
We are using CryptoJS SHA3 to hash our username and password together.

The function takes the inputs from two HTML input fields for the username and password, concatenates them with the salt, and hashes them. The first hash works successfully; however, hashing the same output again yields a different result.

This is the relevant code:

// $salt, $user and $pass are strings taken from the HTML input fields
var $prehash = $salt + $user + $pass;

// Parse the UTF-8 string into a CryptoJS WordArray before hashing
$prehash = CryptoJS.enc.Utf8.parse($prehash);

// First hash of the WordArray
var sha3 = CryptoJS.algo.SHA3.create();
sha3.update($prehash);
var password = sha3.finalize().toString(CryptoJS.enc.Hex);
sha3.reset();

// Second hash of the same WordArray with a fresh hasher instance
sha3 = CryptoJS.algo.SHA3.create();
sha3.update($prehash);
var password2 = sha3.finalize().toString(CryptoJS.enc.Hex);
sha3.reset();

// A WordArray used in string context is rendered as hex, so PREHASH logs as hex
console.log('PREHASH: ' + $prehash);
console.log('HASHWORD: ' + password);
console.log('HASHWORD2: ' + password2);

The console logs output the following:

PREHASH: 4d616e636865737465722c20436f6e6e65637469637574204d6f62696c65205573657273546f776e20436c65726b68617665206272616e6368657320616476616e63652042656c6769756d

HASHWORD: db90cbb6766f3ca0dc8af39455cd6e224263db31caed3f73f9ad923a02c34211c85cc17a8e3d0166cd82c10d12a137332891c0c201174e16d19a93b6b4d430cf

HASHWORD2: 9ed635963fa0079a0520d8afa59d1e19be601d7bf77f623702304240993ce9bdd2f3023ca6bbd44f2ab30ceb2de1c8f0d3fe3d63292c5a23c44ddd1d485baa71

EDIT: We have tested on two other devices, and have found that we get the correct output on the other two devices. This behavior is only observed on my coworker's phone. Now we are more confused. Does anybody see why a different device would produce different output?

EDIT: Here is a jsfiddle that demonstrates the problem. It should read true & true. On our Android 4.2.2 device it reads false & false: http://jsfiddle.net/odL57wfo/2/

  • Not sure if it will resolve your issue, but couldn't this code be simplified to `var password = CryptoJS.SHA3($prehash);`? According to the docs `"When you use a WordArray object in a string context, it's automatically converted to a hex string"`. So if you're only wanting the hash as a hex, then there's really no need to explicitly convert it to a string. – Patrick Q Mar 19 '14 at 17:39
  • @PatrickQ that's how it was originally; we did that just to lift the veil somewhat and be sure we knew exactly what was happening, as we are still so baffled as to why this is happening. – DrS Mar 19 '14 at 17:46
  • [See this jsfiddle](http://jsfiddle.net/4wGM2/1/) I'm getting the same hash logged each time. – Patrick Q Mar 19 '14 at 17:51
  • same as @PatrickQ: I could not reproduce, what's your environment ? – Julien Ch. Mar 19 '14 at 18:04
  • What's the user-agent for the case where it's not working? – Patrick Q Mar 19 '14 at 18:13
  • @PatrickQ his User agent string is: Mozilla/5.0(Linux; U; Android 4.2.2; en-us; HTC6435LVW 4G Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 – DrS Mar 19 '14 at 18:18
  • I use CryptoJS at the front end of my applications and have done for some time. I also have not been able to reproduce except when I don't trim() the input fields coming from the HTML input form. Perhaps that's where an errant/extra "space" is leaking in? – A_nobody Nov 22 '14 at 11:59
  • We are getting the exact same problem, did you find a solution? – user1044220 Aug 10 '15 at 13:14
  • @user1044220 Seems like a bug in some JavaScript engine. Which user agent do you use? Do you really see different outputs [here](http://jsfiddle.net/artjomb/eudwrz3j/)? – Artjom B. Aug 10 '15 at 14:20
  • Yes, just ran your test get 2 different values, first one correct second false. This is on android 4.2.2 – user1044220 Aug 10 '15 at 15:02
  • The issue appears to be when trying to hash long strings; short strings work. It doesn't appear to be hashing the hash that is causing the problem per se, it's just because it's a long string. – user1044220 Aug 10 '15 at 15:03
  • Are you sure the crypto function is not auto-applying salt, thus making the output different? – Swiffy Aug 11 '15 at 11:21
  • On Android 4.4 it works just fine. Try another browser on that phone? – iCollect.it Ltd Aug 13 '15 at 11:43
  • Yes, this is my point TrueBlueAussie, it is specific to the Android WebView on Android 4.2. We are sure it is not auto-applying salt. – user1044220 Aug 18 '15 at 11:25

1 Answer

We were unable to find a solution to this problem, so we have opened a bug on the crypto-js project and in the meantime we are using a different hashing algorithm.
