
I am a beginner in Node.js. I have already implemented encryption and decryption through SHA1 and am using it in ASP.NET projects. Now we have started a new project in Node and Angular. Here I need the same login mechanism, including encryption and decryption using SHA1.

Here is my working code:

Dependent variables that I need:

        static string passPhrase = "Paaaa5p***";
        static string saltValue = "s@1t***lue";
        static string hashAlgorithm = "SHA1";
        static int passwordIterations = 2;
        static string initVector = "@1B2c3D4e5F6****";
        static int keySize = 256;

Encryption method to encrypt a password or any text.

    // Requires: using System.IO; using System.Security.Cryptography; using System.Text;
    public static string EncryptText(string text)
    {
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
        byte[] plainTextBytes = Encoding.UTF8.GetBytes(text);

        // Derive the key from the pass phrase and salt using the configured hash.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
            passPhrase, saltValueBytes, hashAlgorithm, passwordIterations);
        byte[] keyBytes = password.GetBytes(keySize / 8);

        // Rijndael in CBC mode with the fixed initialization vector.
        RijndaelManaged symmetricKey = new RijndaelManaged();
        symmetricKey.Mode = CipherMode.CBC;
        ICryptoTransform encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes);

        MemoryStream memoryStream = new MemoryStream();
        CryptoStream cryptoStream = new CryptoStream(
            memoryStream, encryptor, CryptoStreamMode.Write);
        cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
        cryptoStream.FlushFinalBlock();

        byte[] cipherTextBytes = memoryStream.ToArray();
        memoryStream.Close();
        cryptoStream.Close();

        // The ciphertext is returned Base64-encoded.
        string cipherText = Convert.ToBase64String(cipherTextBytes);
        return cipherText;
    }

Decryption method to encrypt a password or any text.

    public static string DecryptText(string encryptText)
    {
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
        byte[] cipherTextBytes = Convert.FromBase64String(encryptText);

        // Derive the same key that EncryptText used.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
            passPhrase, saltValueBytes, hashAlgorithm, passwordIterations);
        byte[] keyBytes = password.GetBytes(keySize / 8);

        RijndaelManaged symmetricKey = new RijndaelManaged();
        symmetricKey.Mode = CipherMode.CBC;
        ICryptoTransform decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);

        MemoryStream memoryStream = new MemoryStream(cipherTextBytes);
        CryptoStream cryptoStream = new CryptoStream(
            memoryStream, decryptor, CryptoStreamMode.Read);

        // Copy until end of stream: a single Read call may return fewer
        // bytes than the full plaintext.
        MemoryStream plainStream = new MemoryStream();
        cryptoStream.CopyTo(plainStream);
        byte[] plainTextBytes = plainStream.ToArray();

        cryptoStream.Close();
        memoryStream.Close();

        string text = Encoding.UTF8.GetString(plainTextBytes);
        return text;
    }
Majedur
  • Hash functions cannot encrypt/decrypt. What you are trying to do is derive a key from a password by using a hash function in [PasswordDeriveBytes](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.passwordderivebytes?view=netframework-4.8). It uses an extension of PBKDF1. – kelalaka Oct 19 '19 at 08:10
  • Your aim and your code are confusing. You are using PasswordDeriveBytes to derive a key to use in RijndaelManaged. It is a symmetric algorithm that was the winner of the AES competition. Note that AES != Rijndael. What you use is a very old library. For storing passwords, we are not encrypting them, we hash them with salt. It is better to use standards for password hashing like PBKDF2, Bcrypt, Scrypt, or better, the new winner Argon2. – kelalaka Oct 19 '19 at 15:10

1 Answer

SHA1 is a hash function. There is no way to get the original data from a hash (except collisions).

Your problem is not the hash, it's the encrypt/decrypt algorithm. Try to use js-crypto-pbkdf from NPM.

Volodymyr Sichka
  • Actually, the OP is confusing the terms. In OP's code the SHA1 is used in PasswordDeriveBytes, then RijndaelManaged(). That is a very old library and not exactly AES. Also, passwords are not encrypted; they are hashed, at least with salt. – kelalaka Oct 19 '19 at 15:05
  • But I need the exact same result because it's the encrypted result stored in the database and I have to match with this. @kelalaka – Majedur Oct 20 '19 at 03:13
  • We hash the passwords with a good [password hashing](https://security.stackexchange.com/q/211/86735) algorithm. While hashing, we add salt to mitigate Rainbow Tables. When the user tries to log in, you take the password, apply the password hashing algorithm with the user's salt, and compare the result. Encrypting the passwords is [unsafe](https://stackoverflow.com/a/326706/1820553). Or search for 'encrypting passwords' – kelalaka Oct 20 '19 at 06:07
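
The following Node.js code is an added example, not part of the question, the answer or the comments above. It reproduces the C# key derivation and AES-256-CBC step so legacy values can still be matched, then shows the salted scrypt hash the comments recommend for new records. The derivation follows the PBKDF1 extension as implemented in Mono's open-source `PasswordDeriveBytes`, which is an assumption to confirm against a ciphertext produced by the C# code; the `cfg` values and the `hashPassword`/`verifyPassword` names are constructed placeholders.

```javascript
const crypto = require('crypto');

// Constructed placeholders: substitute the real values from the .NET project.
const cfg = {
  passPhrase: 'example-passphrase',
  saltValue: 'example-salt',
  iterations: 2,
  initVector: '0123456789abcdef', // 16 ASCII bytes, as in the C# code
  keySize: 256,
};
const sha1 = (buf) => crypto.createHash('sha1').update(buf).digest();

// Assumed PasswordDeriveBytes.GetBytes behaviour (per Mono's implementation):
// PBKDF1 for the first 20 bytes, then SHA1(ASCII counter || state) blocks.
function passwordDeriveBytes(pass, salt, iterations, length) {
  if (iterations < 2) throw new Error('iterations < 2 not supported here');
  let state = sha1(Buffer.concat([Buffer.from(pass, 'utf8'), salt]));
  for (let i = 0; i < iterations - 2; i++) state = sha1(state);
  const blocks = [sha1(state)];
  for (let n = 1; blocks.length * 20 < length; n++) {
    blocks.push(sha1(Buffer.concat([Buffer.from(String(n), 'ascii'), state])));
  }
  return Buffer.concat(blocks).subarray(0, length);
}

const legacyKey = () => passwordDeriveBytes(cfg.passPhrase,
  Buffer.from(cfg.saltValue, 'ascii'), cfg.iterations, cfg.keySize / 8);
const legacyIv = () => Buffer.from(cfg.initVector, 'ascii');

// RijndaelManaged defaults (128-bit block, PKCS7) + 256-bit key = AES-256-CBC.
function encryptText(text) {
  const c = crypto.createCipheriv('aes-256-cbc', legacyKey(), legacyIv());
  return Buffer.concat([c.update(text, 'utf8'), c.final()]).toString('base64');
}
function decryptText(b64) {
  const d = crypto.createDecipheriv('aes-256-cbc', legacyKey(), legacyIv());
  return Buffer.concat([d.update(b64, 'base64'), d.final()]).toString('utf8');
}

// What the comments recommend for new records: a salted password hash (scrypt).
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  return salt.toString('hex') + ':' + crypto.scryptSync(password, salt, 32).toString('hex');
}
function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 32);
  return crypto.timingSafeEqual(actual, Buffer.from(hashHex, 'hex'));
}
```

Because the key and IV are fixed, equal plaintexts always encrypt to equal ciphertexts, which is why the legacy column can be compared directly and also why the comments advise moving to per-user salted hashes.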