I am using the SHA512 hash to transfer some encrypted data between my app and its backend. However, I'm having an odd situation and have no idea what might be causing it.

So, I've got the following setups tested:

Android 2x SHA512

Android 1x SHA512 -> CryptoJS 1x SHA512

PHP 2x SHA512

So, when I do the first 2x Android hashing, I get the same result as when I do the 1x Android -> 1x CryptoJS. However, when I do the PHP 2x, I get the same result as I get on the first Android pass, but the second encryption pass of the PHP is different.

On PHP, I've tried both the hash() and openssl_digest() functions with raw bytes as output.

PHP:

```php
$firstpass = base64_encode(hash('sha512', $enteredPassword, true));
//$firstpass = base64_encode(hash('sha512', $enteredPassword, true));

//$secondpass = base64_encode(openssl_digest($firstpass, 'sha512', true));
$secondpass = base64_encode(hash('sha512', $firstpass, true));
```

Android:

```java
public static String encryptPassword(String password) {
    MessageDigest md = null;
    try {
        md = MessageDigest.getInstance("SHA-512");
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    if (md != null) {
        md.update(password.getBytes());
        byte byteData[] = md.digest();
        String base64 = Base64.encodeToString(byteData, Base64.DEFAULT);

        return base64;
    }
    return password;
}
```

CryptoJS:

```javascript
var password = cryptojs.SHA512(req.params.password);
var basepassword = password.toString(cryptojs.enc.Base64);
```

Why would my first hash be correct and my second not and how could I fix this?

Myth1c

1 Answer

SHA1 is not made for security, don't use it for this. Grab any implementation of BCrypt and do security right. As for the different hashes: Most likely an encoding issue related to Strings.

meredrica
  • I'm just trying to find out why I can't get these to match, but I'll check out BCrypt as well. I found out that the 2x Android and Android->CryptoJS had a newline in the base64 string, but the PHP version did not have any newlines in the base64 :S – Myth1c Apr 18 '14 at 12:27
  • Then I was not too far off with encoding ;) – meredrica Apr 18 '14 at 12:43
  • Yeah, but I still have no clue why the PHP doesn't have the newline chars :( – Myth1c Apr 18 '14 at 12:48
  • BASE64 encoding sometimes produces a defined length of line and enters a newline. This can be turned off for every library. In your case: `Base64.encodeToString(byteData, Base64.NO_WRAP)` – meredrica Apr 18 '14 at 12:49
  • Damn, that was the solution!!! I set the Base64.DEFAULT to Base64.NO_WRAP on Android and it was solved! Thanks a bunch! – Myth1c Apr 18 '14 at 13:17
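
The mismatch traced in this thread, reproduced as an added example that is not code from the original posts: the first pass differs only by inserted line breaks, so the second pass hashes different bytes. It uses Node's built-in `crypto` module rather than CryptoJS, and `wrapLikeAndroidDefault` is a hypothetical helper that assumes `Base64.DEFAULT` wraps at 76 characters and ends every line, including the last, with `\n`.

```javascript
// Added example: Node's built-in crypto stands in for Android, PHP and CryptoJS.
const nodeCrypto = require('crypto');

// SHA-512 over the UTF-8 bytes of `text`, as single-line Base64
// (the form PHP's base64_encode and Android's Base64.NO_WRAP produce).
function sha512Base64(text) {
  return nodeCrypto.createHash('sha512').update(text, 'utf8').digest('base64');
}

// Assumed model of Android's Base64.DEFAULT: 76-character lines, each
// terminated by "\n", including the last line.
function wrapLikeAndroidDefault(b64) {
  return b64.replace(/.{1,76}/g, '$&\n');
}

// Hash twice; the second pass hashes the encoded string exactly as produced.
function doubleHash(password, encode) {
  const first = encode(sha512Base64(password));
  const second = encode(sha512Base64(first));
  return { first, second };
}

// Remove line breaks and other whitespace an encoder may have inserted.
function stripWhitespace(s) {
  return s.replace(/\s+/g, '');
}

// Compare a wrapping client against a non-wrapping one for the same password.
function compare(password) {
  const plain = doubleHash(password, (s) => s);
  const wrapped = doubleHash(password, wrapLikeAndroidDefault);
  return {
    firstLooksEqual: stripWhitespace(wrapped.first) === plain.first,
    firstByteEqual: wrapped.first === plain.first,
    secondEqual: stripWhitespace(wrapped.second) === plain.second,
    // Receiving-side fix: normalise the first pass before hashing it again.
    secondAfterNormalising:
      sha512Base64(stripWhitespace(wrapped.first)) === plain.second,
  };
}

// Constructed sample input, not a value from the thread.
console.log(compare('correct horse battery staple'));
```

A server that must accept digests from clients it does not control can strip whitespace from the received Base64 before any further hashing or comparison, as `secondAfterNormalising` does.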