
There are quite a lot of requirements right now about tracking user information such as unique user visits, returning users, etc.

The problem is that in some countries the IP address is considered as sensitive personal information.

So, to still keep track of unique users on the website, I would like to store a hashed IP address in the DB. Of course it should be:

  1. Fast (because this transaction is made on each page request)
  2. Salted (so that the government cannot complain that it is reversible)

Thanks for your advice

Bukso

bukso
  • What's the issue with a member from the SHA family? Plus a salt? What do you mean with "fast"? How slow do you think "regular" hashing algorithms are? – Thomas Jul 21 '20 at 12:21
  • There's no difference between hashing an IP address and hashing a password. For performance test results see https://stackoverflow.com/questions/5878682/node-js-hash-string/33618940#33618940, and the rest of that question/answer set might provide you some additional insight. – James Jul 21 '20 at 12:23
  • You cannot salt an ip address hash if you want to use it for lookup – Bergi Jul 21 '20 at 12:27
  • @Thomas for example for the passwords I am using bcrypt with 10+ salt rounds, it is quite slow. But considering that it is just one-time event, it is not a big deal. IP should be salted so fast, that it does not slow down the server at some point with many requests. – bukso Jul 21 '20 at 13:26
  • @Bergi Yeah I know that, I could probably save the country before salting the IP. But right now I just want to hash and salt the ip to unique value – bukso Jul 21 '20 at 13:29
  • "*hash and salt the ip to unique value*" makes no sense. Salting means that if you input the same ip multiple times, you will get different results. – Bergi Jul 21 '20 at 13:33
  • @Bergi as of my understanding salt is just a value that you can add to your IP address each time, but when the salt is the same for all, you should get the same value – bukso Jul 21 '20 at 13:40
  • @bukso A salt is random and different for each value, and stored in the database. If it's the same for all, it's called a pepper. And that doesn't help to make a hash irreversible if it's known. – Bergi Jul 21 '20 at 13:41
  • @Bergi Ok thanks for the clarification. So how basically to create and compare if such salted hash exists with salting and less processor effort - possibly directly in a mongodb? – bukso Jul 21 '20 at 13:46
  • https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices/at_download/fullReport has all you need to know. Any hashing algorithm that has 32 bit or more output is not sufficient. You need to use either encryption (with a secret not stored in the database), or a deterministic blur (e.g. taking a hash with only 24 bits of information, which causes collisions - slightly incorrect counts - but makes it irreversible enough) – Bergi Jul 21 '20 at 14:04

1 Answer

There is no perfect hash encryption method. It all depends on your system configurations and settings. For the best result that suits your need, you can run a benchmark test against all hash methods and can evaluate yourself.

The code to run the benchmark is as follows

// Requires the 'benchmark' package from npm (npm install benchmark).
const Benchmark = require('benchmark');
const suite = new Benchmark.Suite();
const hash = require('crypto').createHash;
// Fixed input string that every scenario hashes.
const data = 'Delightful remarkably mr on announcing themselves entreaties favourable. About to in so terms voice at. Equal an would is found seems of. The particular friendship one sufficient terminated frequently themselves. It more shed went up is roof if loud case. Delay music in lived noise an. Beyond genius really enough passed is up.';
// Each algorithm is measured with both hex and base64 output encoding.
const scenarios = [
  { alg: 'md5', digest: 'hex' },
  { alg: 'md5', digest: 'base64' },
  { alg: 'sha1', digest: 'hex' },
  { alg: 'sha1', digest: 'base64' },
  { alg: 'sha256', digest: 'hex' },
  { alg: 'sha256', digest: 'base64' }
];
// Register one benchmark case per algorithm/encoding pair.
for (const { alg, digest } of scenarios) {
  suite.add(`${alg}-${digest}`, () =>
    hash(alg).update(data).digest(digest)
  );
}
// Print each result as it finishes, then the name of the fastest case.
suite.on('cycle', function (event) {
  console.log(String(event.target));
})
  .on('complete', function () {
    console.log('Fastest is ' + this.filter('fastest').map('name'));
  })
  .run();

For more related details you can follow the following blog article

https://medium.com/@chris_72272/what-is-the-fastest-node-js-hashing-algorithm-c15c1a0e164e

Aman
  • Thanks for the answer. Are these hashes also salted? Can they be considered as non-reversible? Because in some countries the requirement is hash+salted – bukso Jul 21 '20 at 13:22
  • Neither of these algorithms is appropriate to pseudonymise ip addresses. – Bergi Jul 21 '20 at 14:07
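
The two options named in Bergi's comment on the question (a secret kept outside the database, or a 24-bit deterministic blur), sketched in Node.js as an added example that is not part of the original thread. HMAC-SHA256 stands in here for the keyed transformation the comment calls encryption; the `IP_PSEUDONYM_KEY` environment variable, the function names and the 10.0.0.0/8 sample addresses are assumptions constructed for illustration.

```javascript
// Added example, not from the original thread; names and key handling are assumptions.
const crypto = require('crypto');
const net = require('net');

// Secret kept outside the database (IP_PSEUDONYM_KEY is an assumed variable name, hex).
// Without it a random per-process key is used, so tokens change on restart.
const KEY = process.env.IP_PSEUDONYM_KEY
  ? Buffer.from(process.env.IP_PSEUDONYM_KEY, 'hex')
  : crypto.randomBytes(32);

// Canonical text form, so one address always yields one token.
function normaliseIp(ip) {
  let addr = String(ip).trim().toLowerCase();
  // Node often reports IPv4 clients as IPv4-mapped IPv6 ("::ffff:192.0.2.7").
  if (addr.startsWith('::ffff:') && net.isIPv4(addr.slice(7))) addr = addr.slice(7);
  if (net.isIP(addr) === 0) throw new TypeError('not an IP address');
  return addr;
}

// Deterministic keyed token: same IP and key give the same value, so it can be
// indexed and looked up, but it cannot be recomputed from the database alone.
function pseudonymiseIp(ip, key = KEY) {
  return crypto.createHmac('sha256', key).update(normaliseIp(ip)).digest('hex');
}

// Deterministic blur: keep only `bits` bits (24 by default, at most 32), so
// distinct addresses can share a token and unique counts become approximate.
function blurIp(ip, key = KEY, bits = 24) {
  const mac = crypto.createHmac('sha256', key).update(normaliseIp(ip)).digest();
  const value = mac.readUInt32BE(0) >>> (32 - bits);
  return value.toString(16).padStart(Math.ceil(bits / 4), '0');
}

// Distinct blurred tokens seen for `count` constructed addresses in 10.0.0.0/8.
function distinctBlurred(count, key = KEY) {
  const seen = new Set();
  for (let i = 0; i < count; i++) {
    seen.add(blurIp(`10.${(i >> 16) & 255}.${(i >> 8) & 255}.${i & 255}`, key));
  }
  return seen.size;
}

// Both spellings of one client address map to the same stored token.
console.log(pseudonymiseIp('::ffff:192.0.2.7') === pseudonymiseIp('192.0.2.7'));
// A 6-hex-digit blurred token, and how many of 20000 addresses stayed distinct.
console.log(blurIp('192.0.2.7'), distinctBlurred(20000));
```

The gap between 20000 and the distinct count printed is the "slightly incorrect counts" the comment mentions; it grows as the number of stored addresses approaches the 2^24 token space.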