = new byte[arByKey.length];
>>         _arByOuter = new byte[arByKey.length];
>>
>>         for (i = 0; i < arByKey.length; i++)
>>         {
>>             _arByInner[i] = (byte)(arByKey[i] ^ IPAD_BYTE);
>>             _arByOuter[i] = (byte)(arByKey[i] ^ OPAD_BYTE);
>>         }
>>     }
>> }
>>
>> *********************************************************
>> *********************************************************
>>
>> If anyone can help with this, I'd like to better
>> understand what's happening inside the Try Catch loop,
>> specifically how to reproduce this functionality using the
>> SHA1Managed class of the Framework (or even if that's the
>> best option to use).
>>
>> Sorry for the long post. I've never worked with Java and
>> only began looking at the Security classes of the
>> Framework yesterday, so this is all quite new (and
>> awkward) for me.
>>
>> Thanks for any help.
>>
>> Joel
>>
>>
>
>
>.
>
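
The construction in the quoted Java, written out in C# next to the framework's HMACSHA1, as an added example that is not part of the original thread or the SDK. It assumes IPAD_BYTE = 0x36 and OPAD_BYTE = 0x5C (the values named in the thread), SHA-1 for ALGORITHM, UTF-8 for the text bytes (Java's getBytes() uses the platform default), a constructed "|" delimiter and sample fields, and .NET 5 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class TrustedHostDigestDemo
{
    // Assumed values: the thread names 0x36 and 0x5C; the SDK's constants are not shown.
    const byte IpadByte = 0x36, OpadByte = 0x5C;

    static byte[] Xor(byte[] key, byte pad) => key.Select(b => (byte)(b ^ pad)).ToArray();

    // Mirrors the quoted createDigest: SHA1((key ^ opad) || SHA1((key ^ ipad) || text)).
    // The pads are only as long as the key; the key is NOT extended to SHA-1's 64-byte block.
    static byte[] JavaStyleDigest(byte[] key, byte[] text)
    {
        using var sha1 = SHA1.Create();
        byte[] inner = sha1.ComputeHash(Xor(key, IpadByte).Concat(text).ToArray());
        return sha1.ComputeHash(Xor(key, OpadByte).Concat(inner).ToArray());
    }

    // Standard HMAC-SHA1 as implemented by the framework class.
    static byte[] FrameworkHmac(byte[] key, byte[] text)
    {
        using var hmac = new HMACSHA1(key);
        return hmac.ComputeHash(text);
    }

    static void Main()
    {
        // Constructed sample input; the real delimiter and field values come from the SDK.
        byte[] text = Encoding.UTF8.GetBytes("partner|10.0.0.1|jdoe");
        byte[] key64 = Enumerable.Range(0, 64).Select(i => (byte)i).ToArray();
        byte[] key20 = key64.Take(20).ToArray();

        // Key of exactly 64 bytes: both constructions produce the same digest.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(
            JavaStyleDigest(key64, text), FrameworkHmac(key64, text)));
        // Shorter key: HMACSHA1 zero-pads the key to 64 bytes first, so the digests differ.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(
            JavaStyleDigest(key20, text), FrameworkHmac(key20, text)));
        // 40-digit hex form, as the Javadoc describes (letter case is an assumption).
        Console.WriteLine(Convert.ToHexString(JavaStyleDigest(key20, text)).ToLowerInvariant());
    }
}
```

HMACSHA1 is a drop-in replacement only when the shared secret is exactly 64 bytes; for any other key length the two-pass SHA-1 above is what interoperates with the Java side. Comparing a received digest with FixedTimeEquals on the raw bytes avoids the timing difference of a plain string comparison like the one in validateDigest.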