0

Hello I have this Java code which uses the following encryption method to encrypt password.

 MessageDigest digester = MessageDigest.getInstance("SHA-1");
 value = digester.digest(password.getBytes());
 digester.update(email.getBytes());
 value = digester.digest(value);

This returns base64 encoded string like qXO4aUUUyiue6arrcLAio+TBNwQ= This is sample not exact.

I am converting this to NodeJs not sure how to handle this. I have tried like 

var crypto = require('crypto');
var shasum = crypto.createHash('sha1'); 
var value = shasum.update('hello'); 
shasum.update('abc@xyz.com'); 
value = shasum.digest(value).toString('base64'); 
console.log(value);

The string base64 I get in node js is not similar to get from java. Not sure why?. I need to have same encoding as java as its old system migrated to new one cant lose old details.

Can someone help me how I can achieve same base64 string.

Bhushan
  • 95
  • 3
  • 13
  • In any case, SHA-1 is an awful idea for password hashing. It's a weak fast hash, not a password hash. Use Bcrypt at least. – Alexander O'Mara Nov 18 '16 at 18:03
  • Yes I know I cant change because the old users to be migrated are registered with this method and cant loose those. thats why I need to keep this method – Bhushan Nov 18 '16 at 19:44
  • 1
    In the java code you seem to be doing the following: Compute the digest of password, update the digester with email , then compute the final digest. The final digest here is actually - digest of (digest of password+email). In your node.js code it is - digest of(password+email). Did you notice that or am I missing something ? – Roshith Nov 21 '16 at 13:03

1 Answers1

0

In Java you're calculating the first value as the hash of the password alone, then overwrite it with hash of the email alone. (digest gives the result and resets the hash, in Java).

In Javascript, on the other hand, you're having an undefined value, then overwrite it with the hash of (password concatenated with email).

PS that hash is conceptually wrong: you should always put a separator between two fields, to avoid ambiguity and, thus, possible attacks.

lapo
  • 3,136
  • 26
  • 34