
When comparing the two hashed passwords, an extra `d5` appears at the end of one of the strings.

We hash the password with SHA-512 plus a salt and then compare the result with the SHA-512 + salt value stored in the database.

But we get a password mismatch. When we checked the log, we saw an extra d5 at the end of the computed value; it is not part of the salt.

This is the output while using console.

project restful running in port 8000
Value stored in database:

6b5fff62ffe04a51(salt)

(Sha512+salt) appended value
9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735


{ salt: '6b5fff62ffe04a51',(salt)
  passwordhash:(sha512+salt appended value)

'9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735d5' }

An extra d5 is present at the end of the value we compute, which is causing the mismatch.

/*
 Creating a RESTful service
*/

var crypto = require('crypto');
var uuid = require('uuid');
var express = require('express');
var mysql = require('mysql');
var bodyparser = require('body-parser');

//connect to my sql

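// Single shared MySQL connection used by every route below.
// Settings are read from the environment when present; the fallbacks are the
// original development values, so an unconfigured run behaves as before.
// NOTE(review): the fallback is the `root` account with an empty password.
// Outside a local sandbox, set DB_USER / DB_PASSWORD to a dedicated account
// that only has the privileges this service needs on its own schema.
var con = mysql.createConnection({
    host: process.env.DB_HOST || "localhost",
    user: process.env.DB_USER || "root",
    password: process.env.DB_PASSWORD || '',
    database: process.env.DB_NAME || "e-shopiee",
});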

//creating password encryption

/**
 * Build a random lowercase-hex string of exactly `length` characters.
 *
 * The bytes come from crypto.randomBytes; each byte yields two hex
 * characters, so ceil(length / 2) bytes are drawn and the hex text is cut
 * back to `length` when `length` is odd.
 *
 * @param {number} length - number of hex characters wanted
 * @returns {string} hex string of `length` characters
 */
var genrandomstring = function(length) {
    var byteCount = Math.ceil(length / 2);
    var hexText = crypto.randomBytes(byteCount).toString('hex');
    return hexText.slice(0, length);
};

//securing with sha512

/**
 * Compute HMAC-SHA512 of `password`, keyed with `salt`, as lowercase hex.
 *
 * The hex digest is always 128 characters long. Whatever stores it must
 * keep all 128 characters; a shorter column cuts the tail off and every
 * later comparison against a freshly computed digest fails.
 * NOTE(review): the stored value shown in the question is 126 characters,
 * so the `password` column is presumably too narrow. Confirm the schema.
 *
 * NOTE(review): a single HMAC-SHA512 is cheap to compute, which makes
 * offline guessing of leaked hashes cheap as well. Node's crypto module
 * provides deliberately slow password KDFs (crypto.scrypt, crypto.pbkdf2).
 * Switching changes the stored format and needs a migration plan.
 *
 * @param {string} password - plain-text password to hash
 * @param {string} salt - per-user salt, used as the HMAC key
 * @returns {{salt: string, passwordhash: string}} the salt and the hex digest
 */
var sha512 = function (password, salt) {
    var passwordhash = crypto
        .createHmac('sha512', salt)
        .update(password)
        .digest('hex');
    return { salt: salt, passwordhash: passwordhash };
};

//get random string to salt

/**
 * Hash a new password under a freshly generated salt.
 *
 * The salt is a 16-character hex string from genrandomstring, i.e. 8 random
 * bytes. Both the salt and the resulting digest must be stored so the same
 * digest can be recomputed at login.
 *
 * @param {string} userPassword - plain-text password supplied at registration
 * @returns {{salt: string, passwordhash: string}} result of sha512()
 */
function salthashpassword(userPassword){
    return sha512(userPassword, genrandomstring(16));
}

//user password generating hashed password

/**
 * Recompute the digest for a login attempt using the salt stored for the user.
 *
 * This function only hashes. The comparison against the stored digest is
 * done by the caller.
 *
 * @param {string} userPassword - plain-text password from the login request
 * @param {string} salt - salt previously stored for this account
 * @returns {{salt: string, passwordhash: string}} result of sha512()
 */
function checkHashpassword(userPassword, salt) {
    return sha512(userPassword, salt);
}


//accept json params
// Express application. Both body parsers are mounted in the original order:
// JSON first, then URL-encoded forms.
// With `extended: true` a form field can arrive as a nested object or an
// array, and a JSON body can carry any type, so route handlers cannot assume
// that req.body fields are strings.
var app = express();
app.use(
    bodyparser.json(),
    bodyparser.urlencoded({ extended: true })
);

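/**
 * POST /register/ creates a user row with a salted password digest.
 *
 * Expects `name`, `email` and `password` in the request body.
 * Replies (JSON strings): 'user already exist', 'Register successful',
 * 'Invalid request' (HTTP 400) or 'Register error' (HTTP 500).
 */
app.post('/register/',(req,res,next)=>{

    // Body as parsed by body-parser; may be absent if no parser matched.
    var post_data = req.body || {};
    var plain_password = post_data.password;
    var name = post_data.name;
    var email = post_data.email;

    // Only plain strings may reach the hash and the SQL placeholders:
    // crypto's update() throws on other types, and the mysql driver expands
    // objects and arrays bound to `?` into SQL fragments instead of a single
    // quoted value. `name` stays optional, as before.
    if (typeof email !== 'string' ||
        typeof plain_password !== 'string' ||
        (name != null && typeof name !== 'string')) {
        res.status(400).json('Invalid request');
        return;
    }

    // Attach the connection-level error logger once. Registering it inside
    // every query callback, as before, added a new listener per request.
    if (con.listenerCount('error') === 0) {
        con.on('error', function (err) {
            console.log('[MySQL ERROR]', err);
        });
    }

    var uid = uuid.v4();
    var hash_data = salthashpassword(plain_password);
    var password = hash_data.passwordhash;
    var salt = hash_data.salt;

    con.query('SELECT * FROM users where email =?',[email],function (err,result,fields) {
        if (err) {
            // Log details server-side only; the client gets a generic message.
            console.log('[MySQL ERROR]', err);
            res.status(500).json('Register error');
            return;
        }
        if (result && result.length) {
            res.json('user already exist');
            return;
        }

        // NOTE(review): this check-then-insert is not atomic. Two concurrent
        // requests can both pass the SELECT; a UNIQUE index on `email` is what
        // actually prevents duplicates (schema not shown here, so confirm).
        // NOTE(review): `password` is a 128-character hex digest; the column
        // must be at least that wide or the stored value is truncated and
        // login can never match.
        con.query('INSERT INTO `users`( `unique_id`, `name`, `email`, `password`, `salt`, `created_at`, `updated_at`) ' +
            'VALUES (?,?,?,?,?,NOW(),NOW())',[uid,name,email,password,salt],function (err,result,fields) {
            if (err) {
                console.log('[MySQL ERROR]', err);
                res.status(500).json('Register error');
                return;
            }
            // Success is reported only after the INSERT went through, and
            // the digest is no longer written to the log.
            res.json('Register successful');
        });
    });
});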

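/**
 * POST /login/ checks an e-mail / password pair against the users table.
 *
 * Expects `email` and `password` in the request body.
 * Replies: the user row as JSON (without `password` and `salt`) on success,
 * 'Wrong password', 'user not exist', 'Invalid request' (HTTP 400) or
 * 'Login error' (HTTP 500).
 */
app.post('/login/',(req,res,next)=>{

    // Body as parsed by body-parser; may be absent if no parser matched.
    var post_data = req.body || {};
    var user_password = post_data.password;
    var email = post_data.email;

    // Only plain strings may reach the hash and the SQL placeholder:
    // crypto's update() throws on other types, and the mysql driver expands
    // objects and arrays bound to `?` into SQL fragments instead of a single
    // quoted value.
    if (typeof email !== 'string' || typeof user_password !== 'string') {
        res.status(400).json('Invalid request');
        return;
    }

    // Attach the connection-level error logger once. Registering it inside
    // every query callback, as before, added a new listener per request.
    if (con.listenerCount('error') === 0) {
        con.on('error', function (err) {
            console.log('[MySQL ERROR]', err);
        });
    }

    con.query('SELECT * FROM users where email=?',[email],function (error,result,fields){
        if (error) {
            // Log details server-side only; the client gets a generic message.
            console.log('[MySQL ERROR]', error);
            res.status(500).json('Login error');
            return;
        }

        // NOTE(review): distinct replies for an unknown e-mail and a wrong
        // password reveal which addresses are registered. Unify them if no
        // client depends on the difference.
        if (!(result && result.length)) {
            res.json('user not exist');
            return;
        }

        var user = result[0];
        // Recompute the digest with the salt stored for this account.
        // Salt and digests are no longer written to the log.
        var computed = Buffer.from(checkHashpassword(user_password, user.salt).passwordhash, 'utf8');
        var stored = Buffer.from(String(user.password), 'utf8');

        // Constant-time comparison. timingSafeEqual requires equal lengths,
        // so a length mismatch (e.g. a digest truncated by a too-narrow
        // column) is treated as "no match".
        var matches = stored.length === computed.length &&
            crypto.timingSafeEqual(stored, computed);

        if (matches) {
            // Return the account data but never the credential material.
            var profile = Object.assign({}, user);
            delete profile.password;
            delete profile.salt;
            res.end(JSON.stringify(profile));
        } else {
            res.end(JSON.stringify('Wrong password'));
        }
    });
});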
//starting services
// Start the HTTP server on port 8000 and log once it is listening.
// NOTE(review): no host is passed, so Node's default bind address is used,
// and this is plain HTTP. Passwords sent to /login/ and /register/ are only
// protected in transit if TLS is terminated in front of this process.
app.listen(8000, function () {
    console.log('project restful running in port 8000');
});
  • 1) For better help sooner, [edit] to add a [MCVE] or [Short, Self Contained, Correct Example](http://www.sscce.org/). 2) Don't post pictures of text. Post the **text itself!** – Andrew Thompson Feb 04 '19 at 05:10
  • Here is another [**Help Center**](https://stackoverflow.com/help) article you should read: [How do I ask a good question?](https://stackoverflow.com/help/how-to-ask) – Andreas Feb 04 '19 at 05:10
  • Thank you i will try better. Its my first time im asking in this forum. Thank you for the tips :) – Tm Ananthakrishnan Feb 04 '19 at 06:05
  • @TmAnanthakrishnan This is not a forum, and you need to post your code. We have no way of knowing how you are generating these `String`(s). Obvious solution, take the `substring(0, string.length - 2)`. – Elliott Frisch Feb 04 '19 at 06:29
  • I have added the code and thank you :) – Tm Ananthakrishnan Feb 04 '19 at 07:58


You cannot decrypt sha512 with salt. That (sha512) is not a reversible transform [1]. And a salt makes it "immune" to a rainbow table [2].

[1] Why are hash functions one way? If I know the algorithm, why can't I calculate the input from it?
[2] How does password salt help against a rainbow table attack?

Elliott Frisch
  • Sorry my question was wrong. I have corrected it :) .The problem i have is during compairing them from db and the one entered by the user. Thank you :) – Tm Ananthakrishnan Feb 04 '19 at 06:07