Decrypt SHA1?
Is there a way to decrypt SHA1? I have encrypted a SOAP message's UsernameToken password:
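import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

String sha1Hash = null;
try {
    // Hash the password text with SHA-1, using an explicit charset
    MessageDigest md = MessageDigest.getInstance("SHA-1");
    byte[] digest = md.digest(text.getBytes(StandardCharsets.UTF_8));
    // Base64-encode the 20-byte digest for use in the SOAP header
    sha1Hash = Base64.getEncoder().encodeToString(digest);
} catch (Exception e) {
    e.printStackTrace();
}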
By [basti78a] at [2007-11-27 7:38:40]

# 1
SHA1 is not, I repeat NOT, an encryption. It is a hash. The infinity of possible input byte sequences is mapped to 2^20 values so there are an infinity of possible input byte sequences (infinity / 2^20 is still infinity) for each SHA1 value. So, given a SHA1 hash value, which of those infinity of input byte sequences that will map to your value do you choose as your input?
P.S. It is normal to compare password hash values and not the actual password when validating a password.
# 2
Yes, I know it can be done by comparing hash values, because both client and provider know the password. But the Oasis specs (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf) say that the password should be calculated from a random word that only the client knows, a timestamp and the actual password:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
This is giving me a headache. Maybe it's better to use plain text password.
# 3
> Yes, I know it can be done by comparing hash values,
> because both client and provider know the password.
No they don't, they both know the hash value.
> This is giving me a headache.
Why?
ejpa at 2007-7-12 19:19:15
