0 
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
byte[] salt = new byte[16];
random.nextBytes(salt);

I would like to convert salt to a string to store/read. I don't seem to be able to get this to work. I have read that I need to use the right encoding but I'm not sure what encoding to use. I have tried the following but get junk:

String s = new String(salt, "UTF-8");
String s = new String(salt, "UTF-16");
String s = new String(salt);

Edit: For context, I'm trying to work through and understand this code. I'm trying to view the salt and password so I can monkey with the code.

asked Jul 7, 2012 at 2:05
4
  • 1
    What do you expect? What does "junk" look like, and how does it compare to your expectation? Commented Jul 7, 2012 at 2:07
  • 2
    I'd advise to use Base64 or just Integer.toHexString to represent bytes as String Commented Jul 7, 2012 at 2:08
  • You're converting random bytes to strings- of course it's going to be nonsensical. Commented Jul 7, 2012 at 2:10
  • 1
    What's more, it's likely to be invalid UTF-8, and there's a decent chance of it being invalid UTF-16 as well. (Since the both of them have to represent characters from a basically 21-bit character set, there's sequences to say when a char is represented by more than one or two bytes.) Commented Jul 7, 2012 at 2:18

2 Answers 2

7

You need to use Base64 (Apache Commons) class or sun.misc.BASE64Encoder/BASE64Decode to encode the byte array.

answered Jul 7, 2012 at 2:16
Sign up to request clarification or add additional context in comments.

1 Comment

avoid the sun.misc classes at all costs. They are not part of the java language spec, and may not be present on all JVM's. Specifically if you run things on Websphere or Weblogic, you're not using the oracle jvm.
3

Like AVD says, the solution is to use Base64 encoding or some other binary-as-text encoding. (For example, Hex encoding.)

Why? Because binary data is not text!

What you are currently doing is telling the String constructor that the bytes are text that has been correctly encoded as UTF-8 or UTF-16 or (in the last case) the platform's default encoding. This is patently false. The "junk" you are seeing is what you get if you attempt to decode random binary stuff as text.

Worse still, the decoding process is probably lossy when you apply it to random binary data. For instance, some sequences of bytes are simply invalid if you try to treat them as UTF-8. (The spec for UTF-8 says so!) When the UTF-8 decoder sees one of these invalid sequences, it replaces it with a character (such as a '?') that means "invalid character". If you then turn the characters in the string back into bytes, you will get a different byte sequence to the one that you started with. That's probably a disaster for your use-case.

answered Jul 7, 2012 at 3:53

Comments

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.