I'm trying to convert a C# program into JavaScript. The purpose is to validate a clear-text password against its SHA-256 hash stored in a database. This code will be executed server-side.
The C# program was implemented following this MSDN article, How to Hash Passwords.
In order to validate my implementation, I was given an example hash for the password "test" with a randomly generated 4-character-long salt.
Here is what I wrote so far:
    var unhashedPass = "test";
    var originalHashedPass = "F27B595D3CBBC60ACEAC68E4DA6A2629558FEC383E0B81F764E443C68B0E9808096CDF2D";
    var saltStringLength = 4;
    var unicodeCharLength = 2;
    var saltHexLength = unicodeCharLength * saltStringLength;
    var saltHex = originalHashedPass.substr(0, saltHexLength);
    var strSalt1 = String.fromCharCode(parseInt(saltHex.substr(0, 2), 16).toFixed());
    var strSalt2 = String.fromCharCode(parseInt(saltHex.substr(2, 2), 16).toFixed());
    var strSalt3 = String.fromCharCode(parseInt(saltHex.substr(4, 2), 16).toFixed());
    var strSalt4 = String.fromCharCode(parseInt(saltHex.substr(6, 2), 16).toFixed());
    //var strSalt = str2rstr_utf16le(strSalt1 + strSalt2 + strSalt3 + strSalt4);
    var strSalt = strSalt1 + strSalt2 + strSalt3 + strSalt4;
    var finalHash = saltHex + hex_sha256(strSalt + unhashedPass).toUpperCase();
    return (finalHash == originalHashedPass);
This code is one of multiple variants I tried, attempting to transform the hexadecimal salt into a valid string (see commented line for example). None seemed to work.
The hex_sha256 and str2rstr_utf16le functions come from this JavaScript SHA implementation.
I assume the C# part I fail to correctly "translate" into JavaScript is the conversion of the salt into a string.
    binarySaltValue[0] = byte.Parse(saltValue.Substring(0, 2), System.Globalization.NumberStyles.HexNumber, CultureInfo.InvariantCulture.NumberFormat);
    binarySaltValue[1] = byte.Parse(saltValue.Substring(2, 2), System.Globalization.NumberStyles.HexNumber, CultureInfo.InvariantCulture.NumberFormat);
    binarySaltValue[2] = byte.Parse(saltValue.Substring(4, 2), System.Globalization.NumberStyles.HexNumber, CultureInfo.InvariantCulture.NumberFormat);
    binarySaltValue[3] = byte.Parse(saltValue.Substring(6, 2), System.Globalization.NumberStyles.HexNumber, CultureInfo.InvariantCulture.NumberFormat);
I noticed that the C# implementation uses an array of bytes, but I guess I have to use strings in JavaScript.
I also wonder if my issue has something to do with the fact that the C# program is computing Unicode-encoded strings.
Do you have any suggestions?
EDIT
To clarify my problem: I can't manage to validate in JavaScript the password "test" against its SHA256 salted hash "F27B595D3CBBC60ACEAC68E4DA6A2629558FEC383E0B81F764E443C68B0E9808096CDF2D" (calculated earlier in a C# program).
alert(unhashedPass) and compromise the security of your application. You will be prone to MITM attacks as well as other JavaScript injection attacks.
var unhashedPass : String is not valid JavaScript. You can't declare explicit variable types.
f2 7b 59 5d 74 65 73 74 (the four salt bytes, plus "test")? It hashes to something else than you have in originalHashedPass (also without the prepended salt in this variable).
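The question's salt handling can be done on bytes instead of strings. The following is an added example, not the asker's code or the MSDN sample: it assumes Node.js with its built-in crypto module, that the salt bytes come before the password bytes, and that the C# "Unicode" encoding is UTF-16LE. All function names are hypothetical, and whether it reproduces the stored value above depends on the C# side matching these assumptions.

```javascript
// Added example (not the asker's code). Assumes Node.js and its built-in crypto module.
const nodeCrypto = require('crypto');

const SALT_HEX_LENGTH = 8; // 4 salt bytes, two hex digits each (as in the question)

// Bytes that get hashed: raw salt bytes followed by the encoded password.
// Assumption: salt-first order and the chosen encoding must match the C# side.
function hashInput(saltHex, password, encoding) {
  if (!/^[0-9a-fA-F]{8}$/.test(saltHex)) throw new Error('salt must be 8 hex digits');
  return Buffer.concat([Buffer.from(saltHex, 'hex'), Buffer.from(password, encoding)]);
}

// Stored format from the question: salt hex + upper-case SHA-256 hex.
function makeStored(saltHex, password, encoding) {
  const digest = nodeCrypto.createHash('sha256')
    .update(hashInput(saltHex, password, encoding)).digest('hex');
  return (saltHex + digest).toUpperCase();
}

// Recompute from the candidate password and compare in constant time.
function verifyPassword(stored, password, encoding = 'utf16le') {
  if (typeof stored !== 'string' || stored.length !== SALT_HEX_LENGTH + 64) return false;
  let expected;
  try {
    expected = makeStored(stored.slice(0, SALT_HEX_LENGTH), password, encoding);
  } catch (e) {
    return false; // malformed salt or unknown encoding
  }
  const a = Buffer.from(expected, 'ascii');
  const b = Buffer.from(stored.toUpperCase(), 'ascii');
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// What a string-built salt turns into when a hash helper UTF-8 encodes its input:
// salt byte 0xF2 becomes the two bytes C3 B2, so the hashed bytes no longer match.
function saltViaStringUtf8(saltHex) {
  let s = '';
  for (let i = 0; i < saltHex.length; i += 2) {
    s += String.fromCharCode(parseInt(saltHex.substr(i, 2), 16));
  }
  return Buffer.from(s, 'utf8').toString('hex');
}

// Constructed sample record: built here with the salt from the question, not taken from the page.
const sampleStored = makeStored('F27B595D', 'test', 'utf16le');
console.log(hashInput('F27B595D', 'test', 'utf16le').toString('hex'));
console.log(saltViaStringUtf8('F27B595D'));
console.log(verifyPassword(sampleStored, 'test'), verifyPassword(sampleStored, 'Test'));
```

Passing 'utf8' as the encoding hashes the bytes f2 7b 59 5d 74 65 73 74 mentioned in the last comment, which makes it easy to try both candidate encodings against a known stored value.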