Week 132 — How can one compute an SHA-256 hash in a Java application?
Question of the Week #132
How can one compute an SHA-256 hash in a Java application?
3 Replies
Hashing is the process of processing arbitrary input in a way that results in a (typically fixed-length) output which is the same given the same input. Good hashing functions distribute content over the complete output range and reduce the likelihood of collisions (two different inputs producing the same output). Cryptographic hashing functions have additional requirements like it being extremely computationally expensive to compute an input that can be hashed to a given output and similar inputs having completely unrelated hashes.
Hashing is used for efficient storage (e.g. via
HashMaps which uses hashing to distribute data), checksums (e.g. verifying integrity of a file) or password hashing (but SHA-256 shouldn't be used for passwords as explained later).
Java provides the MessageDigest class to compute hashes. To obtain an instance of that class, the MessageDigest.getInstance factory method can be used with the algorithm name as a parameter. After obtaining a MessageDigest, a hash can be calculated by passing a byte[] to a the digest() method which returns the hash as a byte[].
To compute hashes of Strings, the Strings can be converted to a byte[] using the getBytes() method.
If a textual representation of a hash is needed (for example include it as part of a JSON document), the resulting byte[] can be converted to a base64 String using the Base64 class.
SHA256 should not be used for passwords for multiple reasons. For example, passwords should be salted (add random content before computing the hash and storing the salt with the hash) to prevent different users with the same password having the same password hash and possibly also peppered (using an additional secret that is stored on a different medium and not in the database). Another reason why SHA256 should not be used for passwords is that it does not allow customizing the length strength (amount of computational resources required for computing the hash) as better hashing is needed when more computational resources are available. Algorithms like BCrypt or Argon2 provide salting and strength customization and should be used for password hashing instead.
📖 Sample answer from dan1st
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class SHA256Hasher {
public static void main(String[] args) {
// This is the text we want to turn into a hash
String input = "Hello, world!";
// Call our function that does the hashing String hash = computeSHA256(input);
// Print the original text and the hash result System.out.println("Original text: " + input); System.out.println("SHA-256 hash: " + hash); } // This method takes any text and gives back its SHA-256 hash as a string public static String computeSHA256(String text) { try { // Step 1: Get a SHA-256 hashing tool ready MessageDigest digest = MessageDigest.getInstance("SHA-256"); // Step 2: Feed the text into the hashing tool as bytes byte[] hashBytes = digest.digest(text.getBytes()); // Step 3: Convert the hashed bytes into a readable hex string StringBuilder hexString = new StringBuilder(); // Go through each byte of the hashed data for (byte b : hashBytes) { // Convert byte to hex (two characters) String hex = Integer.toHexString(0xff & b);
// If hex is only one character, add a '0' to make it two characters if (hex.length() == 1) hexString.append('0');
// Add the hex characters to our final string hexString.append(hex); } // Step 4: Return the full hash as a hex string return hexString.toString(); } catch (NoSuchAlgorithmException e) { // This means SHA-256 isn't available, which is very unlikely throw new RuntimeException("SHA-256 algorithm not found!", e); } } }
// Call our function that does the hashing String hash = computeSHA256(input);
// Print the original text and the hash result System.out.println("Original text: " + input); System.out.println("SHA-256 hash: " + hash); } // This method takes any text and gives back its SHA-256 hash as a string public static String computeSHA256(String text) { try { // Step 1: Get a SHA-256 hashing tool ready MessageDigest digest = MessageDigest.getInstance("SHA-256"); // Step 2: Feed the text into the hashing tool as bytes byte[] hashBytes = digest.digest(text.getBytes()); // Step 3: Convert the hashed bytes into a readable hex string StringBuilder hexString = new StringBuilder(); // Go through each byte of the hashed data for (byte b : hashBytes) { // Convert byte to hex (two characters) String hex = Integer.toHexString(0xff & b);
// If hex is only one character, add a '0' to make it two characters if (hex.length() == 1) hexString.append('0');
// Add the hex characters to our final string hexString.append(hex); } // Step 4: Return the full hash as a hex string return hexString.toString(); } catch (NoSuchAlgorithmException e) { // This means SHA-256 isn't available, which is very unlikely throw new RuntimeException("SHA-256 algorithm not found!", e); } } }
Submission from karlas1.