javascript - What's the Node.js equivalent of the PHP hash function (including salt and raw output)? - Stack Overflow

admin, 2025-04-17

My co-worker has a database that stores account information; an account's SHA256 hashed password and salt value are stored in columns as raw binary data (blobs).

The password is hashed in PHP using this (true indicates raw output):

hash("sha256", $salt . $password, true);

I'm trying to implement authentication on a Node.js server that has to get back the same hashed password that's stored in the database from PHP. This doesn't seem to work:

/**
 * Validates a password sent by an end user by comparing it to the
 * hashed password stored in the database. Uses the Node.js crypto library.
 *
 * @param password The password sent by the end user.
 * @param dbPassword The hashed password stored in the database.
 * @param dbSalt The encryption salt stored in the database.
 */
function validatePassword(password, dbPassword, dbSalt) {
    // Should the dbSalt be a Buffer, hex, base64, or what?
    var hmac = crypto.createHmac("SHA256", dbSalt);
    var hashed = hmac.update(password).digest('base64');
    console.log("Hashed user password: " + hashed);
    console.log("Database password: " + dbPassword.toString('base64'));
    return hashed === dbPassword;
}

asked Jun 20, 2013 at 18:20 by afollestad

2 Answers

With a lot of experimentation, I found a solution.

var crypto = require('crypto');

/**
 * Encrypts a password using sha256 and a salt value.
 *
 * @param password The password to hash.
 * @param salt The salt value to hash with.
 */
function SHA256Encrypt(password, salt) {
    var saltedpassword = salt + password;
    var sha256 = crypto.createHash('sha256');
    // Pass 'binary' explicitly so each character of the salted string is hashed
    // as one byte; without it, current Node.js encodes strings as UTF-8.
    sha256.update(saltedpassword, 'binary');
    return sha256.digest('base64');
}

/**
 * Validates a password sent by an end user by comparing it to the
 * hashed password stored in the database.
 *
 * @param password The password sent by the end user.
 * @param dbPassword The hashed password stored in the database, encoded in Base64.
 * @param dbSalt The encryption salt stored in the database. This should be a raw blob.
 */
function validatePassword(password, dbPassword, dbSalt) {
    var hashed = SHA256Encrypt(password, dbSalt.toString('binary'));
    return hashed === dbPassword;
}

Thanks to TravisO, though, he put me on the right path.

crypto.createHash()

http://nodejs.org/docs/v0.6.18/api/crypto.html#crypto_crypto_createhash_algorithm

Just make absolutely sure you use exactly the same hashing type, and salt.
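
A Buffer-based version of the PHP call from the question, added here as an example (it is not code from either answer): the salt and stored hash stay raw bytes and the comparison is constant-time. It assumes PHP received the password as UTF-8; `phpSha256Raw`, `hmacVariant`, `stringConcatVariant` and the sample values are constructed for illustration.

```javascript
const crypto = require('crypto');

// PHP: hash("sha256", $salt . $password, true)
// Raw 32-byte SHA-256 over the salt bytes followed by the password bytes.
function phpSha256Raw(password, salt) {
  return crypto.createHash('sha256')
    .update(salt)              // Buffer: bytes are hashed untouched
    .update(password, 'utf8')  // assumption: PHP saw the password as UTF-8
    .digest();                 // no encoding argument -> Buffer (raw output)
}

// Compare with the stored blob in constant time. timingSafeEqual throws on
// unequal lengths, so the length is checked first.
function validatePassword(password, dbPassword, dbSalt) {
  const computed = phpSha256Raw(password, dbSalt);
  return computed.length === dbPassword.length &&
    crypto.timingSafeEqual(computed, dbPassword);
}

// What the question's code computed: an HMAC keyed with the salt. This is a
// different construction from SHA-256(salt || password) and never matches it.
function hmacVariant(password, salt) {
  return crypto.createHmac('sha256', salt).update(password, 'utf8').digest();
}

// Binary-string concatenation hashed with update()'s default string encoding
// (UTF-8): every salt byte >= 0x80 becomes two bytes, so the digest changes.
function stringConcatVariant(password, salt) {
  return crypto.createHash('sha256')
    .update(salt.toString('binary') + password)
    .digest();
}

// Constructed sample data: a salt with high bytes and a non-ASCII password.
const sampleSalt = Buffer.from('00ff10805a', 'hex');
const samplePassword = 'pässword';
const storedHash = crypto.createHash('sha256')
  .update(Buffer.concat([sampleSalt, Buffer.from(samplePassword, 'utf8')]))
  .digest();

console.log('match:', validatePassword(samplePassword, storedHash, sampleSalt));
console.log('hmac equals stored:', hmacVariant(samplePassword, sampleSalt).equals(storedHash));
console.log('string concat equals stored:',
  stringConcatVariant(samplePassword, sampleSalt).equals(storedHash));
```

With an ASCII-only salt the string-concatenation variant produces the correct digest, which is why that failure tends to show up only for some accounts.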
