Java开发网 » Java Security
Topic: I want to encrypt users' passwords before storing them in the database; how do I implement this?
bvw
Posts: 0    Points: 0
Posted 2003-01-08 16:44

I just want to encrypt the user's login password before storing it in the database, and then at login encrypt the entered password the same way and compare. How do I implement this, and what method should I use?

For example, suppose I have an encryption function:

    String Crypto(String s)
    {
        return cryptoMoon;
    }

If the input password is "password", the return value is "A0125AED8ABC888745DBBACC67EAF4301".
At the next login the password "password" is entered, the same method outputs "A0125AED8ABC888745DBBACC67EAF4301",
and that is compared with the value in the database: if they match the user is let through, otherwise it is an illegitimate user.

This is very easy to do in Visual Studio .NET, but I don't know how to do it in Java. Could an expert please advise?
Many thanks



Where is the problem? [Re:bvw]
menzy
Moderator
Posts: 754    Points: 113
Posted 2003-01-08 17:04

What is wrong with doing it that way? I can't see a problem.
If a direct comparison doesn't work, you can look up the encrypted password by username
and then try matching the other way round.



Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
bvw
Posts: 0    Points: 0
Posted 2003-01-08 17:11

What I'm asking is how to write this encryption function Crypto().


Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
menzy
Moderator
Posts: 754    Points: 113
Posted 2003-01-09 08:11

Someone else's code; have a look.

BeanTools.java.txt (3.64k)



Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:menzy]
bvw
Posts: 0    Points: 0
Posted 2003-01-09 10:17

menzy wrote:
Someone else's code; have a look.


Thanks. Is there a simple function in Java that does this? I don't need decryption, only encryption:
encrypt the password the user gives at registration and store it in the database, then at the next login encrypt the entered password the same way and compare it with what is in the database. That way only the user knows the password; even the system administrator cannot learn other people's passwords.



aaaaaa [Re:bvw]
bvw
Posts: 0    Points: 0
Posted 2003-01-09 10:20

In Visual Studio .NET this is a very simple matter; the following single line of code does it:

    using System.Web.Security;

    /// <summary>
    /// Hash a registration password
    /// </summary>
    /// <param name="pwd">the string to hash</param>
    /// <param name="pwdFormat">hash algorithm, "md5" or "sha1"</param>
    /// <returns>the upper-case hex digest, or null for an unknown format</returns>
    public static string EncryptPassword(string pwd, string pwdFormat)
    {
        if (pwdFormat == "md5")
        {
            return FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "md5");
        }
        else if (pwdFormat == "sha1")
        {
            // branch added so the method matches its own documentation; the original only handled "md5"
            return FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "sha1");
        }
        else
        {
            return null;
        }
    }

The return value is a 32-character string: 11D7F10830A3CC6C643DE677962D0F71
Input: bvwm, result: D7224DF37CEFB4BD5C27044E1501D7C2
As you can see, the result is always a 32-byte string.
I hope this can be implemented in Java the same way.



Also check javadoc for more info [Re:bvw]
floater
Java Jedi
Chief Moderator
Posts: 3233    Points: 421
Posted 2003-01-09 13:00

/**
 * This is the one-way hash using SHA1. See javadoc on the class to get
 * more methods.
 *
 * This also uses two internal classes from SUN for base 64 encoding. There is
 * another lib from HP too, but they are not officially in java lib and may not
 * be compatible in the future, use at your own risk.
 */
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
// Note: the post originally imported sun.misc.BASE64Encoder and sun.misc.BASE64Decoder.
// Those internal classes were removed in Java 9, so java.util.Base64 (Java 8+) is used here instead.

public class MessageDigestTesting
{
    /**
     * This method uses SHA1 to hash the input string and then output the base
     * 64 encoded string of the hashed string.
     * @param dataToHash the string to be hashed
     * @return the base 64 hashed string or null if SHA1 is not available.
     */
    public static String hashSHA1String(String dataToHash)
    {
        String tmp = null;

        try
        {
            // One-way hash. "SHA1" is an accepted alias of the standard name "SHA-1".
            MessageDigest md = MessageDigest.getInstance("SHA1");
            // Use an explicit charset: the platform default can differ between machines
            // and would then give different hashes for the same password.
            byte[] byteTmpe = md.digest(dataToHash.getBytes(StandardCharsets.UTF_8));

            // base 64 encoding
            tmp = Base64.getEncoder().encodeToString(byteTmpe);
        }
        catch (NoSuchAlgorithmException e)
        {
            // silence and return null
        }

        return tmp;
    }

    public static void main(String[] args)
    {
        String a = "abcdefg";
        String b = "abcdefghijk";
        String c = "abcdefg";

        String aa = hashSHA1String(a);
        String bb = hashSHA1String(b);
        String cc = hashSHA1String(c);

        System.out.println("aa==" + aa);
        System.out.println("bb==" + bb);
        System.out.println("cc==" + cc);
        System.out.println("check a==c: " + aa.equals(cc));
    }
}


Also, you need some kind of "salt" too; check Sun's website (do a search on password encryption). This is my testing code, I can't post production code, so you need to do a little bit more work on the salt.



"Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
- Martin Fowler, Refactoring - Improving the Design of Existing Code
Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
bvw
Posts: 0    Points: 0
Posted 2003-01-09 16:20

salt?
Sorry, my English is not very good; I don't understand what that means.
Thank you very much for your help.



Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
floater
Java Jedi
Chief Moderator
Posts: 3233    Points: 421
Posted 2003-01-10 03:08

/**
 * This is the one-way hash using SHA1. See javadoc on the class to get
 * more methods.
 * This also uses two internal classes from SUN for base 64 encoding. There is
 * another lib from HP too, but they are not officially in java lib and may not
 * be compatible in the future, use at your own risk.
 */
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
// Note: the post originally imported sun.misc.BASE64Encoder and sun.misc.BASE64Decoder.
// Those internal classes were removed in Java 9, so java.util.Base64 (Java 8+) is used here instead.

public class MessageDigestTesting
{
  /**
   * This method uses SHA1 to hash the input string and then output the base
   * 64 encoded string of the hashed string.
   * @param dataToHash the string to be hashed
   * @return the base 64 hashed string or null if SHA1 is not available.
   */
  public static String hashSHA1String(String dataToHash)
  {
    String tmp = null;
    /*
     * While this hashing prevents an attacker from reading the passwords in
     * clear text, the hashed passwords are still open to a so called dictionary
     * attack. The attacker compiles a database of common passwords and their
     * hash value and looks up the hash values. If he finds a match he knows
     * the corresponding password.
     * Even the designers of UNIX noticed this and added a field called "salt"
     * to the passwd file. The salt is a number that is prepended to the
     * password before the hash function is called.
     */
    // A fixed salt is enough to illustrate the mechanism. In a real system the salt is
    // generated randomly per user and stored next to the hash so it can be reused at login.
    String salt = "abcedefghijklmnopqrstuvwxyz";

    try
    {
      // One-way hash
      MessageDigest md = MessageDigest.getInstance("SHA1");
      md.update(salt.getBytes(StandardCharsets.UTF_8));
      byte[] byteTmpe = md.digest(dataToHash.getBytes(StandardCharsets.UTF_8));

      // base 64 encoding
      tmp = Base64.getEncoder().encodeToString(byteTmpe);
    }
    catch (NoSuchAlgorithmException e)
    {
      // silence and return null
    }

    return tmp;
  }

  /**
   * Use cases:
   * 1. In addition to salt, you should use iterations of the hash to protect
   * against brute force attacks on a single password.
   * 2. Unless you know this, ignore for now.
   * This one is safe:
   * com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher
   * This one is not safe:
   * PBEWithMD5AndDES
   * @param args
   */
  public static void main(String[] args)
  {
    String a = "abcdefg";
    String b = "abcdefghijk";
    String c = "abcdefg";
    String aa = hashSHA1String(a);
    String bb = hashSHA1String(b);
    String cc = hashSHA1String(c);
    String aaa = hashSHA1String(aa); // hash a twice
    System.out.println("aa==" + aa);
    System.out.println("bb==" + bb);
    System.out.println("cc==" + cc);
    System.out.println("aaa==" + aaa);
    System.out.println("check a==c: " + aa.equals(cc));
  }
}
Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
floater
Java Jedi
Chief Moderator
Posts: 3233    Points: 421
Posted 2003-01-10 03:15

See the post above.

Salt is something that makes attackers uncomfortable, like sand in the eyes :-)

Also, the number of iterations of hashing is used to make it harder to crack.

I don't have anything in Chinese, so you will have to read this English document from RSA.

Security is about the weakest link, i.e., if you do 99 things right and 1 thing wrong, it will blow up on you. In World War 2 the Germans made one simple mistake (they used the natural order of the alphabet, like abcd, instead of a random order, like dhkjnwer), and then the Polish and the British could crack their code to a certain degree. So beware.

pkcs5v2-0.pdf (142.3k)
floater's effort is commendable [Re:bvw]
menzy
Moderator
Posts: 754    Points: 113
Posted 2003-01-10 07:41

Bonus points awarded


Re: floater's effort is commendable [Re:menzy]
floater
Java Jedi
Chief Moderator
Posts: 3233    Points: 421
Posted 2003-01-10 08:05

menzy wrote:
Bonus points awarded


Hehe..., thanks a lot, menzy.
Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:floater]
snowbug
CJSDN Senior Member
Posts: 418    Points: 130
Posted 2003-01-11 04:41

floater wrote:
Also, the number of iterations of hashing is used to make it harder to crack.


Can you please explain this a little bit more? Thanks, floater.



Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:snowbug]
floater
Java Jedi
Chief Moderator
Posts: 3233    Points: 421
Posted 2003-01-11 05:12

snowbug wrote:
Can you please explain this a little bit more? Thanks, floater.

Sorry for the wording, I was in a bit of a rush.

Just hash it several times, like the String aaa in main() above.
For example, take a string A, hash it to get B, then hash it again to get C. So from A to C the number of iterations is 2. Varying this number would also make a dictionary attack harder, since the attacker needs to know how many times you hashed in order to build a dictionary.
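The pieces floater describes in this thread (a salt, an iteration count, and the PKCS #5 v2 document, which defines PBKDF2) come together in the following Java class. It is an added example for this page, not code posted in the thread. Instead of calling SHA-1 repeatedly by hand it uses the JDK's built-in PBKDF2WithHmacSHA256 (available since Java 8), generates a fresh random 16-byte salt per user with SecureRandom, stores the salt and the iteration count next to the hash in a record format made up for this example (pbkdf2-sha256$iterations$salt$hash), looks the record up by username at login as menzy suggested, and compares with MessageDigest.isEqual so the comparison time does not depend on how many bytes matched. The iteration count of 100,000 and the in-memory Map standing in for the users table are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    // Standard JCA algorithm name, present in every JDK since Java 8.
    private static final String KDF = "PBKDF2WithHmacSHA256";
    // Assumption for this example; tune so one hash costs tens of milliseconds on your server.
    private static final int ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Constructed stand-in for the "users" table: username -> stored record.
    private final Map<String, String> table = new HashMap<>();

    /** Runs PBKDF2-HMAC-SHA256 over the password with the given salt and iteration count. */
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }

    /** Builds "pbkdf2-sha256$iterations$base64(salt)$base64(hash)" with a fresh random salt. */
    public static String hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2-sha256$" + ITERATIONS + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(hash);
    }

    /** Recomputes the hash using the salt and iteration count stored in the record; constant-time compare. */
    public static boolean matches(char[] password, String record) {
        String[] parts = record.split("\\$");
        if (parts.length != 4 || !parts[0].equals("pbkdf2-sha256")) {
            return false; // unknown or corrupt record: never authenticate on it
        }
        int iterations = Integer.parseInt(parts[1]);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[2]);
        byte[] expected = b64.decode(parts[3]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    /** Registration: only the salted, iterated hash goes into the table, never the password. */
    public void register(String username, char[] password) {
        table.put(username, hashForStorage(password));
    }

    /** Login path from the thread: look the record up by username, then compare. */
    public boolean login(String username, char[] password) {
        String record = table.get(username);
        if (record == null) {
            // Do the same amount of work for an unknown user so response time does not reveal valid usernames.
            pbkdf2(password, new byte[SALT_BYTES], ITERATIONS);
            return false;
        }
        return matches(password, record);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        store.register("bvw", "password".toCharArray());
        store.register("menzy", "password".toCharArray());
        // Same password, different salts, therefore different records in the table.
        System.out.println(store.table.get("bvw"));
        System.out.println(store.table.get("menzy"));
        System.out.println("correct password: " + store.login("bvw", "password".toCharArray()));
        System.out.println("wrong password:   " + store.login("bvw", "Password".toCharArray()));
        System.out.println("unknown user:     " + store.login("nobody", "password".toCharArray()));
    }
}
```

Two users who choose the same password end up with different records because their salts differ, which is exactly what defeats the precomputed dictionary floater describes. Storing the iteration count inside each record lets you raise it for newly set passwords while old records stay verifiable.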
Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:floater]
snowbug
CJSDN Senior Member
Posts: 418    Points: 130
Posted 2003-01-11 09:32

floater wrote:
Sorry for the wording, I was in a bit of a rush.

Just hash it several times, like the String aaa in main() above.
For example, take a string A, hash it to get B, then hash it again to get C. So from A to C the number of iterations is 2. Varying this number would also make a dictionary attack harder, since the attacker needs to know how many times you hashed in order to build a dictionary.


Got it, thanks :-)



Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
TienShih
Posts: 0    Points: 0
Posted 2003-01-14 16:16

Actually this is not encryption. You use a digest algorithm such as MD5 or SHA-1 to compute a digest of the password and store that in the database. Because digest algorithms are one-way, the original data cannot be recovered from the digest value. Just find a piece of Java code that computes a digest and you are done.


Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
menzy
Moderator
Posts: 754    Points: 113
Posted 2003-01-15 08:46

The view above is correct; this really cannot be called encryption.


Re: I want to encrypt users' passwords before storing them in the database; how do I implement this? [Re:bvw]
njord
Posts: 0    Points: 0
Posted 2003-01-15 22:08

Just HASH it. That way the original password is not exposed; you only need to compare the digest values.



Powered by Jute Powerful Forum® Version Jute 1.5.6 Ent
Copyright © 2002-2021 Cjsdn Team. All Rights Reserved. 闽ICP备05005120号-1