
NO. THAT SUGGESTION DOES NOT ANSWER THIS AT ALL. SEE CORRECT ANSWER BELOW.

I am building an application whereby I want a user to enter a password into a browser, which is sent via my server to another device running Python. The password then needs to be validated by the device running Python.

The problem is, I don't want my server handling passwords in any way. So I figured I could hash the password in the browser before it is sent, have the server pass on the hash to the device, then check the hash is equivalent on the Python side.

Python has a built-in library for this purpose, but it seems javascript does not. I thought I could leverage a public javascript library, but when I compare the results from the javascript SHA256 algorithm here to what the SHA256 function in Python produces it is not the same string of characters.

Is there a cross code hash function (or any other solution) I can use?

An Update

In response to a "gee whiz, this question is the same as all these ones" let me clarify. This is not about a strategy for storing passwords or finding a 'trustworthy' library (like the post suggested). There is NOT any discussion about cross code compatibility of SHA2 on this site. I could not even find a discussion that pointed out that different SHA2 implementations SHOULD produce the same result. I did plenty of research. In fact it was the various discussions about different javascript "implementations" of SHA2 that confused me. I actually tested a scenario myself, which further confused me as the website picked up a carriage return and produced a different hash. (see below)

This is about having a function in TWO languages that produces the same output...on different devices. I think it is actually an unusual application of hashing, as generally the same code layer is used to hash, store and compare hashed values.

In the rush to down-vote the question and establish mental superiority it seems to me the question was not read properly and incorrect assumptions were made. Hopefully contributors to this site will in future take a more considered and helpful approach like the successful answer.

The link for the javascript library I provided produced the following hash for the text 'MyPassword'

5e618e009fe35ea092150ad1f2c24e3181b4cf6693dc7bbd9a09ea9c8144720d

If I use the sha256 function from Python I get the result below, which seems to indicate to me that not all SHA256 functions are equal and produce the same result.

Python Result

Lee Melbourne
  • instantly -1 on the post. What the???? – Lee Melbourne Jun 14 '18 at 05:57
  • that's probably just a problem of *encoding* of the result, or a slight difference in input, because the SHA256 algorithm is pretty precise and should not change from one implementation to another – Pac0 Jun 14 '18 at 05:57
  • I'm not the downvoter, but password checking seems a pretty standard topic to do research on. Moreover, you don't provide any of the code that is supposed to give a different result. Please consider adding a [mcve] to your question. – Pac0 Jun 14 '18 at 05:58
  • also, just using SHA256 hash is not a good way of storing passwords. It has bad consequences if your db is ever compromised (your users' passwords could be attacked with a rainbow table easily). You should use a longer algorithm, and use salt on your password. Have a look at bcrypt libraries. – Pac0 Jun 14 '18 at 06:03
  • @LeeMelbourne It might feel harsh getting the down-votes, but the number of times these things are asked is pretty staggering. And to everyone on here this feels like the only way to get people to feel that maybe they should do more research before asking these things. WebCryptoAPI has a digest/hash function: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest and there are external libs as well: https://stackoverflow.com/questions/18338890/are-there-any-sha-256-javascript-implementations-that-are-generally-considered-t. Both get the same result as Python (I use them) – Torxed Jun 14 '18 at 07:25
  • Thank you @torxed That is useful information. However the link to the question you provided does not address cross code compatibility. It merely talks about different implementations of SHA256 in javascript. Furthermore, the fact that there is a lengthy discussion of the different implementations implies there ARE potentially different outputs. Unless you can see something wrong with my comparison test, I think that test confirms it. – Lee Melbourne Jun 14 '18 at 11:15
  • @LeeMelbourne I will further demonstrate why my exact links prove you wrong in this instance: https://imgur.com/a/UW17ZIF - An identical piece of code taken from the first link (dev.moz.org), the second image - https://imgur.com/a/kmaZbql - is a two-liner Python script hashing the same text `moo` and comes to the exact same conclusion. I'm sorry, but I think you're fishing in the wrong pond here. The implementations **are** "cross platform" already. And if you use the [example](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest#Example) it **will work**. – Torxed Jun 14 '18 at 12:35
  • Clarification: You're probably witnessing (as @Pac0 mentioned) a malformed representation of the actual hash. Since the hash comes out in binary form, it needs to be transformed into a readable representation. This is usually done by parsing binary to hex representation. There are numerous stages where padding or encoding could get messed up. But the standard libraries for these things **are cross platform** (I hate that word, because hashing is platform independent by nature, it's a math operation). – Torxed Jun 14 '18 at 12:40
  • Regarding your *"The link for the javascript library I provided produces the following hash for the text 'MyPassword'" : 5e618e009fe35ea092150ad1f2c24e3181b4cf6693dc7bbd9a09ea9c8144720d* I don't know how you used your library, but the correct SHA256 hash of the MyPassword string is the same as you showed for Python, you can check on this site : https://passwordsgenerator.net/sha256-hash-generator/ . You are missing an [mcve] so we can reproduce the discrepancy and help you. – Pac0 Jun 14 '18 at 14:21

1 Answer

All proper implementations of SHA256 (or any hash/encryption) produce the same result if supplied with the same data. Your problem is solved by properly processing the data that you supply to the javascript library. The "5e61..." hash is a result of additional newline appended to the end of the "MyPassword" string, look:

In [1]: import hashlib

In [2]: hashlib.sha256(b'MyPassword').hexdigest()
Out[2]: 'dc1e7c03e162397b355b6f1c895dfdf3790d98c10b920c55e91272b8eecada2a'

In [3]: hashlib.sha256(b'MyPassword\n').hexdigest()
Out[3]: '5e618e009fe35ea092150ad1f2c24e3181b4cf6693dc7bbd9a09ea9c8144720d'

For the future, popular implementations of hashes and cryptographic algorithms are thoroughly tested, and if the answer seems wrong - it's probably because your data is wrong.

Andrew Morozko
  • That was indeed the exact "typo" or discrepancy between inputs I was thinking about. The additional endline character `\n` is often a source of trouble that is difficult to catch. I wanted to *make* OP realize that by actually asking him to give some of his code that led him to the different result, too bad he did not get there by himself. Good catch anyway! – Pac0 Jun 14 '18 at 22:48
  • Thank you @MOROZILnic. That is a very helpful response. Much more helpful than the aggressive downvoting "I'm right, you are wrong" nonsense in the comments. Many developers spend their life in code and unfortunately develop this binary mentality. – Lee Melbourne Jun 14 '18 at 22:49
  • @pac0 I think you will find the newline came from a carriage return in the webpage that demonstrates the SHA2 javascript implementation...not so easy to detect. Encryption is a complex area. Talk of "different implementations" of an algorithm confuses the issue. I think assumptions were hastily made about the original post without reading it properly. Find a discussion of cross code compatibility of hash functions on this site and I will eat my words. – Lee Melbourne Jun 14 '18 at 22:56
  • @LeeMelbourne I completely agree that it was not easy to catch. But actually, this problem of newline is the top 1 cause I have witnessed for hash discrepancy. And I hope you will find that trying to put effort into describing exactly the steps needed to reproduce does help a lot too. – Pac0 Jun 14 '18 at 23:18