Created
March 9, 2017 18:04
-
-
Save drem-darios/4ca5ba1580a1e3d2eb22790bea342dc7 to your computer and use it in GitHub Desktop.
Salt and Signature Java example. This is an example of how someone can do simple one way encryption so they don't have to store passwords in plaintext files. This is still vulnerable in other ways(such as dictionary attacks) but it better than nothing. To test this code, run 'mvn clean install' then run 'java -cp target/salt-signature-security-j…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | |
| <modelVersion>4.0.0</modelVersion> | |
| <groupId>com.drem.security</groupId> | |
| <artifactId>util</artifactId> | |
| <version>0.0.1-SNAPSHOT</version> | |
| <packaging>jar</packaging> | |
| <name>util</name> | |
| <url>http://maven.apache.org</url> | |
| <properties> | |
| <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> | |
| </properties> | |
| <dependencies> | |
| <dependency> | |
| <groupId>junit</groupId> | |
| <artifactId>junit</artifactId> | |
| <version>4.12</version> | |
| <scope>test</scope> | |
| </dependency> | |
| <dependency> | |
| <groupId>org.apache.commons</groupId> | |
| <artifactId>commons-lang3</artifactId> | |
| <version>3.0</version> | |
| </dependency> | |
| </dependencies> | |
| <build> | |
| <finalName>salt-signature-security</finalName> | |
| <plugins> | |
| <!-- any other plugins --> | |
| <plugin> | |
| <artifactId>maven-assembly-plugin</artifactId> | |
| <executions> | |
| <execution> | |
| <phase>package</phase> | |
| <goals> | |
| <goal>single</goal> | |
| </goals> | |
| </execution> | |
| </executions> | |
| <configuration> | |
| <descriptorRefs> | |
| <descriptorRef>jar-with-dependencies</descriptorRef> | |
| </descriptorRefs> | |
| <archive> | |
| <addMavenDescriptor>false</addMavenDescriptor> | |
| </archive> | |
| </configuration> | |
| </plugin> | |
| </plugins> | |
| </build> | |
| </project> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.drem.security.util; | |
| import java.io.FileNotFoundException; | |
| import java.io.IOException; | |
| import java.io.InputStream; | |
| import java.io.UnsupportedEncodingException; | |
| import java.security.GeneralSecurityException; | |
| import java.security.SecureRandom; | |
| import java.util.Properties; | |
| import java.util.Random; | |
| import javax.crypto.Mac; | |
| import javax.crypto.spec.SecretKeySpec; | |
| import org.apache.commons.lang3.StringUtils; | |
| import java.util.Base64; | |
| /** | |
| * @author drem | |
| */ | |
| public class SaltSignatureGenerator { | |
| private static final Random RANDOM = new SecureRandom(); | |
| public static void main(String[] args) throws GeneralSecurityException, IOException { | |
| if(args.length <= 1) { | |
| System.out.println("Usage : SaltSignatureGenerator <username> <password>"); | |
| System.out.println("i.e. SaltSignatureGenerator user1 abc123"); | |
| System.exit(1); | |
| } | |
| String salt = getSalt(args[0].toString()); | |
| System.out.println("Salt is :" + salt); | |
| String signature = getSignature(args[0].toString()); | |
| System.out.println("Signature is : " + signature); | |
| verifyUser(salt, signature, args[1].toString()); | |
| } | |
| /** | |
| * This method will generate random salt. | |
| * | |
| * @return | |
| * @throws GeneralSecurityException | |
| * @throws IOException | |
| */ | |
| public static String generateSalt() throws GeneralSecurityException, IOException | |
| { | |
| byte[] salt = new byte[16]; | |
| RANDOM.nextBytes(salt); | |
| return new String(Base64.getEncoder().encode(salt)); | |
| } | |
| /** | |
| * This method will generate random signature on providing salt and secretkey. | |
| * | |
| * @param salt | |
| * @param secretkey | |
| * @return | |
| * @throws GeneralSecurityException | |
| * @throws IOException | |
| */ | |
| public static String generateSignature(String salt, String secretkey) throws GeneralSecurityException, IOException | |
| { | |
| if(StringUtils.isEmpty(salt)) | |
| salt = getPropertyValue("security.properties", "salt"); | |
| if(StringUtils.isEmpty(secretkey)) | |
| secretkey = getPropertyValue("security.properties", "secretkey"); | |
| String signature = generateHmacSHA256Signature(salt, secretkey); | |
| return signature; | |
| } | |
| public static String getSalt(String user) throws IOException { | |
| return getPropertyValue("security.properties", user + ".salt"); | |
| } | |
| public static String getSignature(String user) throws IOException { | |
| return getPropertyValue("security.properties", user + ".signature"); | |
| } | |
| /** | |
| * Util method to get property value from file if value is not provided. | |
| * | |
| * @param propFileName | |
| * @param propertyName | |
| * @return | |
| * @throws IOException | |
| */ | |
| public static String getPropertyValue(String propFileName, String propertyName) throws IOException | |
| { | |
| String propValue = ""; | |
| Properties prop = new Properties(); | |
| InputStream inStream = SaltSignatureGenerator.class.getClassLoader().getResourceAsStream(propFileName); | |
| if(inStream != null) { | |
| prop.load(inStream); | |
| } else { | |
| throw new FileNotFoundException("Property File " + propFileName + "not found in classpath."); | |
| } | |
| propValue = (String) prop.get(propertyName); | |
| return propValue; | |
| } | |
| /** | |
| * Generating signature. | |
| * | |
| * @param salt | |
| * @param secretkey | |
| * @return | |
| * @throws GeneralSecurityException | |
| */ | |
| public static String generateHmacSHA256Signature(String salt, String secretkey) throws GeneralSecurityException { | |
| byte[] hmacData = null; | |
| try { | |
| SecretKeySpec secretKey = new SecretKeySpec(secretkey.getBytes("UTF-8"), "HmacSHA256"); | |
| Mac mac = Mac.getInstance("HmacSHA256"); | |
| mac.init(secretKey); | |
| hmacData = mac.doFinal(salt.getBytes("UTF-8")); | |
| return new String(Base64.getEncoder().encode(hmacData)); | |
| } catch (UnsupportedEncodingException e) { | |
| throw new GeneralSecurityException(e); | |
| } | |
| } | |
| /** | |
| * This method will be used for verify restful call. | |
| * | |
| * @param salt | |
| * @param signature | |
| * @param key | |
| * @return | |
| * @throws GeneralSecurityException | |
| * @throws IOException | |
| */ | |
| public static boolean verifyUser(String salt, String signature, String password) throws GeneralSecurityException, IOException { | |
| { | |
| boolean verfied = false; | |
| String generatedSignature = generateSignature(salt, password); | |
| verfied = signature.equals(generatedSignature); | |
| System.out.println("Signature are equal :" + verfied); | |
| return verfied; | |
| } | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user1.salt=vbTFg3txCuCI/82Esuh78g== | |
| user1.signature=QhghgAfkvsI3T9OQahdmyEq+JeH+BbzDOyJlrRGmG0Y= |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment