Package org.silverpeas.core.security.authentication.password

Interface PasswordEncryption

  • All Known Implementing Classes:
    UnixDESEncryption, UnixMD5Encryption, UnixSHA512Encryption
    public interface PasswordEncryption
    Encryption of a user password or passphrase by using a cryptographic one-way hash algorithm.

    While the message authentication and the integrity checking requires a hash function that matters in speed and in efficiency (a different digest for inputs altered even a little), the hashing of the passwords or passphrases require robustness and future-proof against strong attacks that take advantage of a hardware more and more powerful and of the password's lifetime.

    Usually, the hash functions used in the encryption of a password is based on a standard and well known cryptographic algorithm: MD5, SHA-1, SHA-256, etc. Unfortunately, these functions don't suit well for encrypting password for the reasons explained above; they suffer of the recognizability and of the speed problems. This is why techniques like the salting (random sequence of bytes which is added to the hash function) and the stretching (iteration of the hash function many times) should be used to address the weakness of these one-way hash functions. (These techniques are usually used by the Unix system in their variations of the above algorithms to encrypt the user passwords.) Another and better solution is to use an adaptive key derivations functions to encrypt the passwords or the passphrases as they generate more entropy in the digest computation.

    Author:
    mmoquillon

    • Field Detail

      • BAD_PASSWORD_MESSAGE

        static final String BAD_PASSWORD_MESSAGE
        A format message for the check(String, String) method when the password doesn't match the digest. It serves as a template for the error message to be carried by the AssertionError error.
        See Also:
        Constant Field Values

    • Method Detail

      • encrypt

        String encrypt​(String password)
        Encrypts the specified password by using a random salt (or no salt for some weakness algorithms).
        Parameters:
        password - the password to encrypt.
        Returns:
        a digest of the password.

      • encrypt

        String encrypt​(String password,
               byte[] salt)
        Encrypts the specified password by using the specified salt. If the salt is null or empty, then a random salt is computed.
        Parameters:
        password - the password to encrypt.
        salt - the salt to use to generate more entropy in the encryption of the password.
        Returns:
        a digest of the password.

      • check

        void check​(String password,
           String digest)
    throws AssertionError
        Checks the specified password matches the specified digest.

        Parameters:
        password - an unencrypted password.
        digest - a digest of a password with which the specified password has to be matched.
        Throws:
        AssertionError - if the digest wasn't computed from the specified password.

      • getSaltUsedInDigest

        byte[] getSaltUsedInDigest​(String digest)
        Gets the salt that was used to compute the specified digest.

        According to the cryptographic algorithm that computed the digest, the salt used in the encryption can be retrieved from the digest itself. In the case the salt cannot be determine, an empty one is then returned.

        If the digest cannot be analysed by this encryption then an IllegalArgumentException exception is thrown.

        Parameters:
        digest - the digest from which the salt has to be get.
        Returns:
        the salt or nothing (an empty salt) if it cannot be get from the digest.

      • doUnderstandDigest

        boolean doUnderstandDigest​(String digest)
        Does this encryption understand the specified digest? An encryption understands usually the digest it has itself generated. This method is for knowing the encryption that has computed a given digest.
        Parameters:
        digest - the digest to analyse.
        Returns:
        true if the specified digest was computed by this encryption, false if it doesn't understand it (either the encryption hasn't generated the digest or it cannot analyse it).