Hash function question

Similar Messages

• Secure hash function with salt to create a not spoofable PRC (SAP CRM)

  Hello SAP Security Community,
  SAP CRM Marketing provides a functionality called Personalized Response Code (PRC, 10 characters). This code can be used in mail, fax, sms or letters to customers. When the customer returns the PRC to the communication initiator, it can be mapped to a campaign and the business partner number of the customer. See also the [SAP Standard Help|http://help.sap.com/saphelp_crm700_ehp01/helpdata/EN/2a/c13463f09c4a1f9c45903e7a0a7230/frameset.htm].
  By default this standard implementation of the BAdI CRM_MKT_PRC_CONVERT is called:
  METHOD if_ex_crm_mkt_prc_convert~convert_prc.
    DATA lv_no      TYPE  crmt_mkt_icrh_prc_num.
    DATA lv_string  TYPE  string.
    DATA lv_pos     TYPE  int4.
    DATA lv_base31  TYPE  string VALUE '0123456789BCDFGHJKLMNPQRSTVWXYZ'.
  **** converting the numeric-base10 into base31
    lv_no = iv_prc.
    CLEAR lv_string.
    DO.
      lv_pos = lv_no MOD 31.
      lv_no  = lv_no DIV 31.
      CONCATENATE lv_base31+lv_pos(1) lv_string INTO lv_string.
      IF lv_no = 0.
        EXIT.
      ENDIF.
    ENDDO.
    MOVE lv_string TO ev_prc.
  ENDMETHOD.
  As you can see it does a simple base31 encoding of the provided input parameter iv_prc which is a number provided by the number range for PRC's.
  I want to use the PRC to make our customers registration process for a trade fair easier. We send out the PRC via a letter to the customers where we don't have an E-Mail address. The letter contains instructions which point the user to a Website that has an input field for the PRC. When the user submits the PRC I'd like to show him/her some personal information (Name, Address, E-Mail) that we lookup using the PRC in the CRM System. This information is then posted to a 3rd party website that has to be used to do the trade fair registration.
  If I would use the simple base31 encoding, then the current counter state could be easily decoded, the next number can be chosen and by applying base31 encoding again, the next valid PRC is created. This could then be misused to read personal information of another customer. I think what could solve this problem would be to use a secure hash function that allows also to be salted to create the PRC.
  Do you think I'm on the right track? Or would it be OK to use the classes described in [Note 1410294 - Support SHA2-family for Message Digest and HMAC|https://service.sap.com/sap/support/notes/1410294] and before doing the hashing add a random number to the PRC number that I've got from the number range? What problems do I run in as the PRC could not be longer than 12 characters? For sure I have to check that I don't create any PRC twice.
  Best regards
  Gregor

  Knowledge of PCR should not reveal any personal information to you.
  OK, but in this case the PCR is mapped to the campaign number and the BP-number. It would reveal the information.  Hence a second hash which only allows further processing if it matches. The second hash is a "signature" of the PCR.
  I don't agree with this. The security should NOT be based on hiding how system works. Only key should be secret. In this case it should all depend on quality of PRNG. Check Kerckhoffs's principle. Whenever I see proprietary algorithm in crypto I start to feel nervous about the system.
  Ok, you convinced me. That is also true, but you will have to save the key or the hash it produces to be able to verify it again when the user returns to the website - and in this case it is in clear text ABAP (unless Mr. Wolf wants to create an external program, like SAP does with C-calls).
  From the perspective of the user it is a password and they must be able to transfer it from a snail-mail readable text on paper into a website field.
  As Mr. Wolf has noticed, the next PCRs can be obtained by anyone who can decode standard code (knowing that the BADI is activated).
  I think a correctly placed split and concatenation does the trick for a 20 character field without knowing which part is the PCR and which is the signature (a human can still enter that into a website field).
  I think the big question (appart from the principle - which I agree with you on) is whether the admins and their family members are allowed to bid? Also do the bidders have acces to this system as technical consultants?? (for example to single test methods and function modules in the production system??).
  Also how does the process continue and finally get concluded? Typically there is some "horse trading" in the end anyway... 
  All these factors should influence the strength and complexity of the design, and maintenance of it IMO.
  But generally you are correct and I rest my case.
  @ Mr. Wolf: Are you enjoying the debate too much or are you going to give us more insight?
  Cheers,
  Jules

