I'm quite new to NodeJs and trying to figure out how to use the "crypto" module. While playing around with it I notice the difference between the "crypto" module in NodeJs and crypto-js:
With crypto-js, I have:
/**
 * Iterated SHA-256 over `salt + password`, built on crypto-js.
 *
 * The first round hashes the concatenated string. Every later round feeds the
 * object returned by finalize() straight back into update(), so it hashes the
 * previous digest itself rather than a hex rendering of it.
 *
 * NOTE(review): this is a hand-rolled construction shown for comparison; for
 * stored passwords a standard KDF is the usual choice.
 *
 * @param {string} password - secret to hash
 * @param {string} salt - prepended to the password before the first round
 * @param {number} iteration - number of hashing rounds
 * @returns {string} the last round's value rendered via toString(CryptoJS.enc.Base64)
 */
function SHA256Hash(password, salt, iteration) {
  let current = salt + password;
  const hasher = CryptoJS.algo.SHA256.create();
  let round = 0;
  while (round < iteration) {
    // Debug trace only: it displays the salted password in round one and every
    // intermediate digest after that, so it must not survive into real use.
    alert("saltedpassword = " + current);
    hasher.update(current);
    current = hasher.finalize();
    // The hasher is reused, so its state is cleared before the next round.
    hasher.reset();
    round += 1;
  }
  return current.toString(CryptoJS.enc.Base64);
}
Then call :
// Demo call with a sample password, the salt "ASIN" and 3 rounds.
// A fixed salt and a single-digit round count only suit a reproducible example.
var hashedPassword = SHA256Hash("123456789", "ASIN", 3)
And receive :
saltedpassword = ASIN123456789
saltedpassword = 3362d80b757d14bfe18c01f6a003ed38a3a4a3dcab0417efb457b71740e21411
saltedpassword = 6020c992a9b7cd3ca9e95b9a3e21b64911edb7983b3dd77bdcecda19f2756987
With "crypto" module, I wrote:
/**
 * Iterated SHA-256 over `salt + password`, built on Node's crypto module.
 *
 * Rounds before the last store the digest as a hex string, so the following
 * round hashes that hex text rather than the digest bytes. The last round
 * returns its digest Base64-encoded.
 *
 * NOTE(review): this is a hand-rolled construction shown for comparison; for
 * stored passwords a standard KDF is the usual choice.
 *
 * @param {string} password - secret to hash
 * @param {string} salt - prepended to the password before the first round
 * @param {number} iteration - total number of hashing rounds
 * @returns {string} Base64 encoding of the final SHA-256 digest
 */
function SHA256Hash(password, salt, iteration) {
  let current = salt + password;
  for (let round = 0; round < iteration - 1; round += 1) {
    // Debug trace only: it writes the salted password and each intermediate
    // digest to the console, so it must not survive into real use.
    console.log("saltedpassword = " + current);
    // digest('hex') turns the digest into text; the next round hashes that text.
    current = crypto.createHash('sha256').update(current).digest('hex');
  }
  console.log("saltedpassword = " + current);
  return crypto.createHash('sha256').update(current).digest('base64');
}
Then call:
// Demo call with a sample password, the salt "ASIN" and 3 rounds.
// A fixed salt and a single-digit round count only suit a reproducible example.
var hashedPassword = SHA256Hash("123456789", "ASIN", 3);
And receive:
saltedpassword = ASIN123456789
saltedpassword = 3362d80b757d14bfe18c01f6a003ed38a3a4a3dcab0417efb457b71740e21411
saltedpassword = 4795d40ae8ae797f0ce51dfe4b496bca68f6d1f4a264f4ca52348ddd65a2988d
The first two items are the same but the third item is different. Did I miss something?
Edited: When I compare with Jasypt, CryptoJS generates similar keys. My question is how to tune the "crypto" module so that it generates the same keys as CryptoJS and Jasypt do.
I'm quite new to NodeJs and trying to figure out how to use the "crypto" module. While playing around with it I notice the difference between the "crypto" module in NodeJs and crypto-js:
With crypto-js, I have:
/**
 * Iterated SHA-256 over `salt + password`, built on crypto-js.
 *
 * The first round hashes the concatenated string. Every later round feeds the
 * object returned by finalize() straight back into update(), so it hashes the
 * previous digest itself rather than a hex rendering of it.
 *
 * NOTE(review): this is a hand-rolled construction shown for comparison; for
 * stored passwords a standard KDF is the usual choice.
 *
 * @param {string} password - secret to hash
 * @param {string} salt - prepended to the password before the first round
 * @param {number} iteration - number of hashing rounds
 * @returns {string} the last round's value rendered via toString(CryptoJS.enc.Base64)
 */
function SHA256Hash(password, salt, iteration) {
  let current = salt + password;
  const hasher = CryptoJS.algo.SHA256.create();
  let round = 0;
  while (round < iteration) {
    // Debug trace only: it displays the salted password in round one and every
    // intermediate digest after that, so it must not survive into real use.
    alert("saltedpassword = " + current);
    hasher.update(current);
    current = hasher.finalize();
    // The hasher is reused, so its state is cleared before the next round.
    hasher.reset();
    round += 1;
  }
  return current.toString(CryptoJS.enc.Base64);
}
Then call :
// Demo call with a sample password, the salt "ASIN" and 3 rounds.
// A fixed salt and a single-digit round count only suit a reproducible example.
var hashedPassword = SHA256Hash("123456789", "ASIN", 3)
And receive :
saltedpassword = ASIN123456789
saltedpassword = 3362d80b757d14bfe18c01f6a003ed38a3a4a3dcab0417efb457b71740e21411
saltedpassword = 6020c992a9b7cd3ca9e95b9a3e21b64911edb7983b3dd77bdcecda19f2756987
With "crypto" module, I wrote:
/**
 * Iterated SHA-256 over `salt + password`, built on Node's crypto module.
 *
 * Rounds before the last store the digest as a hex string, so the following
 * round hashes that hex text rather than the digest bytes. The last round
 * returns its digest Base64-encoded.
 *
 * NOTE(review): this is a hand-rolled construction shown for comparison; for
 * stored passwords a standard KDF is the usual choice.
 *
 * @param {string} password - secret to hash
 * @param {string} salt - prepended to the password before the first round
 * @param {number} iteration - total number of hashing rounds
 * @returns {string} Base64 encoding of the final SHA-256 digest
 */
function SHA256Hash(password, salt, iteration) {
  let current = salt + password;
  for (let round = 0; round < iteration - 1; round += 1) {
    // Debug trace only: it writes the salted password and each intermediate
    // digest to the console, so it must not survive into real use.
    console.log("saltedpassword = " + current);
    // digest('hex') turns the digest into text; the next round hashes that text.
    current = crypto.createHash('sha256').update(current).digest('hex');
  }
  console.log("saltedpassword = " + current);
  return crypto.createHash('sha256').update(current).digest('base64');
}
Then call:
// Demo call with a sample password, the salt "ASIN" and 3 rounds.
// A fixed salt and a single-digit round count only suit a reproducible example.
var hashedPassword = SHA256Hash("123456789", "ASIN", 3);
And receive:
saltedpassword = ASIN123456789
saltedpassword = 3362d80b757d14bfe18c01f6a003ed38a3a4a3dcab0417efb457b71740e21411
saltedpassword = 4795d40ae8ae797f0ce51dfe4b496bca68f6d1f4a264f4ca52348ddd65a2988d
The first two items are the same but the third item is different. Did I miss something?
Edited: When I compare with Jasypt, CryptoJS generates similar keys. My question is how to tune the "crypto" module so that it generates the same keys as CryptoJS and Jasypt do.
Just as a side note about the terminology: SHA256, like any other hashing algorithm, is not encryption. `SHA256Encrypt` is therefore a confusing name. I know this is an old question but people like me still manage to find our way here. – quinz, commented Jun 7, 2017 at 8:34
4 Answers
Apparently I can't add comments to freakish's answer, so I'll write it here instead:
reset() works fine. The significant difference is you're converting the hash output to a hex string within the iteration loop.
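In the crypto-js example, finalize() returns raw binary data. In the crypto module example, digest() returns a hex string. That difference in output means a difference in input when you iteratively re-hash: the next round hashes the 64 hex characters instead of the 32 digest bytes. To make the Node version match, call digest() without an encoding inside the loop, so that the next update() receives the raw Buffer.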
I've done some tests and apparently this `reset` function (in crypto-js) messes things up. I'm not sure what it does and I don't have enough patience to look for the issue. :) However, here's the working solution:
/**
 * Iterated SHA-256 over `salt + password` using the crypto-js one-shot helper.
 *
 * Despite the name, this hashes; nothing here can be decrypted. Rounds before
 * the last convert the digest to a hex string, so the following round hashes
 * that hex text. The last round is rendered via toString(CryptoJS.enc.Base64).
 *
 * NOTE(review): this is a hand-rolled construction shown for comparison; for
 * stored passwords a standard KDF is the usual choice.
 *
 * @param {string} password - secret to hash
 * @param {string} salt - prepended to the password before the first round
 * @param {number} iteration - total number of hashing rounds
 * @returns {string} Base64 rendering of the final digest
 */
function SHA256Encrypt(password, salt, iteration) {
  let current = salt + password;
  for (let round = 0; round < iteration - 1; round += 1) {
    // Debug trace only: it displays the salted password and each intermediate
    // digest, so it must not survive into real use.
    alert("saltedpassword = " + current);
    const digest = CryptoJS.SHA256(current);
    current = digest.toString(CryptoJS.enc.Hex);
  }
  return CryptoJS.SHA256(current).toString(CryptoJS.enc.Base64);
}
which makes both codes even more similar, which is good.
Use PBKDF2 instead!
Why are you not using the built-in PBKDF2 from node-crypto:
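// The digest is named explicitly: current Node releases reject a pbkdf2Sync call
// without one, and any other implementation has to use the same digest to
// derive the same key.
// Node's key-length argument is in bytes, and the result is a Buffer.
// NOTE(review): the crypto-js snippet on this page divides keysize by 32
// (bits -> 32-bit words); if keysize is meant in bits, pass keysize / 8 here — confirm.
var hashedpw = crypto.pbkdf2Sync(password, salt, iterations, keysize, 'sha256');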
and crypto-js:
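var hashedpw = CryptoJS.PBKDF2(
  password,
  salt,
  {
    // keySize counts 32-bit words, hence the division when keysize is in bits.
    keySize: keysize / 32,
    iterations: iterations,
    // Name the hash explicitly: the library default has differed between
    // crypto-js releases, and any other implementation has to use the same
    // digest to derive the same key.
    hasher: CryptoJS.algo.SHA256
  }
);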
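Not only is it more secure than what you're trying to do, because it is much more expensive to compute than repeated hashing, it's also a lot easier to implement. That cost comes from the iteration count, so the count has to be set high, and the salt should be random and unique per password.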