Grails 1.1 onwards has 'encodeAsMD5' available on Strings -- is there a way to provide a salt for the function?

Typical usage:

${myString.encodeAsMD5()}

Another option would be to use the Apache DigestUtils class.

I'm not using this to do password hashing -- instead, I'm using it for a verification mechanism to determine when a request was created and how much time elapsed when the response was received.

To start out, I encrypt the date/time of when a request was initially created and pass it over to the client. Later when the client sends some data back, it includes the original hash value which is then used in determining how much time has passed.

+2  A: 

Are you wanting to have a salt because you're trying to do password hashing? If so, please consider jBCrypt, a secure, really easy-to-use, password hashing library. You can probably easily hook it in as a Groovy string metamethod. :-P

And if you're not doing password hashing, I'm not sure where a salt would come in; please feel free to elaborate in that case. :-)


Example of how to use HMAC to do keyed hashing (I used HmacMD5 in my example, but you can use HmacSHA1, HmacSHA256, HmacSHA384, or HmacSHA512 also):

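import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Keyed hash (HMAC-MD5) of data under the given secret key.
// getInstance and init throw checked exceptions, so the method declares them.
public byte[] hmacMD5(byte[] key, byte[] data) throws GeneralSecurityException {
    Mac mac = Mac.getInstance("HmacMD5");
    mac.init(new SecretKeySpec(key, "HmacMD5"));
    mac.update(data);
    return mac.doFinal();
}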

I'm sorry that this is in Java and not Groovy, but hopefully it'll be easy enough for you to adapt. :-) Anyway, in this example, your constant value would be the key, and the incoming data would be the data.

If your data is sizeable (unlikely from what you've described), you can call update multiple times, and the hash would work as though the data from those calls were all concatenated together.

Chris Jester-Young
I updated my question to clarify. Not using this for password hashing.
Robin Jamieson
@Robin: Based on your question edit, am I to take it that the "salt" here refers to the timestamp you're sending to the client, which you are expecting it to send back verbatim?
Chris Jester-Young
If so, one way to verify the hash is to use something like HMAC-MD5, and use your timestamp as the HMAC key.
Chris Jester-Young
No, the salt is a constant value. Timestamp is what I'm hashing and it will be unique each time. So salting is only necessary to make passwords unique but not for other scenarios?
Robin Jamieson
@Robin: In that case, using HMAC-MD5 (with your constant as the HMAC key), and hashing the timestamp, is definitely the right way to go. I'll update my answer with a code example (in Java, but easy enough to adapt to Groovy).
Chris Jester-Young
@Robin: Salt is not needed to make a password hash unique. Salt is used in passwords to make Rainbow table attacks more difficult. http://en.wikipedia.org/wiki/Rainbow_table
Heinrich Filter
@Robin: Oh, oh! Did I forget to mention, that once you call `doFinal`, the state of the MAC is reset, and you can start hashing your new batch of data---it will automatically use the same key. Very handy, since you have a fixed key---you just need one `Mac` object per thread.
Chris Jester-Young
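
The scheme discussed above (constant secret as the HMAC key, timestamp as the data), as an added example that is not part of the original question or answers. The class name, token layout and demo key are assumptions; it uses HmacSHA256, one of the alternatives the answer lists, and sends the timestamp in the clear next to the MAC because a hash alone cannot be turned back into a time.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: hypothetical class, token layout and key; not from the original answer.
public class TimestampToken {
    private static final String ALG = "HmacSHA256";

    static byte[] hmac(byte[] key, String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Token sent to the client: "<millis>.<base64url(HMAC(key, millis))>".
    // The timestamp travels in the clear; the MAC only proves it was not altered.
    static String issue(byte[] key, long createdMillis) throws GeneralSecurityException {
        String ts = Long.toString(createdMillis);
        return ts + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(key, ts));
    }

    // Returns elapsed milliseconds, or -1 if the token is malformed or its MAC does not match.
    static long elapsed(byte[] key, String token, long nowMillis) throws GeneralSecurityException {
        int dot = token.indexOf('.');
        if (dot <= 0) return -1;
        String ts = token.substring(0, dot);
        try {
            byte[] sent = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
            if (!MessageDigest.isEqual(hmac(key, ts), sent)) return -1;
            return nowMillis - Long.parseLong(ts);
        } catch (IllegalArgumentException e) { // bad Base64 or non-numeric timestamp
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        String token = issue(key, 1_000_000L);                // constructed timestamp
        System.out.println(elapsed(key, token, 1_004_500L));  // valid token
        String forged = "999999" + token.substring(token.indexOf('.'));
        System.out.println(elapsed(key, forged, 1_004_500L)); // altered timestamp, same MAC
    }
}
```

The server needs no per-request state for this check: the key stays on the server, and any change to the timestamp on the client side invalidates the MAC.
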
A: 

Can't you use MessageDigest (Example)? You'll have to cache the original timestamp/hash, or better yet, store the inbound and outbound transmissions in some sort of auditing table.

Droo