7.7: Ethical issues around Data Collection
Learning Objectives:
- Explaining the risks of privacy from collecting and storing personal data on computer systems.
Essential Knowledge:
- Data Collection: Methods (cookies, tracking, etc.)
- Ethical Data Use: Identifying Personal data (Personal Identifiable Information, Sensitive Personal Information)
- Security Practices: Data Encryption, Data Anonymization, Data Minimization
Privacy Protection mechanisms
- Encryption: Encode data for only authorized users to access.
- Anonymization: Remove personal information from data.
- Data Minimization: Collect only necessary data.
- User Control: Allowing users to control how their data is used
// Example string data
String originalData = "mySecretPassword123";
// Generate a hash code for the string
int hash = originalData.hashCode();
// Display the original data and its hash
System.out.println("Original Data: " + originalData);
System.out.println("Hash Code: " + hash);
// Demonstrate that the same string always produces the same hash
String sameData = "mySecretPassword123";
int sameHash = sameData.hashCode();
System.out.println("Same Data Hash: " + sameHash);
// Demonstrate that a small change in data produces a different hash
String modifiedData = "mySecretPassword124";
int modifiedHash = modifiedData.hashCode();
System.out.println("Modified Data: " + modifiedData);
System.out.println("Modified Data Hash: " + modifiedHash);
Original Data: mySecretPassword123
Hash Code: 1107444891
Same Data Hash: 1107444891
Modified Data: mySecretPassword124
Modified Data Hash: 1107444892
Uses of Hashing
- Hashing is used to store passwords securely but it is not enough for large scale industries.
- Hashing is used to conceal sensitive information like credit card information but not enough to protect it entirely.
Hashing with Salt
As we talked about earlier in the hashing section, hashing is a one-way function. This means that once you hash a value, you can’t get the original value back. This is useful for storing passwords, but it also means that if two users have the same password, they will have the same hash. This is a problem because if an attacker gets access to the hash, they can use a rainbow table to look up the hash and find the original password.
Thus, we use Hasing with Salt which means that even if 2 users have the same password, they will have different hashes because we add a random value to the password before hashing it. This random value is called a salt.
Homework
Homework Problem: Exploring Hashing and Privacy Protection (Extra Credit)
Problem:
Write a Java program that simulates how hashing works in protecting passwords. You will implement the following tasks:
- Task 1: Basic Password Hashing
- Write a program that accepts a user’s password input and generates a hash using the
hashCode()
method. - Display the original password and the hash to show how the same input always produces the same hash.
- Write a program that accepts a user’s password input and generates a hash using the
- Task 2: Salting the Password
- Enhance the program by generating a random salt for the password. Append the salt to the password before hashing, and display both the salt and the hashed password.
- Store the salt separately and demonstrate that the same password with a different salt produces a different hash.
- Task 3: Verifying the Password
- Write a method that simulates logging in by taking a password and salt as input, hashing them again, and comparing the result to the previously stored hash.
- If the hash matches, display “Login Successful”; otherwise, display “Login Failed.”
Extra Challenge (Optional):
- Research and use the
MessageDigest
class in Java to implement password hashing with a more secure algorithm like SHA-256. Modify your program to use this instead ofhashCode()
.
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Scanner;
public class PasswordHashing {
public static void main(String[] args) {
Scanner scanner = new Scanner(System.in);
// Task 1: Basic Password Hashing
System.out.print("Enter your password: ");
String password = scanner.nextLine();
String hash = hashWithSHA256(password);
System.out.println("Original Password: " + password);
System.out.println("Password Hash: " + hash);
// Task 2: Salting the Password
String salt = generateSalt();
String saltedHash = hashWithSHA256(password + salt);
System.out.println("Salt: " + salt);
System.out.println("Salted Password Hash: " + saltedHash);
// Task 3: Verifying the Password
System.out.print("Enter your password again for verification: ");
String passwordToVerify = scanner.nextLine();
String hashToVerify = hashWithSHA256(passwordToVerify + salt);
if (saltedHash.equals(hashToVerify)) {
System.out.println("Login Successful");
} else {
System.out.println("Login Failed");
}
scanner.close();
}
// Method to hash a string using SHA-256
public static String hashWithSHA256(String input) {
try {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hashBytes = digest.digest(input.getBytes());
StringBuilder hexString = new StringBuilder();
for (byte b : hashBytes) {
String hex = Integer.toHexString(0xff & b);
if (hex.length() == 1) hexString.append('0');
hexString.append(hex);
}
return hexString.toString();
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
// Method to generate a random salt
public static String generateSalt() {
SecureRandom random = new SecureRandom();
byte[] saltBytes = new byte[16]; // 16 bytes for the salt
random.nextBytes(saltBytes);
StringBuilder salt = new StringBuilder();
for (byte b : saltBytes) {
String hex = Integer.toHexString(0xff & b);
if (hex.length() == 1) salt.append('0');
salt.append(hex);
}
return salt.toString();
}
}