Question

I have the following requirement.

1. Save a user password converted to a hash (digest).
2. When comparing with the database, add random bytes to the password given by the user.
3. Now send the password with the random bytes added to the DAO class.
4. Separate the random bytes from the password.
5. Compare with the stored hashed (digested) password.

I tried something similar, but it gives an array out of bounds exception.

package poc;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;


public class HashedPassword {
    public static final String CRYPTOGRAPHY_ALGORITHM = "MD5";
    public static final String CHAR_SET = "UTF8";
    public static void main(String[] arg){
        System.out.println(createPassword("r14@17*$"));
    }
    public static byte[] createPassword(String password){
        byte[] salt = new byte[12];
        byte[] digestedPassword =null;
        byte[] digestedPasswordPwd =null;
        try {
                SecureRandom random = new SecureRandom();
                random.nextBytes(salt);
                MessageDigest mdPassword = MessageDigest.getInstance(CRYPTOGRAPHY_ALGORITHM);
                MessageDigest mdPasswordPawd = MessageDigest.getInstance(CRYPTOGRAPHY_ALGORITHM);

                mdPassword.update(salt);
                mdPassword.update(password.getBytes(CHAR_SET));

                mdPasswordPawd.update(password.getBytes(CHAR_SET));
                digestedPassword = mdPassword.digest();
                digestedPasswordPwd = mdPasswordPawd.digest();
                byte[] resultBytes= new byte[1000];

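                // Throws ArrayIndexOutOfBoundsException: an MD5 digest is 16 bytes,
                // so srcPos (11) + length (16) runs past the end of digestedPassword.
                System.arraycopy(digestedPassword, 11, resultBytes,0,digestedPassword.length);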

                if(Arrays.equals(resultBytes, digestedPasswordPwd)){
                    System.out.println("match");
                }else{
                    System.out.println("no-match");
                }

        } catch (Exception ex) {
            ex.printStackTrace();
        }
        System.out.println("digestedPassword : "+digestedPassword);
        System.out.println("digestedPasswordPwd : "+digestedPasswordPwd);
        return digestedPassword;
    }

}

Stacktrace :

java.lang.ArrayIndexOutOfBoundsException
digestedPassword : [B@9980d5
digestedPasswordPwd : [B@1d95492
[B@9980d5
    at java.lang.System.arraycopy(Native Method)
    at poc.HashedPassword.createPassword(HashedPassword.java:43)
    at poc.HashedPassword.main(HashedPassword.java:23)

So please help me with how to go about it.

Kind Regards


Solution

This line is at fault:

System.arraycopy(digestedPassword, 11, resultBytes,0,digestedPassword.length); 

It tries to copy digestedPassword.length bytes from the digestedPassword, starting from position 11. So it tries to copy 11 bytes that are not there.

Try this one instead:

System.arraycopy(digestedPassword, 11, resultBytes,0,digestedPassword.length-11); 

Copy from the API doc for System.arraycopy:

Otherwise, if any of the following is true, an IndexOutOfBoundsException is thrown and the destination is not modified:

The srcPos argument is negative.
The destPos argument is negative.
The length argument is negative.
srcPos+length is greater than src.length, the length of the source array.
destPos+length is greater than dest.length, the length of the destination array.

OTHER TIPS

First of all, I think from your code, you are missing the bit related to removing/separating the random bytes from the password, so it might never be equal.

Regarding your ArrayIndexOutOfBoundsException, I suggest you use

System.arraycopy(digestedPassword, 0, resultBytes,0,digestedPassword.length);
Licensed under: CC-BY-SA with attribution