27

I can make an HMAC using the following:

var encrypt = crypto.createHmac("SHA256", secret).update(string).digest('base64');

I am trying to decrypt an encoded HMAC with the secret:

var decrypt = crypto.createDecipher("SHA256", secret).update(string).final("ascii");

The following was unsuccessful. How can I decrypt a HMAC with the key?

I get the following error:

node-crypto : Unknown cipher SHA256

crypto.js:155
  return (new Decipher).init(cipher, password);
                        ^
Error: DecipherInit error
ThomasReggi
  • 55,053
  • 85
  • 237
  • 424

4 Answers4

77

HMAC is a MAC/keyed hash, not a cipher. It's not designed to be decrypted. If you want to encrypt something, use a cipher, like AES, preferably in an authenticated mode like AES-GCM.

Even knowing the key, the only way to "decrypt" is guessing the whole input and then comparing the output.

CodesInChaos
  • 106,488
  • 23
  • 218
  • 262
  • 3
    Even then, you cannot decrypt it because multiple keys can hash to the same value. A hash is a one-way function. For more information: http://en.wikipedia.org/wiki/Hash_function – Justin Ethier Jan 08 '13 at 16:00
  • 4
    @JustinEthier In many cases the input space is small enough that guessing works. In practice you will never guess a wrong input with the correct hash. You will either guess the correct input, or you won't find a matching input at all. | But since HMAC is keyed, only those who know the key can use this guessing attack, so this usually isn't a problem (with unkeyed hashes guessing the input is often a problem). – CodesInChaos Jan 08 '13 at 16:01
  • Hmm, true, I've moved forward since that comment, destroying it. – Maarten Bodewes Mar 22 '16 at 20:54
67

Again to reiterate hashes aren't designed to be decrypted. However once you have a hash you can check any string is equal to that hash by putting it through the same encryption with the same secret.

var crypto = require('crypto')

var secret = 'alpha'
var string = 'bacon'

var hash = crypto.createHmac('SHA256', secret).update(string).digest('base64');
// => 'IbNSH3Lc5ffMHo/wnQuiOD4C0mx5FqDmVMQaAMKFgaQ='

if (hash === crypto.createHmac('SHA256', secret).update(string).digest('base64')) {
  console.log('match') // logs => 'match'
} else {
  console.log('no match')
}

Seems obvious, but very powerful.

ThomasReggi
  • 55,053
  • 85
  • 237
  • 424
  • 10
    This answer deserves more love. The other answers diverge and talk about ciphering, whereas this nicely explains how an HMAC itself should be used. – Zaccone Feb 29 '16 at 16:50
  • 1
    Be careful to use a comparison function that doesn't leak how many characters match via timing. – CodesInChaos Mar 22 '16 at 15:46
  • @CodesInChaos Care to explain a bit more? What are the implications? – TheRealChx101 Aug 31 '21 at 03:24
  • 1
    @TheRealChx101 He Probably meant that one could consider using `timingSafeEqual` (also part of 'crypto' module) to prevent a timing attack: the speed at which the hash is calculated is dependent upon its inputs thus can give clues as to the contents. – Darren S Nov 13 '21 at 05:30
  • So is it safe to just use the nodejs crypto module to hash passwords of users before storing in the DB or in what ways is bcrypt superior?? – hane Smitter Nov 26 '22 at 21:53
  • How do i set the key type to hex? – kd12345 Dec 15 '22 at 11:14
3

As already been stated by CodesInChaos, HMAC with SHA256 can only be used to hash a value, which is a one-way trip only. If you want to be able to encrypt/decrypt you will have to use a cipher, such as aes or des.

Example on how encryption/decryption:

const crypto = require("crypto");

// key and iv   
var key = crypto.createHash("sha256").update("OMGCAT!", "ascii").digest();
var iv = "1234567890123456";

// this is the string we want to encrypt/decrypt
var secret = "ermagherd";

console.log("Initial: %s", secret);

// create a aes256 cipher based on our password
var cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
// update the cipher with our secret string
cipher.update(secret, "ascii");
// save the encryption as base64-encoded
var encrypted = cipher.final("base64");

console.log("Encrypted: %s", encrypted);

// create a aes267 decipher based on our password
var decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
// update the decipher with our encrypted string
decipher.update(encrypted, "base64");

console.log("Decrypted: %s", decipher.final("ascii"));

Note: You have to save the cipher/decipher into their own variable, and also make sure not to chain .final after .update.