• A hash function

  Hi,
  I am doing a project in which I hope to build a database on the one of 3 servers and in fact I will build 3 databases totally. When I send keys and datas to server from client, I hope to put them into databases equally, i.e. the amount of data on every server are as equal as possible. Now, I am using the following method:
  In general, key is string and I convert the string to number N;
  m = N % 3;
  if m = 1, put the key and the corresponding data into the database on server 1;
  if m = 2, put the key and the corresponding data into the database on server 2;
  if m = 3, put the key and the corresponding data into the database on server 3;
  When I query the data, I also use m' = N % 3 to decide which server I should go to search my data.
  Right now the problem is that for persons, most of them may use some letters more often than other letters. And thus the amount of the three databases may be not equal. Can any one give another method, a hash function, to solve this problem or give me some ideas about some books or some websites?
  Thanks a lot.

  I think that the following method can is good for the
  evenly distribution,and this is on the webstie of
  http://wwwcsif.cs.ucdavis.edu/~fletcher/classes/110W98/
  ecture_notes/hash.html
  Polynomial addressing:
  If x is a character string of standard length L (a
  very common situation), then form a polynomial using
  the ASCII values of each character. For example:
  x = ABC
  h(x) = 32^2 * 'A' + 32 * 'B' + 'C'
  Points to note:
  The ASCII values of each character are represented by
  the character placed between single quotes
  The factor 32 is used because it represents
  left-shifting by 5 bits
  This is easily computed using Horner's Rule: in this
  example,
  h(x) = (32 * 'A' + 'B') * 32 + 'C'
  This is easily coded as an iterative loop for
  arbitrary length L
  The general formula for strings of length L:
  h(x) = 32^(L-1) * x1 + 32^(L-2) * x2 + ... + xL
  If the polynomial gets too large during computation
  using Horner's rule, then you can mod out by the table
  size after each iteration:
  h = x1;
  for(i = 2; i <= L; i++)
  h = (h * 32 + xi) % Size;
  (going around in circles)
  This is EXACTLY how String's hashcode function is implemented! At least in the JDKs I have (1.3.1 --> 1.4.2). So my question is still: What's wrong with it?
  Apparently nothing!
  Suns implementation in String uses 31 as the 'magic' number which is perhaps better than 32 because instead of being a single shift, 31 acts as a distributed sum of shifts so that each input bit ends up affecting more bits in the hashcode. So, for example, the LSB's value will reflect every input received (instead of possibly just the last). Nice huh? This is especially important if you're going to %3 the value.
  sjasja's suggestion using 33 as the value has a similar effect.
  So to ensure consisteny (as was overlooked by me and suggested by sjasja) cut&paste the code from String.hashcode and use it.

• How to encrypt password with hash function in Java?

  Hello, everybody!
  I will need to store user passwords in a database, but for stronger security I want to store these passwords hashed, so I know I will need a column for the password and for the salt value.
  So, I'd like that you indicate me a very good article or tutorial (preferable from Sun) that shows me how to use Java to encrypt and decrypt passwords with hash. It doesn't necessarily need to deal with database. I can implement this part myself after seeing how Java manage encryption with hash functions.
  Thank you very much.
  Marcos

