Using MD5 or SHA hashing in Java


MD5 and SHA are commonly used hashing algorithms. We use MessageDigest to apply the algorithm and then hex-encode the result to produce the hash of a string. This tutorial can be useful for beginners as well as advanced programmers.

Tutorial Level: ALL
Tools Required: Any text editor or IDE you like

In this tutorial we will discuss hashing strings with the MD5 and SHA algorithms in the Java programming language. Hashing is a commonly used method when working with passwords. A very common application is to store and match passwords in a database for authentication purposes. Some Java EE containers also support MD5- and SHA-based realm security for authentication and authorization.

In this article we will not dive deeper into security matters, but will limit the course to basic hex-encoded hashing using MD5/SHA. This demonstration uses SHA as well as MD5 to show you the result; it's up to you which one you would like to use in your application. The process has 4 steps overall.

  1. Get the instance of the Algorithm to apply.
  2. Feed the value into algorithm.
  3. Digest the value.
  4. Encode the digested value into hex encoding.

The following code sample shows the operation. Read it through first and try to map the steps defined above to the code below.


package security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HashPassword {
    public static String hashPassword(String password) throws NoSuchAlgorithmException {
        // Step 1: get an instance of the algorithm ("SHA" is the JDK's name for SHA-1)
        MessageDigest md = MessageDigest.getInstance("SHA");
        // Step 2: feed the input, with a fixed charset so the bytes are the same on every platform
        md.update(password.getBytes(StandardCharsets.UTF_8));
        // Step 3: digest the value
        byte[] b = md.digest();
        // Step 4: hex-encode, always two digits per byte so that 0x06 becomes "06" and not "6"
        StringBuffer sb = new StringBuffer();
        for (byte b1 : b) {
            sb.append(String.format("%02x", b1));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String password = "password";
        System.out.println(password);
        try {
            System.out.println(hashPassword(password));
        } catch (NoSuchAlgorithmException e) {
            System.out.println(e);
        }
    }
}

In the program we have created a static method so that we can call it directly from the main method (for demonstration purposes only). The focus is on the hashPassword() method: it takes a string as a parameter and returns the hex-encoded hash of that string. No salt is involved; the same input always gives the same output.

First of all we need an instance of the MessageDigest class, which specifies which algorithm we want in our application. In the code we have used SHA. If you want to use MD5, just replace SHA with MD5; nothing else needs to be changed.

Once you have hold of the algorithm, you need to feed the input to it, which is done using the update method. It has three forms (please read the documentation for more info). We are supplying the whole input as a byte array, encoded as UTF-8 so the result does not depend on the platform's default charset.

The third step is to digest the fed value using the digest method, which returns a byte array once the algorithm is done with it. That leaves us with the last step.

In the final step we simply iterate over the array byte by byte, converting each byte into its hex-encoded form. Each byte is written as exactly two hex digits; without the leading zero, a byte such as 0x06 would come out as a single character and the string would be shorter than the real digest. We have used a StringBuffer to hold the values while in the loop, which is slightly better than concatenating Strings (it does not matter that much here).

Output: when using MessageDigest md = MessageDigest.getInstance("SHA");
password
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

Output: when using MessageDigest md = MessageDigest.getInstance("MD5");
password
5f4dcc3b5aa765d61d8327deb882cf99

Output: when using MessageDigest md = MessageDigest.getInstance("ERROR");
password
java.security.NoSuchAlgorithmException: ERROR MessageDigest not available

As you can see, in the first two runs we obtain a different hash for the same value because a different algorithm is used. The last one (ERROR) isn't really an algorithm; we ran it like that to show that MessageDigest may throw a NoSuchAlgorithmException when support for the algorithm is not available in the system. However, Java security specifies support for the popular hashing algorithms.
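
The hashPassword() method above returns the same hex string for the same password every time, because no salt is involved. As an added example (not part of the original tutorial), the class below shows what salting looks like for stored passwords, using the JDK's PBKDF2WithHmacSHA256 in place of a single MessageDigest pass. The class name, the iterations:salt:hash storage format and the parameter values are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordHash {
    // Assumed example parameters; tune the iteration count to your own hardware.
    static final int ITERATIONS = 600_000, SALT_BYTES = 16, KEY_BITS = 256;

    // Derives a key from the password and salt with PBKDF2 (HMAC-SHA256).
    static byte[] derive(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Draws a fresh random salt per password and returns "iterations:saltHex:hashHex" for storage.
    static String hash(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return ITERATIONS + ":" + toHex(salt) + ":" + toHex(derive(password, salt, ITERATIONS));
    }

    // Recomputes the hash with the stored salt and iteration count, then compares.
    static boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] p = stored.split(":");
        if (p.length != 3) return false;
        byte[] actual = derive(password, fromHex(p[1]), Integer.parseInt(p[0]));
        return MessageDigest.isEqual(fromHex(p[2]), actual); // does not stop at the first mismatching byte
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b)); // two digits per byte
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = hash("password".toCharArray()); // constructed sample input
        System.out.println(stored);
        System.out.println(verify("password".toCharArray(), stored));
        System.out.println(verify("passw0rd".toCharArray(), stored));
    }
}
```

Because the salt is random, hashing the same password twice gives two different stored strings, and both verify against the original password.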