


get hexadecimal hash string for a number

Started by: Magnus Warker <magnux@mailinator.com>
First post: 2012-09-18 18:25 +0200
Last post: 2012-09-23 20:57 -0400
Articles 20 on this page of 31 — 10 participants



Contents

  get hexadecimal hash string for a number Magnus Warker <magnux@mailinator.com> - 2012-09-18 18:25 +0200
    Re: get hexadecimal hash string for a number markspace <-@.> - 2012-09-18 10:08 -0700
      Re: get hexadecimal hash string for a number Lew <lewbloch@gmail.com> - 2012-09-18 10:14 -0700
      Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-18 19:58 -0400
        Re: get hexadecimal hash string for a number markspace <-@.> - 2012-09-18 17:27 -0700
          Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-18 21:17 -0400
          Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-18 21:21 -0400
        Re: get hexadecimal hash string for a number Magnus Warker <warker@mailinator.com> - 2012-09-19 08:27 +0200
          Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-19 18:30 -0400
          Re: get hexadecimal hash string for a number Kevin McMurtrie <mcmurtrie@pixelmemory.us> - 2012-09-19 19:06 -0700
            Re: get hexadecimal hash string for a number Magnus Warker <warker@mailinator.com> - 2012-09-20 11:32 +0200
    Re: get hexadecimal hash string for a number Lew <lewbloch@gmail.com> - 2012-09-18 10:10 -0700
      Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-18 20:02 -0400
      Re: get hexadecimal hash string for a number Magnus Warker <warker@mailinator.com> - 2012-09-19 08:18 +0200
    Re: get hexadecimal hash string for a number Roedy Green <see_website@mindprod.com.invalid> - 2012-09-18 10:23 -0700
      Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-18 20:00 -0400
    Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-18 20:06 -0400
      Re: get hexadecimal hash string for a number markspace <-@.> - 2012-09-18 17:30 -0700
        Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-18 21:07 -0400
    Re: get hexadecimal hash string for a number Kevin McMurtrie <mcmurtrie@pixelmemory.us> - 2012-09-18 22:50 -0700
    Re: get hexadecimal hash string for a number Leif Roar Moldskred <leifm@dimnakorr.com> - 2012-09-19 01:06 -0500
    Re: get hexadecimal hash string for a number rossum <rossum48@coldmail.com> - 2012-09-19 17:34 +0100
      Re: get hexadecimal hash string for a number Magnus Warker <warker@mailinator.com> - 2012-09-20 11:30 +0200
        Re: get hexadecimal hash string for a number rossum <rossum48@coldmail.com> - 2012-09-21 12:48 +0100
          Re: get hexadecimal hash string for a number Lew <lewbloch@gmail.com> - 2012-09-21 10:15 -0700
            Re: get hexadecimal hash string for a number Magnus Warker <warker@mailinator.com> - 2012-09-26 06:11 +0200
              Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-26 09:29 -0400
                Re: get hexadecimal hash string for a number Gene Wirchenko <genew@ocis.net> - 2012-09-26 09:18 -0700
        Re: get hexadecimal hash string for a number markspace <-@.> - 2012-09-21 10:56 -0700
          Re: get hexadecimal hash string for a number Magnus Warker <warker@mailinator.com> - 2012-09-26 06:12 +0200
        Re: get hexadecimal hash string for a number Arne Vajhøj <arne@vajhoej.dk> - 2012-09-23 20:57 -0400



#18821 — get hexadecimal hash string for a number

From: Magnus Warker <magnux@mailinator.com>
Date: 2012-09-18 18:25 +0200
Subject: get hexadecimal hash string for a number
Message-ID: <k3a74r$u3s$1@news.m-online.net>
Hi,

I want users to register on a site and send confirmation emails to them. 
These emails should contain a link like this:

http://myurl?registration=E4AC4BD4

Here, "E4AC4BD4" should be a unique string. My idea for such a string is 
just to hash an integer, i.e. the internal database key for the 
registration record.

However, I actually don't know how to get such a hash. I tried BCrypt, 
but this produces hashes built out of characters that I would not want 
to be in a URL, e.g. commas and the like.

I would like to have a string like this:

- hexadecimal only
- fixed size, e.g. always n characters, independent of the integer

Can you help?

Thank you!

Magnus



#18822

From: markspace <-@.>
Date: 2012-09-18 10:08 -0700
Message-ID: <k3a9qr$opo$1@dont-email.me>
In reply to: #18821
On 9/18/2012 9:25 AM, Magnus Warker wrote:
> Hi,
>
> I want users to register on a site and send confirmation emails to them.
> These emails should contain a link like this:
>
> http://myurl?registration=E4AC4BD4
>
> Here, "E4AC4BD4" should be a unique string.


<http://docs.oracle.com/javase/7/docs/api/java/util/UUID.html>

I think UUID is better, as it is more random than just an integer, and 
I'm pretty sure it uses a hexadecimal representation, so you can just 
use it as-is.  Make a new one, call toString, and you're ready to go.




#18824

From: Lew <lewbloch@gmail.com>
Date: 2012-09-18 10:14 -0700
Message-ID: <2f70419e-e86d-4d7c-8451-b6ddcb602cc7@googlegroups.com>
In reply to: #18822
markspace wrote:
> Magnus Warker wrote:
>> I want users to register on a site and send confirmation emails to them.
>> These emails should contain a link like this:
>>
>> http://myurl?registration=E4AC4BD4
>>
>> Here, "E4AC4BD4" should be a unique string.
> 
> <http://docs.oracle.com/javase/7/docs/api/java/util/UUID.html>
> I think UUID is better, as it is more random than just an integer, and 
> I'm pretty sure it uses a hexadecimal representation, so you can just 
> use it as-is.  Make a new one, call toString, and you're ready to go.

It's better than UID that I suggested, too.

-- 
Lew



#18831

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-18 19:58 -0400
Message-ID: <50590aab$0$283$14726298@news.sunsite.dk>
In reply to: #18822
On 9/18/2012 1:08 PM, markspace wrote:
> On 9/18/2012 9:25 AM, Magnus Warker wrote:
>> I want users to register on a site and send confirmation emails to them.
>> These emails should contain a link like this:
>>
>> http://myurl?registration=E4AC4BD4
>>
>> Here, "E4AC4BD4" should be a unique string.
>
>
> <http://docs.oracle.com/javase/7/docs/api/java/util/UUID.html>
>
> I think UUID is better, as it is more random than just an integer, and
> I'm pretty sure it uses a hexadecimal representation, so you can just
> use it as-is.  Make a new one, call toString, and you're ready to go.

It meets the stated requirements of being unique.

But the original poster most likely has a requirement he
forgot to mention: that it should be hard to guess as well.

The point of emailing a confirmation link is to ensure that the
registrant indeed owns the email address.

If the link is guessable then there is no point.

UUIDs are not intended to be cryptographically secure, so they
are not the right tool for the job.

The correct approach is to use a cryptographically secure
RNG to generate a number of random bytes.

Being slightly paranoid I will recommend generating
maybe 100 bytes and doing a SHA-256 of that just to
protect against weaknesses.

It does not cost much coding or many resources at runtime, so
I cannot see any reason not to do it the right way.

Arne



#18835

From: markspace <-@.>
Date: 2012-09-18 17:27 -0700
Message-ID: <k3b3h6$sli$1@dont-email.me>
In reply to: #18831
On 9/18/2012 4:58 PM, Arne Vajhøj wrote:

> The correct approach is to use a cryptographic secure
> RNG to generate a number of random bytes.
>


I looked up "cryptographic secure" on Wikipedia, and I have to disagree. 
The key he's sending is going out as plain text.  Cryptographically 
secure RNGs are used to generate keys; you never reveal your seed value 
or there's no point to the keys either.  The UUID is plenty hard to 
guess; using a hard-to-guess value that you then send out as plain text 
isn't going to improve your security.

Also, there are human factors to consider as well.  "Fake" but valid email 
addresses are plenty easy to generate.  If someone really wants to use a 
bogus address, they just make one, get the link you send them, and then 
ignore the email address after that.  This whole process is easy to 
automate.  Hundreds or thousands of fake IDs per day can be generated 
this way.  "Cryptographically secure" doesn't mean much when Alice and 
Mallory are the same person.  In this case the human factor is a coder 
who thinks "cryptographically secure" is going to solve some problem 
when it won't.

If you can show me how UUIDs are "easy to guess," I might retract my 
statements somewhat.



#18838

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-18 21:17 -0400
Message-ID: <50591d2a$0$285$14726298@news.sunsite.dk>
In reply to: #18835
On 9/18/2012 8:27 PM, markspace wrote:
> On 9/18/2012 4:58 PM, Arne Vajhøj wrote:
>> The correct approach is to use a cryptographic secure
>> RNG to generate a number of random bytes.
>
> I looked up"cryptographic secure" on Wikipedia, and I have to disagree.
>   The key he's sending is going out as plain text.  Cryptographically
> secure RNGs are used to generate keys,

Yes and no.

A cryptographically secure RNG is really just an RNG that produces
values that are hard/impossible to predict.

It has an obvious usage for generating cryptography keys.

But it also has other usages.

Hard-to-guess ids are one of the others.

> you never reveal your seed value
> or there's no point to the keys either.  The UUID is plenty hard to
> guess; using a hard-to-guess value that you then send out as plain text
> isn't going to improve your security.

It solves the problem it is intended to solve.

The purpose of a confirmation email with a link with such an
id is to verify that the owner of the email account is indeed
the one registering.

You cannot ensure that if it is possible for the registering
person to guess the id.

It needs to be hard to guess.

Which is what a cryptographically secure RNG provides.

> Also, there's human factors to consider as well.  "Fake" but valid email
> addresses are plenty easy to generate.  If someone really wants to use a
> bogus address, they just make one, get the link you send them, and then
> ignore the email address after that.  This whole process is easy to
> automate.  Hundreds or thousands of fake ID per day can be generated
> this way.  "Cryptographically secure" doesn't mean much when Alice and
> Mallory are the same person.  In this case the human factor is a coder
> who thinks "cryptographically secure" is going to solve some problem
> when it won't.

That is not relevant for what we are discussing.

We are discussing how to send out confirmation emails with links.

Whether that idea brings value or not is another question.

Arne




#18839

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-18 21:21 -0400
Message-ID: <50591e29$0$287$14726298@news.sunsite.dk>
In reply to: #18835
On 9/18/2012 8:27 PM, markspace wrote:
> If you can show me how UUIDs are "easy to guess," I might retract my
> statements somewhat.

UUIDs of type 1, 2 and 3 are not random at all.

UUIDs of type 4 are random, but if it is not a cryptographically
secure RNG then it is vulnerable. And if it is something
trivial like a 32-bit LCG then it is trivial to break.

Arne




#18845

From: Magnus Warker <warker@mailinator.com>
Date: 2012-09-19 08:27 +0200
Message-ID: <k3bonl$ta1$1@news.albasani.net>
In reply to: #18831
Hi Arne!

On 09/19/2012 01:58 AM, Arne Vajhøj wrote:

> The correct approach is to use a cryptographic secure
> RNG to generate a number of random bytes.

What about encrypting the database key?

> Being slightly paranoid I will recommend generating
> maybe 100 bytes and do a SHA-256 of that just to
> protect against weaknesses.

If we are paranoid, we should also remember the uniqueness requirement. 
"Random" could be a problem here.

> It does not cost much coding or many resources runtime, so
> I can not see any reason to not do it the right way.

I am sure that your approach will do the job. Thanks!

But I would like to know if encrypting the database key would also be 
ok. Can we encrypt it and also ensure a fixed-length hex value?

Magnus

-- 
This is Unix-Land. In quiet nights, you can hear the Windows machines 
reboot.



#18856

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-19 18:30 -0400
Message-ID: <505a476e$0$285$14726298@news.sunsite.dk>
In reply to: #18845
On 9/19/2012 2:27 AM, Magnus Warker wrote:
> On 09/19/2012 01:58 AM, Arne Vajhøj wrote:
>> The correct approach is to use a cryptographic secure
>> RNG to generate a number of random bytes.
>
> What about encrypting the database key?

That relies on the key being kept secret.

In many cases this is a necessary requirement, but not
in this case, so I would say that it is the second-best option.

And since Java UUID does provide a way to generate using
a cryptographically secure RNG, as markspace pointed out,
it is even simpler to code than I expected (not that SecureRandom
is that hard to use in the first place).

>> Being slightly paranoid I will recommend generating
>> maybe 100 bytes and do a SHA-256 of that just to
>> protect against weaknesses.
>
> If we are paranoid, we should also remember the uniqueness requirement.
> "Random" could be a problem here.

If you make the column unique in the database then you will get an error
on insert and can then just pick another.

It will happen on average once in some billions/trillions of years, so
I think you can live with that.

>> It does not cost much coding or many resources runtime, so
>> I can not see any reason to not do it the right way.
>
> I am sure that your approach will do the job. Thanks!
>
> But I would like to know if encrypting the database key would also be
> ok. Can we encrypt it and also ensure a fixed-length hex value?

You can certainly pad and encrypt.

But as explained above, I think it is just the second-best
option.

Arne



#18857

From: Kevin McMurtrie <mcmurtrie@pixelmemory.us>
Date: 2012-09-19 19:06 -0700
Message-ID: <505a7a0a$0$65523$742ec2ed@news.sonic.net>
In reply to: #18845
In article <k3bonl$ta1$1@news.albasani.net>,
 Magnus Warker <warker@mailinator.com> wrote:

> Hi Arne!
> 
> On 09/19/2012 01:58 AM, Arne Vajhøj wrote:
> 
> > The correct approach is to use a cryptographic secure
> > RNG to generate a number of random bytes.
> 
> What about encrypting the database key?
> 
> > Being slightly paranoid I will recommend generating
> > maybe 100 bytes and do a SHA-256 of that just to
> > protect against weaknesses.
> 
> If we are paranoid, we should also remember the uniqueness requirement. 
> "Random" could be a problem here.
> 
> > It does not cost much coding or many resources runtime, so
> > I can not see any reason to not do it the right way.
> 
> I am sure that your approach will do the job. Thanks!
> 
> But I would like to know if encrypting the database key would also be 
> ok. Can we encrypt it and also ensure a fixed-length hex value?
> 
> Magnus

What is your database key?

If it's 1, 2, 3, 4, ... then encrypting it will simply reveal your 
encryption key. If characters aren't efficient for your keys, simply use 
a translation table between the random and sequential values.  Use the 
randomized value as a database key on all traffic leaving and entering 
your server.  It prevents the public from guessing new database keys.

create table urlparams
(
   param char(16) primary key,
   id integer unique not null references main_table (id)
);
-- param is the outside database key made of random characters
-- id is the local primary key

create table main_table
(
   id integer primary key,
 ...
);

create table other_table
(
   id integer primary key references main_table (id),
 ...
);

create table more_table
(
   id integer primary key references main_table (id),
 ...
);

You fetch all your table data together efficiently in one join:

select ... from main_table, other_table, more_table, urlparams
 where
  urlparams.param=?
  and urlparams.id=main_table.id
  and urlparams.id=other_table.id
  and urlparams.id=more_table.id;
-- 
I will not see posts from Google because I must filter them as spam



#18860

From: Magnus Warker <warker@mailinator.com>
Date: 2012-09-20 11:32 +0200
Message-ID: <k3envo$idj$2@news.albasani.net>
In reply to: #18857
On 09/20/2012 04:06 AM, Kevin McMurtrie wrote:

> What is your database key?
>
> If it's 1, 2, 3, 4, ... then encrypting it will simply reveal your
> encryption key.

It's an incrementing integer. What's the reason for revealing the key? 
Is it the shortness of the number or is it the fact that the number 
increments?

If it's the shortness, what about padding?

> If characters aren't efficient for your keys, simply use
> a translation table between the random and sequential values.  Use the
> randomized value as a database key on all traffic leaving and entering
> your server.  It prevents the public from guessing new database keys.
>
> create table urlparams
> {
>     param char(16) primary key,
>     id integer unique not null references main_table (id)
> }
> -- param is the outside database key made of random characters
> -- id is the local primary key

Ok thanks...

Magnus



#18823

From: Lew <lewbloch@gmail.com>
Date: 2012-09-18 10:10 -0700
Message-ID: <a7e8fd59-4a4a-499e-9366-bedad1d5e097@googlegroups.com>
In reply to: #18821
Magnus Warker wrote:
> I want users to register on a site and send confirmation emails to them. 
> These emails should contain a link like this:
> 
> http://myurl?registration=E4AC4BD4
> 
> Here, "E4AC4BD4" should be a unique string. My idea for such a string is 
> just to hash an integer, i. e. the internal database key for the 
> registration record.
> 
> However, I actually don't know how to get such a hash. I tried BCrypt, 
> but this produces hashes built out of characters that I would not want 
> to be in a URL, e. g. commatas and that.
> 
> I would like to have a string like this:
> 
> - hexadecimal only
> - fixed size, e. g. always n characters, independend of the integer
> 
> Can you help?

First of all, hashing a unique integer is silly. It's already unique!

If you have a reliably unique, stable integer ID, you don't need to hash it!

Just use the value.

Got that? Good, because an internal database ID is not reliable. 
It's *internal*!  It's not meant to be used externally! 

Got that? Good, because the database record has (or you're not doing it 
right) an external unique key, one based on visible attributes. You could 
hash that key.

Or you could perhaps use 
http://docs.oracle.com/javase/7/docs/api/java/rmi/server/UID.html

You'll want to store that UID with the registration record.

First and foremost google around for hash codes and how to use them.
Your lack of understanding will screw you otherwise.

-- 
Lew



#18833

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-18 20:02 -0400
Message-ID: <50590b92$0$283$14726298@news.sunsite.dk>
In reply to: #18823
On 9/18/2012 1:10 PM, Lew wrote:
> Magnus Warker wrote:
>> I want users to register on a site and send confirmation emails to them.
>> These emails should contain a link like this:
>>
>> http://myurl?registration=E4AC4BD4
>>
>> Here, "E4AC4BD4" should be a unique string. My idea for such a string is
>> just to hash an integer, i. e. the internal database key for the
>> registration record.
>>
>> However, I actually don't know how to get such a hash. I tried BCrypt,
>> but this produces hashes built out of characters that I would not want
>> to be in a URL, e. g. commatas and that.
>>
>> I would like to have a string like this:
>>
>> - hexadecimal only
>> - fixed size, e. g. always n characters, independend of the integer
>>
>> Can you help?
>
> First of all, hashing a unique integer is silly. It's already unique!
>
> If you have a reliably unique, stable integer ID, you don't need to hash it!
>
> Just use the value.

The real issue for the confirmation link problem is not
uniqueness but that it has to be hard to guess.

Which changes the solution quite a bit.

Arne




#18844

From: Magnus Warker <warker@mailinator.com>
Date: 2012-09-19 08:18 +0200
Message-ID: <k3bo7e$rtr$1@news.albasani.net>
In reply to: #18823
On 09/18/2012 07:10 PM, Lew wrote:
> Magnus Warker wrote:

> First of all, hashing a unique integer is silly. It's already unique!

> First and foremost google around for hash codes and how to use them.
> Your lack of understanding will screw you otherwise.

As Arne guessed, I should have said "encrypt" instead of "hash". You 
could also guess this, but I think you didn't want to.

Magnus

-- 
This is Unix-Land. In quiet nights, you can hear the Windows machines 
reboot.



#18825

From: Roedy Green <see_website@mindprod.com.invalid>
Date: 2012-09-18 10:23 -0700
Message-ID: <1ebh581242847h82ddoqap59e4b0844lo5@4ax.com>
In reply to: #18821
On Tue, 18 Sep 2012 18:25:12 +0200, Magnus Warker
<magnux@mailinator.com> wrote, quoted or indirectly quoted someone who
said :

>http://myurl?registration=E4AC4BD4

see http://mindprod.com/jgloss/pseudorandom.html
to generate a number not easily guessed.

To display it, just convert your int to a hex string.
See http://mindprod.com/jgloss/hex.html
-- 
Roedy Green Canadian Mind Products http://mindprod.com
The iPhone 5 is a low end Rolex. 



#18832

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-18 20:00 -0400
Message-ID: <50590b2e$0$283$14726298@news.sunsite.dk>
In reply to: #18825
On 9/18/2012 1:23 PM, Roedy Green wrote:
> On Tue, 18 Sep 2012 18:25:12 +0200, Magnus Warker
> <magnux@mailinator.com> wrote, quoted or indirectly quoted someone who
> said :
>
>> http://myurl?registration=E4AC4BD4
>
> see http://mindprod.com/jgloss/pseudorandom.html
> to generate a number not easily guessed.

Note that only the secure RNGs meet the "not easily guessed"
claim.

Arne



#18834

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-18 20:06 -0400
Message-ID: <50590c98$0$294$14726298@news.sunsite.dk>
In reply to: #18821
On 9/18/2012 12:25 PM, Magnus Warker wrote:
> I want users to register on a site and send confirmation emails to them.
> These emails should contain a link like this:
>
> http://myurl?registration=E4AC4BD4
>
> Here, "E4AC4BD4" should be a unique string. My idea for such a string is
> just to hash an integer, i. e. the internal database key for the
> registration record.
>
> However, I actually don't know how to get such a hash. I tried BCrypt,
> but this produces hashes built out of characters that I would not want
> to be in a URL, e. g. commatas and that.
>
> I would like to have a string like this:
>
> - hexadecimal only
> - fixed size, e. g. always n characters, independend of the integer

Use a secure RNG (java.security.SecureRandom) to generate 100 random bytes.

Convert it to 32 bytes with SHA-256 (java.security.MessageDigest).

And convert it to 64 hex characters.

Done.

Arne



#18836

From: markspace <-@.>
Date: 2012-09-18 17:30 -0700
Message-ID: <k3b3mr$sli$2@dont-email.me>
In reply to: #18834
On 9/18/2012 5:06 PM, Arne Vajhøj wrote:

> Use a secure RNG (java.security.SecureRandom) to generate 100 random
> bytes.


And UUID uses SecureRandom internally to generate its values, so this is 
bogus advice.  Sorry, Arne, but you really should have checked before 
you posted.



#18837

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-18 21:07 -0400
Message-ID: <50591ad5$0$291$14726298@news.sunsite.dk>
In reply to: #18836
On 9/18/2012 8:30 PM, markspace wrote:
> On 9/18/2012 5:06 PM, Arne Vajhøj wrote:
>> Use a secure RNG (java.security.SecureRandom) to generate 100 random
>> bytes.
>
> And UUID uses SecureRandom internally to generate its values,

In that case UUID is good.

> so this is
> bogus advice. Sorry, Arne, but you really should have checked before
> you posted.

Maybe.

But UUID is not a Java-specific concept, and in general UUIDs are
not guaranteed to be hard-to-guess values.

It turns out that Java UUID supports two types of UUIDs, of which
one of them per the Java doc is using a "cryptographically strong
pseudo random number generator".

I was not aware.

Arne






#18842

From: Kevin McMurtrie <mcmurtrie@pixelmemory.us>
Date: 2012-09-18 22:50 -0700
Message-ID: <50595d2f$0$65510$742ec2ed@news.sonic.net>
In reply to: #18821
In article <k3a74r$u3s$1@news.m-online.net>,
 Magnus Warker <magnux@mailinator.com> wrote:

> Hi,
> 
> I want users to register on a site and send confirmation emails to them. 
> These emails should contain a link like this:
> 
> http://myurl?registration=E4AC4BD4
> 
> Here, "E4AC4BD4" should be a unique string. My idea for such a string is 
> just to hash an integer, i. e. the internal database key for the 
> registration record.
> 
> However, I actually don't know how to get such a hash. I tried BCrypt, 
> but this produces hashes built out of characters that I would not want 
> to be in a URL, e. g. commatas and that.
> 
> I would like to have a string like this:
> 
> - hexadecimal only
> - fixed size, e. g. always n characters, independend of the integer
> 
> Can you help?
> 
> Thank you!
> 
> Magnus

You can't use a 32 bit integer here.  Valid values would quickly become 
easier to guess as you add users.

1) Use SecureRandom to generate a string of link-safe characters.
2) Insert the key into the database
3) Send the link


Base64 will work well for step one.  Base64 encodes sets of 3 bytes 
into sets of 4 characters.  You'll want 9 SecureRandom bytes generating 
a 12-character id.


Should step two give you a unique key violation, buy a lottery ticket 
using the numbers.  If you don't retire on the winnings, make sure that 
SecureRandom doesn't have a stupid implementation in your JVM.  You can 
find it with the debugger.
-- 
I will not see posts from Google because I must filter them as spam
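The two token recipes given in this thread, Arne's (100 SecureRandom bytes, SHA-256, 64 hex characters) and Kevin's (9 SecureRandom bytes, 12 URL-safe Base64 characters), together with the "unique column, draw again on collision" handling Arne describes, as one added example; this is not code posted by any participant. The class name ConfirmationToken, the freshToken helper and its Predicate stand-in for the database uniqueness check are assumptions; it needs Java 8 or later for java.util.Base64.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

/** Confirmation-link tokens as discussed in this thread (added example, hypothetical class). */
public final class ConfirmationToken {

    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    /** Arne's recipe: 100 SecureRandom bytes -> SHA-256 -> 64 upper-case hex characters. */
    public static String hexToken() {
        byte[] seed = new byte[100];
        RNG.nextBytes(seed);
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-256").digest(seed);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
        return toHex(digest); // 32 bytes -> always 64 characters
    }

    /** Kevin's recipe: 9 SecureRandom bytes -> 12 URL-safe Base64 characters; 9 is a multiple of 3, so no padding. */
    public static String base64Token() {
        byte[] raw = new byte[9];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Fixed-length hex encoding: every byte becomes exactly two characters, so the size never depends on the value. */
    static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            int v = bytes[i] & 0xFF;
            out[2 * i] = HEX[v >>> 4];
            out[2 * i + 1] = HEX[v & 0x0F];
        }
        return new String(out);
    }

    /**
     * Uniqueness handling as Arne describes it: keep the column UNIQUE and, on a duplicate,
     * simply draw another token. 'exists' is a hypothetical stand-in for the database check
     * (a unique-constraint violation on INSERT plays the same role in real code).
     */
    public static String freshToken(Predicate<String> exists) {
        for (int attempt = 0; attempt < 5; attempt++) {
            String t = hexToken();
            if (!exists.test(t)) {
                return t;
            }
        }
        // Repeated collisions on 256-bit values mean the RNG provider is broken, not bad luck.
        throw new IllegalStateException("SecureRandom keeps producing duplicates; check the provider");
    }

    public static void main(String[] args) {
        Set<String> issued = new HashSet<>(); // constructed stand-in for the UNIQUE column
        String hex = freshToken(issued::contains);
        issued.add(hex);
        System.out.println(hex + " (" + hex.length() + " hex chars)");
        String b64 = base64Token();
        System.out.println(b64 + " (" + b64.length() + " URL-safe chars)");
        // Either token contains only URL-safe characters, matching the original request.
        System.out.println("http://myurl?registration=" + hex);
    }
}
```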