  I will tell you more precisely what I want to get better for you to help me.
  As I said I implemented in .NET what I need to implement in Java now. In my
  database I have a table with this structure (I omitted that columns that are not
  necessary to our discussion):
  CREATE TABLE EMPLOYEES
  ID NOT NULL PRIMARY KEY,
  PASSWORD VARCHAR(40), -- password encrypted
  HASH_SALT VARCHAR(10) -- salt value used to encrypt password
  So, in the table I have a column to store the password encrypted and a column to
  store the salt value.
  Below is a little utility class (in C#) that I use to generate the salt and
  the hashed password.
  public static class PasswordUtilities
      public static string GenerateSalt()
          RNGCryptoServiceProvider encoder = new RNGCryptoServiceProvider();
          byte[] buffer = new byte[5];
          encoder.GetBytes(buffer);
          return Convert.ToBase64String(buffer);
      public static string EncryptPassword(string password, string salt)
          string encryptedPassword =
              FormsAuthentication.HashPasswordForStoringInConfigFile(
              password + salt, "SHA1");
          return encryptedPassword;
  }As you can see, the class is fairly simple. It only has two methods: one to
  generate the salt value that will be used to encrypt the password and another
  one to encrypt the password. The method HashPasswordForStoringInConfigFile of
  the FormsAuthentication class is what really hash the password with the salt
  value. This class belongs to the .NET library, so we can't see its source code,
  but it doesn't matter for our discussion as I know that we can implement
  something similar in Java.
  Below is a little sample code showing the use of the utility class above to
  encrypt a password.
  public class Encrypt
      public static void Main(string args[])
          string password = "Secret";
          string salt = PasswordUtilities.GenerateSalt();
          string encryptedPassword = PasswordUtilities.EncryptPassword(password, salt);
          // now I store 'encryptedPassword' in the PASSWORD column and 'salt'
          // in the HASH_SALT column in the EMPLOYEES table.
  }To verify if a password is correct I can use the code below:
  public class VerifyPassword
      public static void Main(string args[])
          string password = GetPasswordFromUser();
          // Let's assume that employee is an instance that corresponds to a row
          // in the database and the properties HashSalt and Password correspond
          // to the HASH_SALT and PASSWORD columns respectively.
          Employee employee = GetEmployeeFromDatabase(1);
          string salt = employee.HashSalt;
          string encryptedPassword = PasswordUtilities.EncryptPassword(password, salt);
          bool passwordMatch = employee.Password.Equals(encryptedPassword);
          System.Console.WriteLine(passwordMatch);
  }The only thing that interest me in this discussion is the PasswordUtilities class.
  As you saw its code is in C#, using the .NET framework libraries.
  What I want is to have this same little class coded in Java, to generate the salt
  value and to encrypt the password passed in using salt value generated. If you could
  help me to do that with articles that have what I want or with code that already do
  that I would really appreciate.
  Thank you in advance.
  Marcos

• HASH FUNCTION IN JAVA

  i need help!!
  i have to create a program in java in which i want to compare passwords by using hash function.More specifically,the parameters of hash should be like this hash(password,salt).
  which is the library that i have to use and how can i call it in main function?
  thank you!
  plz respond as soon as possible!

  The same way you would call it in any other method :) You should start with the JCE develop guide and go from there. The more reading you can do on cryptography the better. If you understand the concepts, the Java code will become easier to write.
  http://download.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#MDEx

• One way hash function in java

  Simply i want to save a password entered to a java program and save it in a MySQL database
  Here I want to encrypt that password and save it in the database.... I prefer one way hash function encryption because it fulfills my need.
  SHA-1 is the best in java now as I read from a article, is it?
  What I need is that if someone can post a complete code which uses SHA-1 (if it is the best preferred one).
  I've tried some codes published in the web but didn't work
  one code worked very well but when I entered characters like "@#$%%" it failed.
  Thank You!!!

  797241 wrote:
  I've search using your key terms and got a good code that works ("java sha-1 example")
  thanks for that
  I didn't got that when i was searchingHard to believe.
  So suggesting that working link was enough though you've put some other annoying comment tooIt is considered extremely bad mannered just to ask for code. If you have presented code that has problems and ask for help in fixing the problems you will normally get help but just to ask for code implies you are very lazy.
  thanks for that too
  I would rather prefer if you would have written "You are not going to get an answer, get the hell out of here!!!"Now that would have invoked the wrath of the moderators!
  P.S. Just using a SHA-1 digest is insecure as the result is open to a dictionary attack. You should use a randomly seeded digest with both the random value and digest value being stored in the database.

• Help with Hash Function in Properties

  Hi, I need to know the algorithm of the Hash Function that is used by Java in its HashMap, Properties, etc... classes.
  Can I get it somewhere or is it private? I need it for documentation purposes.
  Thanks!
  Sigurd

  Hi.
  You can download the source for the entire JDK from the usual download locations, so you can see the details of the implementation there. If you're looking for a higher level description, I don't know where you'd find that, other than a few pages which document general ways to get well distributed hashes; look at http://java.sun.com/developer/Books/effectivejava/Chapter3.pdf for an example of this - a chapter from the mighty Joshua Bloch's 'Effective Java'.
  Regards,
  Lance

• SD & FI BI functional Questions

  Hi Experts,
  I need to ask some questions to customer on SD & FI functional related questions for BI Analytical reports..
  Already cutomer implemented Data ware house Informatica with congnos reporting tool.
  right now they want to implement BI.
  please any one can share on what type functional questions could ask the customer.
  Advance Thanks,
  Bala.

