Security Top

I just announced the new Learn Spring course, focused on the fundamentals of Spring 5 and Spring Boot 2:

>> CHECK OUT THE COURSE

Java Top

I just announced the new Learn Spring course, focused on the fundamentals of Spring 5 and Spring Boot 2:

>> CHECK OUT THE COURSE

1. Overview

The SHA (Secure Hash Algorithm) is one of the popular cryptographic hash functions. A cryptographic hash can be used to make a signature for a text or a data file. In this tutorial, let’s have a look how we can perform SHA-256 and SHA3-256 hashing operations using various Java libraries.

The SHA-256 algorithm generates an almost-unique, fixed-size 256-bit (32-byte) hash. This is a one-way function, so the result cannot be decrypted back to the original value.

Currently, SHA-2 hashing is widely used as it is being considered as the most secure hashing algorithm in the cryptographic arena.

SHA-3 is the latest secure hashing standard after SHA-2. Compared to SHA-2, SHA-3 provides a different approach to generate a unique one-way hash, and it can be much faster on some hardware implementations. Similar to SHA-256, SHA3-256 is the 256-bit fixed-length algorithm in SHA-3.

NIST released SHA-3 in 2015, so there are not quite as many SHA-3 libraries as SHA-2 for the time being. It’s not until JDK 9 that SHA-3 algorithms were available in the built-in default providers.

Now, let’s start with SHA-256.

Further reading:

Locality-Sensitive Hashing in Java Using Java-LSH

A quick and practical guide to applying the Locality-Sensitive Hashing algorithm in Java using the java-lsh library.

Read more

MD5 Hashing in Java

A quick writeup show you how to deal with MD5 hashing in Java.

Read more

A Guide to HashSet in Java

A quick but comprehensive introduction to HashSet in Java.

Read more

2. MessageDigest Class in Java

Java provides inbuilt MessageDigest class for SHA-256 hashing:

MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] encodedhash = digest.digest(
  originalString.getBytes(StandardCharsets.UTF_8));

However, here we have to use a custom byte to hex converter to get the hashed value in hexadecimal:

private static String bytesToHex(byte[] hash) {
    StringBuffer hexString = new StringBuffer();
    for (int i = 0; i < hash.length; i++) {
    String hex = Integer.toHexString(0xff & hash[i]);
    if(hex.length() == 1) hexString.append('0');
        hexString.append(hex);
    }
    return hexString.toString();
}

3. Guava Library

The Google Guava library also provides a utility class for hashing.

First, let’s define the dependency:

<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>20.0</version>
</dependency>

Now, here’s how we can use Guava to hash a String:

String sha256hex = Hashing.sha256()
  .hashString(originalString, StandardCharsets.UTF_8)
  .toString();

4. Apache Commons Codecs

Similarly, we can also use Apache Commons Codecs as well:

<dependency>
    <groupId>commons-codec</groupId>
    <artifactId>commons-codec</artifactId>
    <version>1.11</version>
</dependency>

Here’s the utility class – called DigestUtils – that supports SHA-256 hashing:

String sha256hex = DigestUtils.sha256Hex(originalString);

5. Bouncy Castle Library

5.1. Maven Dependency

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.60</version>
</dependency>

5.2. Hashing using the Bouncy Castle Library

The Bouncy Castle API provides a utility class for converting hex data to bytes and back again.

However, it is required to populate a digest using the built-in Java API first:

MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(
  originalString.getBytes(StandardCharsets.UTF_8));
String sha256hex = new String(Hex.encode(hash));

6. SHA3-256

Now let’s continue with SHA3-256. SHA3-256 hashing in Java is nothing quite different from SHA-256.

6.1. MessageDigest Class in Java

Starting from JDK 9, we can simply use the built-in SHA3-256 algorithm:

final MessageDigest digest = MessageDigest.getInstance(SHA3_256);
final byte[] hashbytes = digest.digest(
  originalString.getBytes(StandardCharsets.UTF_8));
String sha3_256hex = bytesToHex(hashbytes);

6.2. Apache Commons Codecs

Apache Commons Codecs provides a convenient DigestUtils wrapper for the MessageDigest class. This library began to support SHA3-256 since version 1.11 and it requires JDK 9+ as well:

String sha3_256hex = new DigestUtils(SHA3_256).digestAsHex(originalString);

6.3. Keccak-256

Keccak-256 is another popular SHA3-256 hashing algorithm. Currently, it serves as an alternative to the standard SHA3-256. Keccak-256 delivers the same security level as the standard SHA3-256, and it differs from SHA3-256 only on the padding rule. It has been used in several blockchain projects, such as Monoro.

Again, we need to import the Bouncy Castle Library to use Keccak-256 hashing:

Security.addProvider(new BouncyCastleProvider());
final MessageDigest digest = MessageDigest.getInstance(KECCAK_256);
final byte[] encodedhash = digest.digest(
  originalString.getBytes(StandardCharsets.UTF_8));
String sha3_256hex = bytesToHex(encodedhash);

We can also make use of the Bouncy Castle API to do the hashing:

Keccak.Digest256 digest256 = new Keccak.Digest256();
byte[] hashbytes = digest256.digest(
  originalString.getBytes(StandardCharsets.UTF_8));
String sha3_256hex = new String(Hex.encode(hashbytes));

7. Conclusion

In this quick article, we had a look at few ways of implementing SHA-256 and SHA3-256 hashing in Java, using both built-in and third-party libraries.

The source code of the examples above can be found on the GitHub project.

Security bottom

I just announced the new Learn Spring course, focused on the fundamentals of Spring 5 and Spring Boot 2:

>> CHECK OUT THE COURSE

Java bottom

I just announced the new Learn Spring course, focused on the fundamentals of Spring 5 and Spring Boot 2:

>> CHECK OUT THE COURSE

newest oldest most voted
Notify of
Muni
Guest
Muni

Hi this is very nice tutorial am fan u and ur website keep doing same.

Muni
Guest
Muni

Do you have any post on encryption in Java 8. Please reply me.

Eugen Paraschiv
Guest

Does this help? Cheers,
Eugen.