Cryptography API
NexAuth provides comprehensive cryptography utilities for secure password storage, data encryption, and cryptographic operations.Password Hashing
Bcrypt Hashing
CryptoService crypto = NexAuthAPI.getInstance().getCryptoService();
// Hash password
String hashedPassword = crypto.hashPassword("myPassword123");
// Verify password
boolean matches = crypto.verifyPassword("myPassword123", hashedPassword);
if (matches) {
// Password is correct
}
Custom Work Factor
// Hash with custom cost factor (4-31, default 12)
String hashedPassword = crypto.hashPassword("password", 14);
// Higher cost = more secure but slower
// Cost 12 = ~300ms on modern hardware
// Cost 14 = ~1.2s on modern hardware
Password Migration
// Migrate from old hash to new hash
String oldHash = "old_algorithm_hash";
String newPassword = "userInput";
if (crypto.isLegacyHash(oldHash)) {
// Verify with old algorithm
if (crypto.verifyLegacy(newPassword, oldHash)) {
// Rehash with bcrypt
String newHash = crypto.hashPassword(newPassword);
// Save new hash to database
}
}
Data Encryption
AES Encryption
// Encrypt sensitive data
String plaintext = "sensitive data";
String encrypted = crypto.encrypt(plaintext);
// Decrypt data
String decrypted = crypto.decrypt(encrypted);
// Encrypt with custom key
String key = crypto.generateKey();
String encrypted = crypto.encrypt(plaintext, key);
String decrypted = crypto.decrypt(encrypted, key);
File Encryption
// Encrypt file
File inputFile = new File("data.txt");
File outputFile = new File("data.enc");
crypto.encryptFile(inputFile, outputFile);
// Decrypt file
File encryptedFile = new File("data.enc");
File decryptedFile = new File("data_decrypted.txt");
crypto.decryptFile(encryptedFile, decryptedFile);
Secure Random
Generate Random Data
// Generate random bytes
byte[] randomBytes = crypto.generateRandomBytes(32);
// Generate random string
String randomString = crypto.generateRandomString(16);
// Generate random password
String password = crypto.generatePassword(12, true, true, true);
TOTP Secret Generation
// Generate TOTP secret
String secret = crypto.generateTOTPSecret();
// Generate backup codes
List<String> backupCodes = crypto.generateBackupCodes(10);
// Verify TOTP code
boolean valid = crypto.verifyTOTPCode(secret, "123456");
Hash Functions
Data Hashing
// SHA-256 hash
String hash = crypto.sha256("data to hash");
// SHA-512 hash
String hash = crypto.sha512("data to hash");
// MD5 hash (not recommended for security)
String hash = crypto.md5("data to hash");
File Hashing
// Hash file
File file = new File("data.txt");
String hash = crypto.sha256File(file);
Key Derivation
PBKDF2 Key Derivation
// Derive key from password
String password = "myPassword";
byte[] salt = crypto.generateRandomBytes(16);
byte[] key = crypto.deriveKey(password, salt, 10000, 256);
HMAC
// HMAC-SHA256
String hmac = crypto.hmac256("key", "message");
// HMAC-SHA512
String hmac = crypto.hmac512("key", "message");
Security Utilities
Secure String Handling
// Create secure string (erases from memory when done)
try (SecureString secure = new SecureString("sensitive data")) {
// Use secure string
char[] chars = secure.getChars();
// Process data...
} // Secure string is automatically erased
Password Validation
// Validate password strength
PasswordStrength strength = crypto.validatePassword("password123");
if (strength.isStrong()) {
// Password is strong
} else {
// Check requirements
if (!strength.hasMinLength()) {
// Password too short
}
if (!strength.hasUppercase()) {
// Missing uppercase letter
}
if (!strength.hasNumbers()) {
// Missing numbers
}
}
// Generate strong password
String strongPassword = crypto.generateStrongPassword(16);
Token Generation
JWT Tokens
// Generate JWT token
String token = crypto.generateJWTToken(
Map.of("user", "username", "exp", System.currentTimeMillis() + 3600000)
);
// Verify JWT token
boolean valid = crypto.verifyJWTToken(token);
// Decode JWT token
Map<String, Object> claims = crypto.decodeJWTToken(token);
API Tokens
// Generate API token
String token = crypto.generateApiToken();
// Verify API token
boolean valid = crypto.verifyApiToken(token);
Best Practices
Password Storage
// Always use bcrypt for passwords
String hashed = crypto.hashPassword(password);
// Never store plaintext passwords
// Never use MD5 or SHA-1 for passwords
// Use appropriate work factor
int costFactor = 12; // Default, good balance
int highSecurity = 14; // For admin accounts
int lowSecurity = 10; // For test environments
Data Encryption
// Use AES-256 for data encryption
String encrypted = crypto.encrypt(sensitiveData);
// Store encryption key securely
// Never hardcode keys in source code
// Use environment variables or key management systems
// Rotate keys periodically
Random Generation
// Use cryptographically secure random
String random = crypto.generateRandomString(32);
// Never use Math.random() for security
// Never use java.util.Random for security
// Generate sufficient length
// Minimum 16 bytes for tokens
// Minimum 32 bytes for API keys
Security Considerations
Performance
Hash Performance
// Bcrypt cost factors and approximate times
// Cost 4: ~10ms
// Cost 8: ~50ms
// Cost 12: ~300ms (recommended)
// Cost 14: ~1.2s (high security)
// Cost 16: ~4.8s (very high security)
// For production use
int costFactor = 12; // Good balance of security and speed
Async Operations
// Async password hashing
CompletableFuture<String> future = crypto.hashPasswordAsync(password);
future.thenAccept(hashed -> {
// Use hashed password
}).exceptionally(throwable -> {
// Handle error
return null;
});
Next Steps
Events API
Event system for authentication events.