  Hi,
  A few more pointers.
  Start with Reports. What the client is using. What he is expecting.
  If he got existing reports map the fields with Business Content BW Fields. Go to Business content and make a list of queries which are delivered from SAP. Explain them the KPI's. This should be good to start with. Also check the Tcodes they use.
  Look for DataSources that get data from theses Tcode's.
  Project Preparation (Initial stuff -- Do a conceptual review after this phase requirements gathering)
  Collect requirement thru interviews with Business teams /Core users / Information Leaders.
  Study & analyze KPI's (key figures) of Business process.
  Identify the measurement criteria's (Characteristics).
  Understand the Drill down requirements if any.
  Understand the Business process data flow if any.
  Identify the needs for data staging layers in BW – (i. e need for ODS if any)
  Understand the system landscape.
  Prepare Final Requirements Documents in the form of Functional Specifications containing:
  Report Owners, Data flow, KPI's, measurement criteria's, Report format along with drilldown requirements.
  Hope this helps.
  Thanks,
  JituK

• Hash function in directory server

  Dear all,
  We have a very large database so when we setup our LDAP server, we add a number(between 0 and 256) ou to LDAP schema. The number is calculated from the user email address with a hash function.
  However we have such a problem when we want to migrate our old system to JMS. How can we let JMS to know the hash number from user's email? Is there any way to add a hash function to JMS's directory-access-API so that JMS would use both user's email and the hash number to access LDAP?
  Thanks for any help from you.
  Alex

  Dear all,
  We have a very large database so when we setup our
  LDAP server, we add a number(between 0 and 256) ou to
  LDAP schema. The number is calculated from the user
  email address with a hash function. This sounds like an unneeded complication. Why?
  >
  However we have such a problem when we want to
  migrate our old system to JMS. How can we let JMS to
  know the hash number from user's email? Is there any
  way to add a hash function to JMS's
  directory-access-API so that JMS would use both
  user's email and the hash number to access LDAP?You might look at the domain_uplevel setting in option.dat, but I'd personally rather have you loose the hash.
  We have deployments without such complications, into the several million Directory entries, with no problem, and no hash.
  >
  Thanks for any help from you.
  Alex

• Sumifs function question

  Hi, Everyone, I have a function question of Sumifs, here a sample as follows,
  =SUMIFS(Budget :: E4:E14,Budget :: C4:C14,"=5003677000",Budget :: B4:B14,OR("=Transit","=Drawing cash")), according to the logic, I think like this, but it's wrong. So how to insert the OR function to the Sumifs function? May someone find the mistake in the function?
  Thank you.
  Alex

  I think you would actually do a sum of simifs, i.e. Sumif(....."Transit") + Sumif(....."Drawing Cash")
  Basically if you have two sumifs that differ in only one condition that would be treated like an OR in SQL, then make one Sumif for each unique set of  conditions and add them up
  Jason

• Hashing function trouble???

  I'm using a standard hashing function for strings (ala P. J. Weingberger). It's worked fine on various unices (linux,freebsd,etc) and on a solaris 5.7 platform. However, I'm getting errors when I try to run on a Solaris 8 environment, Ultra1 (32-bit). I'm not familiar with Solaris, but perhaps someone could weigh in with why the following function is causing trouble... Different bitwise ops for Solaris 8? Also, the compiler is gcc.
  Here's the function. Thanks!
  unsigned int hashpjw (const void *key) {
  const char *ptr;
  unsigned int val;
  val=0;
  ptr=key;
  while (*ptr != '\0') {
  int tmp;
  val = (val << 4) + (*ptr);
  if (tmp = (val & 0xf0000000)) {
  val = val ^ (tmp >> 24);
  val &= ~tmp;
  ptr++;
  return (val%BIG_MAX);

  Solaris 2.6 and above use 64-bit versions of many
  libraries. If you are assuming 32-bit operations, your
  code will have problems. Consult the man-pages for
  how to get different compatability modes. There were
  dual 32 and 64 bit compat libs on Solaris 2.6. Not
  sure about Solaris 8. This is in the OS primarily, not
  the compilers, because lots of apps and any thrid
  party compilers have to make the choice between 32 bit
  and 64 bit compat.

