How to simply and securely use hash methods in your Java projects.
by Emeric Nasi
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
In this article I will present how to simply use hash methods in your Java projects. I will also follow the Java coding security recommendations from the Java-sec project developed by a French consortium (SILICOM-AMOSSYS-INRIA) for ANSSI. You can find the entire document here (in French).
At the end of this article you should be able to build your own HashService class. By hash service I mean an object that sits between the JCE and the developers, is easy to use, and can be integrated into your local security API.
I. Using the JCE
I.1 The Java Cryptography Extension
I.2 Using JCE objects
All classes in the JCE are used the same way. You obtain a class instance using the getInstance() method. The classes do not directly describe the algorithm used; instead, when you request an instance of a JCE object, you must specify the algorithm and the provider of the service you want to use.
In our case, the object we need to implement hash services is "MessageDigest" from the package java.security.
MessageDigest messageDigest = MessageDigest.getInstance("SHA-512", "SUN");
In this example, we are going to use the SHA-512 hash algorithm provided by SUN.
I.3 Why should we build our own hash service?
The reason is that we do not want every developer to implement JCE access each time he needs to hash a message. Yes, but why?
First, because having a separate service (inside a security API, for example) allows you to normalize your code and to be sure you use the same algorithms everywhere. Moreover, a separate service lets you change the hash algorithm used by the entire app in one place, without having to modify any Java code (by setting a .properties file, for example).
There is another reason, linked to the security of the application itself:
The JCE is shipped with a list of algorithm providers. That list may differ depending on whether you are using a Windows or a Linux system. A developer can request an object instance without specifying the provider; in this case, the default provider will be used. That may be a problem because, as the Javasec study pointed out, not all JCE providers are equally secure. For example, the SUN pseudo-random generator (SHA1-PRNG) is considered to have statistical flaws, and SUN is the default provider on most JCE installs!
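A minimal service of the kind argued for above, written as an added example (it is not the article's own HashService code). The property keys hash.algorithm and hash.provider are assumed names, and the properties content is constructed inline so the class runs without an external file.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Properties;

// Added example. Property key names are assumptions, not taken from the article.
public final class HashService {
    private final String algorithm;
    private final String provider;

    public HashService(Properties config) throws NoSuchAlgorithmException, NoSuchProviderException {
        // Fail closed: both values are mandatory, so the JCE default provider is never used silently.
        algorithm = required(config, "hash.algorithm");
        provider = required(config, "hash.provider");
        // Validate the pair once at start-up so a bad configuration is caught at deployment.
        MessageDigest.getInstance(algorithm, provider);
    }

    private static String required(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) throw new IllegalArgumentException("missing " + key);
        return v.trim();
    }

    /** Returns the lowercase hex digest of the UTF-8 bytes of the message. */
    public String hash(String message) {
        try {
            // MessageDigest is stateful and not thread-safe: use a fresh instance per call.
            MessageDigest md = MessageDigest.getInstance(algorithm, provider);
            byte[] digest = md.digest(message.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new IllegalStateException("digest unavailable after start-up check", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the content of a hashservice.properties file.
        Properties config = new Properties();
        config.load(new StringReader("hash.algorithm=SHA-512\nhash.provider=SUN\n"));
        HashService service = new HashService(config);
        System.out.println(config.getProperty("hash.algorithm") + " for Hello World: "
                + service.hash("Hello World"));
    }
}
```

Fixing the charset to UTF-8 keeps digests identical across platforms, since String.getBytes() without an argument depends on the JVM default encoding.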
II. Creating our hash service
II.1 The HashService.java code
Commented code is the best example:
II.2 The hashservice.properties file content
II.3 Call our service
The output should be something like:
SHA-512 for Hello World: b7f783baed8297f0db917462184ff4f08e69c2....
SHA-1 for Hello World: 7b502c3a1f48c8609ae212cdfb639dee39673f5e
Now you are able to implement hash methods in your Java applications.
This simple example can be improved and reused for other JCE features, like random numbers and encryption.