Salting and hashing passwords, Java and PHP compatibility

I'm trying to make a game that will tie into website content, and users' accounts will be shared across the site multiple versions of the client.

The problem is that the password needs to be salt-hashed in PHP, and I need to be able to verify through Java, and I can't find any information on secure cryptos (like PBKDF2) and ensuring that the generation is identical between PHP and Java.

I've seen some info on using PBKDF2 on PHP, OR Hmac with SHA-1, but not combining them as is suggested in the name of Java's "PBKDF2WithHmacSHA1". I have a handle now on the individual hashing for PHP or Java.

How do I set up the methods to be able to generate a salt and hash on PHP, store it in MySQL and be able to verify passwords through Java's hashing functions?

Would prefer to stick with PBKDF2, if at all possible (unless someone can suggest an equivalent that would work better for cross-compatibility).

P.S. Not particularly sure whether this deserved to be here or on Crypto SE. I figured, since I was asking about specific languages, I'd try here first.

Answers


So, it turns out it wasn't as complicated as I was thinking it was. I found this question that said that PHP's equivalent to Java's PBKDF2WithHmacSha1 was the hash_pbkdf2 function with the sha1 algorithm. From there it was just a matter of transferring the salt and hash from the PHP to the Java. Here's how it ended up:

1) PHP: For this one, I just copied the guy's pbkdf2 function and generated the salt and hash like he did.

2) Java: All that needed to happen was a bit of a change in the bytecode conversion, and it worked just fine.

After that, all I needed to do was modify the Java code to fit into my server/client setup (including secondary session hashing), and work out a few more bugs surrounding more salt and hash encoding and decoding through network transmission, and it works perfectly now.

A slightly more detailed answer is available on that other question.


Try to consider using a pre-built user and password management like JBoss KeyCloak. It is based on standards like OAuth2 and OpenID Connect, and things like password reset, user registration and social login come for free. It includes connectors for Java and JavaScript. Apparently connectors for PHP are available as well.


Need Your Help

simple image upload in aspnet mvc

asp.net-mvc file-upload upload

i'm building a simple school portal, i have stucked at uploading an image into my application, i.e a user should upload school image to my server, i have directory for images as ./Content/Images --...

Browser handling on 401 status

jquery json http status http-status-code-401

I been working on an application that basically interaction with the server over json api (Not CORS request mind you just plain ajax request to server with accepting a json format back)