• OIC: Functional Question(11.5.10)

  Hi All,
  I would like to know answer for the following functional question in Oracle 11.5.10 Incentive Compensation Application(OIC). I would greatly appreciate if you anyone can reply for this.
  1. Question on Foreign currency exchange rates:
  We know that OIC cannot handle foreign currency exchange rates. Since all of our offer letters to the Sales guys are in local currency what we end up doing is picking an exchange rate on July 1st every year and converting them to US $. What I’m wondering is why couldn’t we just set them up in OIC in their local currency, without converting them?
  Is that possible? OIC can handle this?
  2. In OIC, Can I enter a DUMMY Acoount Executive (since we are not going to credit any single person in the Primary Account Executive role) that bookings could be credited to in order to ensure they roll up to the appropriate manager?
  a) Is that possible?
  b) Does this DUMMY Acoount Executive should be part of the HR Employee setups as well?, In OIC should we need to load the transaction for DUMMY Account
  Executive so that credit will get rolled up to approriate managers based on the Group hiearchy setups?
  Thanks,
  Johnson
  Edited by: user10413783 on Jun 23, 2009 4:06 PM

  Hi Johnson,
  2. In OIC, Can I enter a DUMMY Acoount Executive (since we are not going to credit any single person in the Primary Account Executive role) that bookings could be credited to in order to ensure they roll up to the appropriate manager?
  Yes
  b) Does this DUMMY Acoount Executive should be part of the HR Employee setups as well?, In OIC should we need to load the transaction for DUMMY Account
  Executive so that credit will get rolled up to approriate managers based on the Group hiearchy setups?
  You do not need to set up the dummy resource as employee. All you need is to create as OTHER type of resource and add that resource to group.
  Hope this helps.
  Thanks
  Srini

• Hash Function used by oracle

  Hi,
  I am working on partition tables.
  I want to know more abt how hash partitioning works.
  I want to know the exact hash function used by oracle.
  I searched a lot, but couldn't find an exact answer on the net.
  Plz assist.
  Thanks in advance.
  Subha

  EdStevens wrote:
  Justin Mungal wrote:
  saratpvv wrote:
  This file contains port list
  $ORACLE_HOME/install/portlist.iniHey... neat... I didn't know about that.
  But I would still go with netstat just to be sure, as previously suggested. The portlist.ini file listed the EM and EM Agent ports, but didn't list the listener port... tsk tsk portlist.ini!Because you are expecting portlist.ini to be used for something that it is NOT used for ...
  I can't find the documentation now, but it seems I remember reading that oracle uses its portlist.ini file to track what ports it has assigned to various (but not all) of its services. But it is NOT used to actually configure those services. THAT is done with various .config or .xml files. See http://docs.oracle.com/cd/E11882_01/install.112/e24321/app_port.htm#sthref841 for some additional insight.
  Roger. I haven't actually used it, as I had only just heard about it. Thank you though.

• Hash function algorthim

  I want to use hash function for my DB to retrive data quickly...please help..

  Use cost-based optimizer for hash function. Hash Join builds a hash table from the rows in the driving table and uses the same hash formula on each row of the driven table to find matches.
  Please look into tuning doc for more at below link
  http://www.oracle.com/pls/db102/homepage

• Hash function - seeking for example

  Can some one give me an example of Hash function in flex. I wont to turn a string to hash code and then test if other string is giving me same hash code or in other words: I wont to set a password as part of my flex app.
  This is what I found http://help.adobe.com/en_US/FlashPlatform/beta/reference/actionscript/3/mx/utils/SHA256.ht ml on the help pages.
  I hope you be able to help me.

  var b:ByteArray = new ByteArray();
  b.writeMultiByte(data.toString(), "UTF-8");
  SHA256.computeDigest(b);