Is hashing a password twice before storage any more or less secure than just hashing it once? What I’m talking about is doing this: $hashed_password = hash(hash($plaintext_password)); instead of just this: $hashed_password = hash($plaintext_password); If it is less secure, can you provide a good explanation (or a link to one)? Also, does the hash function … Read more
License keys are the defacto-standard as an anti-piracy measure. To be honest, this strikes me as (in)Security Through Obscurity, although I really have no idea how license keys are generated. What is a good (secure) example of license key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so, … Read more
I need to implement 256 bit AES encryption, but all the examples I have found online use a “KeyGenerator” to generate a 256 bit key, but I would like to use my own passkey. How can I create my own key? I have tried padding it out to 256 bits, but then I get an … Read more
I see a lot of confusion between hashes and encryption algorithms and I would like to hear some more expert advice about: When to use hashes vs encryptions What makes a hash or encryption algorithm different (from a theoretical/mathematical level) i.e. what makes hashes irreversible (without aid of a rainbow tree) Here are some similar … Read more
Every now and then I hear the advice “Use bcrypt for storing passwords in PHP, bcrypt rules”. But what is bcrypt? PHP doesn’t offer any such functions, Wikipedia babbles about a file-encryption utility and Web searches just reveal a few implementations of Blowfish in different languages. Now Blowfish is also available in PHP via mcrypt, … Read more
SHA-256 is a cryptographic (one-way) hash function, so there is no direct way to decode it. The entire purpose of a cryptographic hash function is that you can’t undo it. One thing you can do is a brute-force strategy, where you guess what was hashed, then hash it with the same function and see if … Read more
If you try to decrypt PKCS5-padded data with the wrong key, and then unpad it (which is done by the Cipher class automatically), you most likely will get the BadPaddingException (with probably of slightly less than 255/256, around 99.61%), because the padding has a special structure which is validated during unpad and very few keys … Read more
Once I have a list of providers, as described in JB Nizet’s post, I still don’t have a list of algorithms. I found that each Provider functions as a Properties object, and the Properties encode the algorithm names. I’m not entirely clear on if this is the correct way to look for them or not, … Read more
A simple way of doing this is to use Password Based Encryption in Java. This allows you to encrypt and decrypt a text by using a password. This basically means initializing a javax.crypto.Cipher with algorithm “AES/CBC/PKCS5Padding” and getting a key from javax.crypto.SecretKeyFactory with the “PBKDF2WithHmacSHA512” algorithm. Here is a code example (updated to replace the less secure MD5-based variant): import java.io.IOException; import java.io.UnsupportedEncodingException; … Read more
That my friend is an array of bytes. In JNI, [B is used to describe an array ([) of bytes (B). An array of ints is [I etc. You can get a bit more information on field descriptors here:JNI Types and Data Structures (Table 3-2 should be what you are looking for).
