6

I am trying to use fingerprinting on my client side and got hold of this code as part of a bigger code.

```javascript
function checksum(str) {
    var hash = 5382,
        i = str.length;

    while (i--) hash = (hash * 33) ^ str.charCodeAt(i);

    return hash >>> 0;
}
```

As you can see the hash is in plain sight. Can you please show me how or what implementation to use so I can hide or anything that can mask the hash = 5382. Thank you.

stack questions
  • 3
    You can only obfuscate it, not really "hide it" – haim770 Oct 18 '17 at 10:52
  • You can use `CryptoJS`: https://stackoverflow.com/questions/18279141/javascript-string-encryption-and-decryption – Mihai Alexandru-Ionut Oct 18 '17 at 10:53
  • You need an asymmetric algorithm like [RSA](http://www.ohdave.com/rsa/). – ceving Oct 18 '17 at 10:59
  • What do you mean by "hide"? Nothing can be hidden to the client (assume all clients are malicious). What is your attack vector? – tyteen4a03 Oct 18 '17 at 11:38
  • Anything that can hide or mask the 'hash number = 5832.' Ex. when a client uses the 'sources' tab they will be able to see the javascript but they still won't be able to see the 'hash number = 5832'. It is also good if you can hide the whole javascript code itself. – stack questions Oct 19 '17 at 04:52
  • Thanks for the link for the Crypto.. It's really great but still my question is, how do I hide the "Message" and "Secret Passphrase" when it can be seen on the javascript as soon as the client sees the source tab? – stack questions Oct 19 '17 at 07:13
  • 1
    Please don't bother doing it... – Endless Oct 19 '17 at 19:51
  • 1
    Take this calculation to server, after all javascript is a client side language for browsers. – Touqeer Shafi Oct 20 '17 at 10:46

1 Answer

0

You could encode it with base64, but anyone can decode it easily. How sensitive is your hash?

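```javascript
// Encode a UTF-8 string as Base64; this is an encoding, not encryption.
var str = "The quick brown fox jumps over the lazy dog";
var b64 = btoa(unescape(encodeURIComponent(str)));
// Decode it back to the original string.
str = decodeURIComponent(escape(window.atob(b64)));
```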

The output will be VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==

If you are using PHP you would just base64_encode() and base64_decode() to handle. You can make, for example, a hidden input with the encoded value and then just get its val and use the last line I gave you.

Base64 PHP http://php.net/manual/en/function.base64-encode.php and base64 JAVASCRIPT https://developer.mozilla.org/pt-BR/docs/Web/API/WindowBase64/atob . Or you could encrypt its contents then decrypt it server side. Here's a little class to encrypt/decrypt data (PHP):

```php
<?php
namespace Company\Security;

/*
 *   @description: Simple class to wrap crypt function calls
 *   @author: Marco A. Simao
 */

class Crypto {

    /*
     * returns encrypted data with iv prepended at the beginning of the string
     */
    public static function encrypt($data, $key)
    {
        $iv = openssl_random_pseudo_bytes(16);

        $c = openssl_encrypt($data, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv);

        return $iv . $c;
    }

    /*
     * returns decrypted data. Expects 16 first bytes of data to be iv table.
     */
    public static function decrypt($data, $key)
    {
        return openssl_decrypt(substr($data, 16), 'AES-128-CBC', $key, OPENSSL_RAW_DATA, substr($data, 0, 16));
    }
}
```

And you would need a decrypt in Javascript like: How to use the Web Crypto API to decrypt a file created with OpenSSL?

Marco
  • This seems good. Can you show me a sample implementation of it? – stack questions Oct 19 '17 at 04:53
  • 1
    @stackquestions -- Please remember that this is not secure, any client can rewrite the script themselves and see the result. If your goal is to hide the string from cursory inspection from casual eyes, that's fine, but it won't provide any "real" security. – John Weisz Oct 20 '17 at 10:55
  • Yes, thanks for pointing out, I forgot to tell him, but I asked how sensitive it was :) – Marco Oct 20 '17 at 11:24
  • Can you please show me or just point a topic to me so I can study it. Thank you. – stack questions Oct 21 '17 at 07:23
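An added example, not code from anyone in this thread: a Node.js sketch of the "take this calculation to the server" suggestion, where the browser sends only the raw fingerprint attributes and the server derives the identifier with a keyed HMAC, so no seed or key ever appears in the client's Sources tab. The names `SERVER_KEY`, `SAMPLE_ATTRS`, `fingerprintId` and `verifyFingerprint` and the attribute set are assumptions made for illustration.

```javascript
// Added example: server-side derivation of a fingerprint id (Node.js).
const nodeCrypto = require('node:crypto');

// Assumption: in a real deployment the key comes from server-side
// configuration. A random key is generated here so the example runs offline.
const SERVER_KEY = nodeCrypto.randomBytes(32);

// Constructed sample of what a browser might submit (not real data).
const SAMPLE_ATTRS = {
  userAgent: 'ExampleBrowser/1.0',
  language: 'en-US',
  screen: '1920x1080',
  timezone: 'UTC',
};

// Serialize attributes unambiguously: sorted keys, JSON-encoded pairs, so
// property order and embedded separators cannot change the result.
function canonicalize(attrs) {
  const pairs = Object.keys(attrs).sort().map((k) => [k, String(attrs[k])]);
  return JSON.stringify(pairs);
}

// Derive the id with HMAC-SHA256. Unlike checksum() with its visible seed,
// the output cannot be reproduced without the server-held key.
function fingerprintId(attrs, key = SERVER_KEY) {
  return nodeCrypto
    .createHmac('sha256', key)
    .update(canonicalize(attrs), 'utf8')
    .digest('hex');
}

// Check an id presented later against freshly submitted attributes.
function verifyFingerprint(attrs, claimedId, key = SERVER_KEY) {
  const expected = Buffer.from(fingerprintId(attrs, key), 'hex');
  const claimed = Buffer.from(String(claimedId), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return claimed.length === expected.length &&
    nodeCrypto.timingSafeEqual(expected, claimed);
}
```

The attributes themselves are still client-supplied and can be altered before submission; the HMAC only keeps the derivation secret and lets the server recognise ids it issued.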