MD5Digest / missing method getEncodedState()

MD5Digest / missing method getEncodedState()

Jörg Weule
Hi,

I would like to implement the authorization/login method CRAM-MD5.
Avoiding to store the encrypted password of the user at the database,
I would like to have getEncodedState() at MD5Digest and another
appropriate Constructor to reconstruct the State. Unfortunately this
method is implemented only at SHA1Digest. It should be very easy, to
implement these methods for MD5 and others as well?

Is there a way to implement CRAM-MD5 avoiding storage of the password at
the database with bouncycastle 1.54 ?

Thanks in advance.

Jörg


Re: MD5Digest / missing method getEncodedState()

David Hook

I've added support for EncodableDigest to MD5Digest. The code change
should appear on the github mirror shortly, it'll be a few more days
before the beta gets updated with it, probably first thing next week.

Regards,

David

On 28/03/16 02:57, Jörg Weule wrote:

> Hi,
>
> I would like to implement the authorization/login method CRAM-MD5.
> Avoiding to store the encrypted password of the user at the database,
> I would like to have getEncodedState() at MD5Digest and another
> appropriate Constructor to reconstruct the State. Unfortunately this
> method is implemented only at SHA1Digest. It should be very easy, to
> implement these methods for MD5 and others as well?
>
> Is there a way to implement CRAM-MD5 avoiding storage of the password at
> the database with bouncycastle 1.54 ?
>
> Thanks in advance.
>
> Jörg
>
>
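
An added example (not code from Bouncy Castle or from the posters) of the storage scheme the request describes: the server keeps the two exported HMAC-MD5 digest states and resumes them for each challenge, so the password itself is never stored. It assumes a Bouncy Castle release containing the `MD5Digest` change described in the reply above, and that `MD5Digest` has a `byte[]` state constructor like the one on `SHA1Digest`; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.crypto.digests.MD5Digest;

public class CramMd5StoredState {
    static final int BLOCK = 64; // MD5 block size in bytes

    // Absorb (key XOR pad) into a fresh MD5 and export the resulting state.
    static byte[] keyedState(byte[] key, byte pad) {
        byte[] block = new byte[BLOCK];
        if (key.length > BLOCK) {            // HMAC rule: hash over-long keys first
            MD5Digest kd = new MD5Digest();
            kd.update(key, 0, key.length);
            kd.doFinal(block, 0);
        } else {
            System.arraycopy(key, 0, block, 0, key.length);
        }
        for (int i = 0; i < BLOCK; i++) block[i] ^= pad;
        MD5Digest d = new MD5Digest();
        d.update(block, 0, BLOCK);
        return d.getEncodedState();          // assumed available on MD5Digest
    }

    // Server side: resume both stored states; the password is not needed.
    static byte[] expectedResponse(byte[] inner, byte[] outer, byte[] challenge) {
        byte[] h = new byte[16];
        MD5Digest in = new MD5Digest(inner); // assumed state constructor
        in.update(challenge, 0, challenge.length);
        in.doFinal(h, 0);
        MD5Digest out = new MD5Digest(outer);
        out.update(h, 0, h.length);
        out.doFinal(h, 0);
        return h;
    }

    public static void main(String[] args) throws Exception {
        // Sample password and challenge from the RFC 2195 example.
        byte[] pw = "tanstaaftanstaaf".getBytes(StandardCharsets.US_ASCII);
        byte[] ch = "<1896.697170952@postoffice.reston.mci.net>".getBytes(StandardCharsets.US_ASCII);
        byte[] inner = keyedState(pw, (byte) 0x36); // enrolment: store these two
        byte[] outer = keyedState(pw, (byte) 0x5c); // blobs instead of the password
        Mac ref = Mac.getInstance("HmacMD5");       // stands in for the client's HMAC
        ref.init(new SecretKeySpec(pw, "HmacMD5"));
        byte[] client = ref.doFinal(ch);
        // Constant-time comparison of the client response and the recomputed value.
        boolean ok = MessageDigest.isEqual(client, expectedResponse(inner, outer, ch));
        System.out.println("response accepted: " + ok);
    }
}
```

The two exported states are sufficient to answer any CRAM-MD5 challenge for that account, so they need the same protection in the database as the password would.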



RE: MD5Digest / missing method getEncodedState()

Eckenfels. Bernd
A non-allocating state retrieval would also help for iterated HMAC usage (pbkdf and friends). Currently you have to use clone() to preserve state. When one can pass in a buffer to be reused this could be improved. Is that the same thing?
________________________________________
From: David Hook [[hidden email]]
Sent: Tuesday, March 29, 2016 11:21
To: [hidden email]
Subject: Re: [dev-crypto] MD5Digest / missing method getEncodedState()

I've added support for EncodableDigest to MD5Digest. The code change
should appear on the github mirror shortly, it'll be a few more days
before the beta gets updated with it, probably first thing next week.

Regards,

David

On 28/03/16 02:57, Jörg Weule wrote:

> Hi,
>
> I would like to implement the authorization/login method CRAM-MD5.
> Avoiding to store the encrypted password of the user at the database,
> I would like to have getEncodedState() at MD5Digest and another
> appropriate Constructor to reconstruct the State. Unfortunately this
> method is implemented only at SHA1Digest. It should be very easy, to
> implement these methods for MD5 and others as well?
>
> Is there a way to implement CRAM-MD5 avoiding storage of the password at
> the database with bouncycastle 1.54 ?
>
> Thanks in advance.
>
> Jörg
>
>










SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.



Re: MD5Digest / missing method getEncodedState()

David Hook

It should be the same thing... kind of... I'll look into it, I don't
think it would be a lot of work to add.

Regards,

David

On 29/03/16 20:44, Eckenfels. Bernd wrote:

> A non-allocating state retrieval would also help for iterated HMAC usage (pbkdf and friends). Currently you have to use clone() to preserve state. When one can pass in a buffer to be reused this could be improved. Is that the same thing?
> ________________________________________
> From: David Hook [[hidden email]]
> Sent: Tuesday, March 29, 2016 11:21
> To: [hidden email]
> Subject: Re: [dev-crypto] MD5Digest / missing method getEncodedState()
>
> I've added support for EncodableDigest to MD5Digest. The code change
> should appear on the github mirror shortly, it'll be a few more days
> before the beta gets updated with it, probably first thing next week.
>
> Regards,
>
> David
>
> On 28/03/16 02:57, Jörg Weule wrote:
>> Hi,
>>
>> I would like to implement the authorization/login method CRAM-MD5.
>> Avoiding to store the encrypted password of the user at the database,
>> I would like to have getEncodedState() at MD5Digest and another
>> appropriate Constructor to reconstruct the State. Unfortunately this
>> method is implemented only at SHA1Digest. It should be very easy, to
>> implement these methods for MD5 and others as well?
>>
>> Is there a way to implement CRAM-MD5 avoiding storage of the password at
>> the database with bouncycastle 1.54 ?
>>
>> Thanks in advance.
>>
>> Jörg
>>
>>



Re: MD5Digest / missing method getEncodedState()

Jörg Weule
Even the iteration for SCRAM-SHA1 would be fine ;-)

Thanks for the great work, with regards

Jörg

On 30.03.2016 19:20, David Hook wrote:

>
> It should be the same thing... kind of... I'll look into it, I don't
> think it would be a lot of work to add.
>
> Regards,
>
> David
>
> On 29/03/16 20:44, Eckenfels. Bernd wrote:
>> A non-allocating state retrieval would also help for iterated HMAC usage (pbkdf and friends). Currently you have to use clone() to preserve state. When one can pass in a buffer to be reused this could be improved. Is that the same thing?
>> ________________________________________
>> From: David Hook [[hidden email]]
>> Sent: Tuesday, March 29, 2016 11:21
>> To: [hidden email]
>> Subject: Re: [dev-crypto] MD5Digest / missing method getEncodedState()
>>
>> I've added support for EncodableDigest to MD5Digest. The code change
>> should appear on the github mirror shortly, it'll be a few more days
>> before the beta gets updated with it, probably first thing next week.
>>
>> Regards,
>>
>> David
>>
>> On 28/03/16 02:57, Jörg Weule wrote:
>>> Hi,
>>>
>>> I would like to implement the authorization/login method CRAM-MD5.
>>> Avoiding to store the encrypted password of the user at the database,
>>> I would like to have getEncodedState() at MD5Digest and another
>>> appropriate Constructor to reconstruct the State. Unfortunately this
>>> method is implemented only at SHA1Digest. It should be very easy, to
>>> implement these methods for MD5 and others as well?
>>>
>>> Is there a way to implement CRAM-MD5 avoiding storage of the password at
>>> the database with bouncycastle 1.54 ?
>>>
>>> Thanks in advance.
>>>
>>> Jörg
>>>
>>>



Re: ... / ByteUtils

Jörg Weule
Dear David,

at the beginning of the year, we discussed the internal status of a hash
algorithm. Now I found another method, that should have a quick enhancement:

In ByteUtils the method toHexString is not O(n), since there are n
String objects to be deleted by the garbage collector and this is not
O(n), I guess.

    /**
     * Convert a byte array to the corresponding hexstring.
     *
     * @param input the byte array to be converted
     * @return the corresponding hexstring
     */
    public static String toHexString(byte[] input)
    {
        String result = "";
        for (int i = 0; i < input.length; i++)
        {
            result += HEX_CHARS[(input[i] >>> 4) & 0x0f];
            result += HEX_CHARS[(input[i]) & 0x0f];
        }
        return result;
    }

Should be coded as follows:

        char[] result = new char[input.length * 2];
        for (int i = 0; i < input.length; i++)
        {
            result[i*2]   = HEX_CHARS[ (input[i] >>> 4) & 0xf ];
            result[i*2+1] = HEX_CHARS[  input[i]        & 0xf ];
        }
        return new String(result);

There are two other methods of „toHexString” which should be improved as
well.

With kind regards.

Jörg



On 31.03.2016 22:55, Jörg Weule wrote:

> Even the iteration for SCRAM-SHA1 would be fine ;-)
>
> Thanks for the great work, with regards
>
> Jörg
>
> On 30.03.2016 19:20, David Hook wrote:
>>
>> It should be the same thing... kind of... I'll look into it, I don't
>> think it would be a lot of work to add.
>>
>> Regards,
>>
>> David
>>
>> On 29/03/16 20:44, Eckenfels. Bernd wrote:
>>> A non-allocating state retrieval would also help for iterated HMAC usage (pbkdf and friends). Currently you have to use clone() to preserve state. When one can pass in a buffer to be reused this could be improved. Is that the same thing?
>>> ________________________________________
>>> From: David Hook [[hidden email]]
>>> Sent: Tuesday, March 29, 2016 11:21
>>> To: [hidden email]
>>> Subject: Re: [dev-crypto] MD5Digest / missing method getEncodedState()
>>>
>>> I've added support for EncodableDigest to MD5Digest. The code change
>>> should appear on the github mirror shortly, it'll be a few more days
>>> before the beta gets updated with it, probably first thing next week.
>>>
>>> Regards,
>>>
>>> David
>>>
>>> On 28/03/16 02:57, Jörg Weule wrote:
>>>> Hi,
>>>>
>>>> I would like to implement the authorization/login method CRAM-MD5.
>>>> Avoiding to store the encrypted password of the user at the database,
>>>> I would like to have getEncodedState() at MD5Digest and another
>>>> appropriate Constructor to reconstruct the State. Unfortunately this
>>>> method is implemented only at SHA1Digest. It should be very easy, to
>>>> implement these methods for MD5 and others as well?
>>>>
>>>> Is there a way to implement CRAM-MD5 avoiding storage of the password at
>>>> the database with bouncycastle 1.54 ?
>>>>
>>>> Thanks in advance.
>>>>
>>>> Jörg
>>>>
>>>>