If you want to know what ciphers are available on your system, use the following command: 

openssl list-cipher-algorithm
Community
  • 1
  • 1
mekwall
  • 28,614
  • 6
  • 75
  • 77
  • Which chaining mode does that use? The lack of salt/iv is weird too. – CodesInChaos Jan 08 '13 at 16:51
  • @CodesInChaos `.update` doesn't return a Cipher object, so you can't do `.update(data).final()` as in his example. The lack of salt/iv isn't weird? You'd have to use `.createCipheriv` and `.createDecipheriv` for that. – mekwall Jan 08 '13 at 17:23
  • 2
    I asked for the cryptographic chaining mode. You can't just encrypt data with AES, you need a chaining mode and a padding mode. For example ECB, CBC, GCM,... are common chaining modes. ECB is broken, and when using CBC you usually need to add authentication by yourself, which you didn't. | Encrypting with a password and no salt is weird. Unless the API creates a different salt for each call internally, that's a security weakness. | So your code has good chances of being insecure by using a bad mode or the lack of salt/IV. – CodesInChaos Jan 08 '13 at 17:32
  • @CodesInChaos Oh, sorry for misunderstanding. It's autopadded and uses ECB per default. Didn't know that ECB was broken, so will change to CBC. As for key and iv, they are derived from the password (so it matches his example). As for authentication, this doesn't seem to be necessary in this case. – mekwall Jan 08 '13 at 18:06
  • 1
    Encryption without authentication is broken in many use cases. You can simply use a padding oracle(or similar) to get the recipient to decrypt it for you. | Deriving key+iv deterministically from the password means that you should only encrypt a single message with that password, since else you reuse a key+iv pair, which is bad. | Seems like the node.js crypto API is badly designed[like so many other crypto libs], since it's easy to create weak encryption with it, and hard to create strong encryption. – CodesInChaos Jan 08 '13 at 18:10
  • -1 (sorry) for insecure example on how to use cryptography. It's not as broken as the examples in the official PHP API, but that's about it. – Maarten Bodewes Jan 09 '13 at 21:59
  • @owlstead Updated to use key/iv. When it comes to authentication, I don't really think it's relevant to his question. – mekwall Jan 10 '13 at 11:15
  • 1
    @MarcusEkwall OK, removed downvote, but it should be a secure random IV, of course. Static IV's are of little help. If possible, you should also deploy a PBKDF instead of a hash to derive the key, but that is of somewhat less significance - if the password has enough entropy of course. – Maarten Bodewes Jan 11 '13 at 00:44
  • Clean-up of code to minimum w/o no need to introduce new concept iv: – KK. Oct 03 '17 at 03:52
  • Not worked for long strings (secret). Needed update and final concatenate into a result: var encrypted = cipher.update(secret, "ascii", "base64") + cipher.final("base64"); var decrypted = decipher.update(encrypted, "base64", "ascii") + decipher.final("ascii"); – TatianaP Jan 09 '19 at 17:31
-4

Clean-up of code for a Minimalist View and removal of clutter: note: IIFE runnable in node repl "As Is"

!function(){

const crypto = require("crypto");

// key 
var key = crypto.createHash("sha256").digest();


 // this is the string we want to encrypt/decrypt
 var secret = "ermagherd";

 console.log("Initial: %s", secret);

// create a aes256 cipher based on our password
var cipher = crypto.createCipher("aes-256-cbc", key);

// update the cipher with our secret string
cipher.update(secret);

// save the encryption 
var encrypted = cipher.final();

console.log("Encrypted: %s", encrypted);

// create a aes267 decipher based on our password
 var decipher = crypto.createDecipher("aes-256-cbc", key);

// update the decipher with our encrypted string
decipher.update(encrypted);

console.log("Decrypted: %s", decipher.final()); //default is utf8 encoding   final("utf8") not needed for default

}()

/*  REPL Output

            Initial: ermagherd
    Encrypted: T)��l��Ʀ��,�'
    Decrypted: ermagherd
    true
*/
KK.
  • 693
  • 6
  • 15