0

This question might be a duplicate, but so far I haven't seen any response that could solve my issue. I have this piece of Java code doing encryption with SHA-256:

public static String hashIt(String msg, String key) {

    MessageDigest m = null;
    String hashText = null;
    byte[] actualKeyBytes =  TripleDES.hexStringToBytes(key);
    try {
        m = MessageDigest.getInstance("SHA-256");
        m.update(actualKeyBytes, 0, actualKeyBytes.length);
        try {
            m.update(msg.getBytes("UTF-8"), 0, msg.length());
        } catch (UnsupportedEncodingException ex) {

        }
        hashText = TripleDES.bytesToHexString( m.digest() ); //new BigInteger(1, m.digest()).toString(16);

    } catch (NoSuchAlgorithmException ex) {

    }
    return hashText;
}

Using d38a5cd5 as key with "ewo10kalavanda" as the string to hash.

Utils.hashIt("ewo10kalavanda", "d38a5cd5");

I have the following output:

fc87c73012e11de3a57faabe4d852ce89ec3337504531c16

Using the same SHA256 in PHP:

hash_hmac('SHA256', "ewo10kalavanda", "d38a5cd5", $raw=false)

The output is 1839412f79b9e33c2f810650f79f23f46173792f885dd8d8c9633675e28e792f which does not match that of Java.

Is there anything done wrong here? Been on this for some hours now.

4
  • The line m.update(msg.getBytes("UTF-8"), 0, msg.length()); is buggy. Commented May 19, 2017 at 13:30
  • @glee8e why do you think it is buggy? Commented May 19, 2017 at 13:34
  • Please see my answer below. Commented May 19, 2017 at 13:35
  • It seems you really want a HMAC in both PHP and Java, not a do-it-yourself implementation. See Hash-based message authentication code Commented May 20, 2017 at 16:56

2 Answers

1

In your PHP code you used HMAC which is more than just hashing the string obtained by joining key and the message body. I found a diagram from Wikipedia which explains how HMAC-SHA1 works:

[Image: HMAC-SHA1 diagram]

I did manage to get a working version in Java:

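import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// JCA algorithm name for HMAC with SHA-256
private static final String HMAC_SHA256 = "HmacSHA256";

public static String hashIt(String msg, String key) {
    try {
        // The key is used as its UTF-8 string bytes, as PHP's hash_hmac does
        byte[] keyBytes = key.getBytes("UTF-8");
        SecretKeySpec spec = new SecretKeySpec(keyBytes, HMAC_SHA256);
        Mac mac = Mac.getInstance(HMAC_SHA256);
        mac.init(spec);
        // doFinal processes every byte of the encoded message
        return TripleDES.bytesToHexString(mac.doFinal(msg.getBytes("UTF-8")));
    } catch (UnsupportedEncodingException | NoSuchAlgorithmException | InvalidKeyException e) {
        throw new RuntimeException(e);
    }
}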

I still think there is something wrong with msg.length(). If you ever hash a two-byte character it will be buggy. I tested it and it's different. For example, try using your previous code to hash 111111錒 (message) and 1111 (key) and then use my previously suggested code to hash the same string. Your code outputs 81e385eb2bf89f7494a4b0927a4f5d4105450eb4a21152d53d52ddb9c08ed0e1 and my code outputs ef7f82833c865ef4d6089ba7dfbec8ad4f05b58e3fd77ca242c5fd7e7757d8b4.

That Chinese character is intended. It shows how the OP's code fails with two-byte characters. DO NOT REMOVE.

1 Comment

Your answer is the same as what I did here: byte[] actualKeyBytes = TripleDES.hexStringToBytes(key);
0

The other answer from glee8e should have got you a long way. But just to be sure, here is how to generate the output:

$k = hex2bin("d38a5cd5");
$m = "ewo10kalavanda";
$in = $k.$m;
$h = hash ("SHA256", $in);
print $h;

It would be a bit better to first encode to UTF-8, but I haven't got the right module installed:

$m = mb_convert_encoding("ewo10kalavanda", "UTF-8");

For the test string this of course doesn't matter, as long as the platform encoding is compatible with UTF-8 for the input characters.

That is, however, half of the answer: there is a reason why HMAC was defined, and the major reason is that hash functions on their own are not that secure for a keyed hash or Message Authentication Code (MAC). So the use of HMAC as in the PHP function should be preferred.

1 Comment

Whoa!! That worked perfectly and got the same hashed value output with Java. Thanks a lot. Two major points: The Hex2bin of the key and concatenation of key and password. Also using HASH instead of HASH_MAC . Thanks again.
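The three differences discussed in this thread (hex-decoded key versus key string, plain SHA-256 over key||message versus HMAC, and msg.length() versus the encoded byte length), side by side as an added example that is not code from either answer. The class name KeyedHashDemo and the helpers unhex, hex, prefixHash and hmac are hypothetical; unhex and hex stand in for the asker's TripleDES helpers, which the page does not show.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class KeyedHashDemo {
    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // The question's construction: SHA-256(key bytes || first msgLen bytes of the message).
    static String prefixHash(byte[] key, byte[] msg, int msgLen) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(key);
        md.update(msg, 0, msgLen);
        return hex(md.digest());
    }

    // What PHP's hash_hmac('SHA256', $msg, $key) computes: HMAC-SHA256 over the whole message.
    static String hmac(byte[] key, byte[] msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hex(mac.doFinal(msg));
    }

    public static void main(String[] args) throws Exception {
        String key = "d38a5cd5";
        byte[] msg = "ewo10kalavanda".getBytes(StandardCharsets.UTF_8);
        // Java side of the question: key hex-decoded to 4 bytes, plain SHA-256.
        System.out.println("sha256(unhex(key)||msg): " + prefixHash(unhex(key), msg, msg.length));
        // PHP side of the question: key used as the 8-character string, HMAC.
        System.out.println("hmac(key string, msg):   " + hmac(key.getBytes(StandardCharsets.UTF_8), msg));
        // String.length() counts UTF-16 chars, not bytes: the answer's test message
        // (six '1' characters plus U+9512) is 7 chars but 9 UTF-8 bytes.
        String s = "111111\u9512";
        byte[] sBytes = s.getBytes(StandardCharsets.UTF_8);
        System.out.println(s.length() + " chars, " + sBytes.length + " bytes");
        System.out.println("first 7 bytes hashed: " + prefixHash(unhex("1111"), sBytes, s.length()));
        System.out.println("all 9 bytes hashed:   " + prefixHash(unhex("1111"), sBytes, sBytes.length));
    }
}
```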
