3

A project I am working on uses Apache Shiro as a security framework. Passwords are SHA1 hashed (no salt, no iterations). Login is SSL secured. However, the remaining part of the application is not SSL secured. In this context (no SSL) there should be a form where a user can change the password. Since it wouldn't be a good idea to transmit it plainly it should be hashed on the client and then transmitted to the server. As the client is GWT (2.3) based, I am trying this library http://code.google.com/p/gwt-crypto, which uses code from bouncycastle. However, in many cases (not all) the hashes generated by both frameworks differ in 1-4(?) characters. For instance "happa3" is hashed to

"fe7f3cffd8a5f0512a5f1120f1369f48cd6f47c2"

by both implementations, whereas just "happa" is hashed to

"fb3c3a741b4e07a87d9cb68f3db020d6fbfed00a"

by the Shiro implementation and to 

"fb3c3a741b4e07a87d9cb63f3db020d6fbfed00a"

by the gwt-crypto implementation (23rd character differs). I wonder whether there is a "correct"/standard SHA1 hashing and whether there is a bug in one of the libraries or maybe my usage of them is flawed. One of my first thoughts was related to different encodings or strange conversions due to different transport mechanisms (RPC vs. Post). To my knowledge though (and what puzzles me most), SHA1 hashes should differ completely with a high probability if there is just a difference of a single bit. So different encodings shouldn't be the issue here. I am using this code on the client (GWT) for hashing:

String hashed = toHex(createSHA1Hash("password"));
...
private String createSHA1Hash(String passwordString){
    SHA1Digest sha1 = new SHA1Digest();
    byte[] bytes;
    byte[] result = new byte[sha1.getDigestSize()];
    try {
        bytes = passwordString.getBytes();
        sha1.update(bytes, 0, bytes.length);
        int val = sha1.doFinal(result, 0);
    } catch (UnsupportedEncodingException e) {}
    return new String(result);
}

public String toHex(String arg) {
    return new BigInteger(1, arg.getBytes()).toString(16);
}

And this on the server (Shiro):

 String hashed = new Sha1Hash("password").toHex()

which afaics does something very similar behind the scenes (had a quick view on the source code). Did I miss something obvious here?

EDIT: Seems like the GWT code does not run natively for some reason (i.e. just in development mode) and silently fails (it does compile, though). Have to find out why...

Edit(2): "int val = sha1.doFinal(result, 0);" is the line that makes trouble, i.e. if present, the whole code does not run natively (JS) but only in dev-mode (with wrong results)

user462982
  • 1,635
  • 1
  • 16
  • 26
  • 3
    The sha1 hashes you show for the Shiro implementation are correct. The slightly different sha1 hash you're getting from the gwt-crypto implementation indicates that *something* is seriously wrong. I don't know what it is. (Yes there is a correct standard sha1 hash value for any input; that's the whole point.) – Keith Thompson Aug 15 '11 at 23:21
  • You can check SHA-1 online (e.g. first google result: http://www.tools4noobs.com/online_php_functions/sha1/). Looks like Shiro is right and GWT is wrong, but not sure why. – Omri Barel Aug 15 '11 at 23:21
  • Yes, there is a correct hashing, and the gwt-crypto result is wrong. Considering the size of the test suite in the repo, I'm not at all surprised it's broken; there isn't a single test of sha-1. – Wooble Aug 15 '11 at 23:23
  • Try putting something in that exception handler. – Keith Thompson Aug 15 '11 at 23:23
  • (a)Wooble: There is a SHA1DigestTest there (http://code.google.com/p/gwt-crypto/source/browse/trunk/src/test/java/com/googlecode/gwt/crypto/bouncycastle/digests/SHA1DigestTest.java) but is seems, it does not test whether the algorithm produces correct results. In addition, it won't work when the input length is greater than the digest length. (a)Keith: Makes no difference, there is not exception. – user462982 Aug 15 '11 at 23:49
  • @user462982: FYI, you need to use "@Keith" if you want to notify me. – Keith Thompson Aug 16 '11 at 01:56
  • Is your registration page SSL? Why can't this page be SSL? – sourcedelica Aug 16 '11 at 03:26
  • Which version of GWT are you using? – Tahir Akhtar Aug 16 '11 at 11:16
  • @ericacm There is no particular reason, I just thought this way would be easier than securing RPC communication (login is not using RPC). – user462982 Aug 16 '11 at 16:02
  • @Keith Yeah, somehow, I didn't realize I could just write two comments... (it is not possible to have two "@" in a comment that why I reverted to "(a)") – user462982 Aug 16 '11 at 16:03
  • @user462982 thanks for the test case. I am adding it to the gwt-crypto code base and will see if I can fix it. – mooreds Aug 22 '11 at 00:27
  • Hi @user462982 I added your test strings to the gwt-crypto test and they pass, at least in the version in the svn head. What version are you running your test with? – mooreds Aug 22 '11 at 01:19
  • The latest from download: http://code.google.com/p/gwt-crypto/downloads/detail?name=gwt-crypto-2.3.0-20110518.123759-2.jar Haven't tried the SVN-version yet... – user462982 Aug 22 '11 at 14:58
  • I confirm that the latest SVN runs correctly with the happa example (development mode). It still does not run and silently fails when run as JS in the browser (tested with FF 5.0, Chrome 13.0.782.112) – user462982 Aug 22 '11 at 15:55

1 Answers1

2

You could test this version:

public class SHA1 {

    public static native String calcSHA1(String s) /*-{
        //
        // A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
        // in FIPS 180-1
        // Version 2.2 Copyright Paul Johnston 2000 - 2009.
        // Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
        // Distributed under the BSD License
        // See http://pajhome.org.uk/crypt/md5 for details.
        //

        //
        // Configurable variables. You may need to tweak these to be compatible with
        // the server-side, but the defaults work in most cases.
        //
        var hexcase = 0;  // hex output format. 0 - lowercase; 1 - uppercase        
        var b64pad  = ""; // base-64 pad character. "=" for strict RFC compliance   

        //
        // These are the functions you'll usually want to call
        // They take string arguments and return either hex or base-64 encoded strings
        //

        function b64_sha1(s)    { return rstr2b64(rstr_sha1(str2rstr_utf8(s))); }
        function any_sha1(s, e) { return rstr2any(rstr_sha1(str2rstr_utf8(s)), e); }
        function hex_hmac_sha1(k, d)
          { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
        function b64_hmac_sha1(k, d)
          { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
        function any_hmac_sha1(k, d, e)
          { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d)), e); }

        //
        // Perform a simple self-test to see if the VM is working
        //
        function sha1_vm_test()
        {
          return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
        }

        //
        // Calculate the SHA1 of a raw string
        //
        function rstr_sha1(s)
        {
          return binb2rstr(binb_sha1(rstr2binb(s), s.length * 8));
        }

        //
        // Calculate the HMAC-SHA1 of a key and some data (raw strings)
        //
        function rstr_hmac_sha1(key, data)
        {
          var bkey = rstr2binb(key);
          if(bkey.length > 16) bkey = binb_sha1(bkey, key.length * 8);

          var ipad = Array(16), opad = Array(16);
          for(var i = 0; i < 16; i++)
          {
            ipad[i] = bkey[i] ^ 0x36363636;
            opad[i] = bkey[i] ^ 0x5C5C5C5C;
          }

          var hash = binb_sha1(ipad.concat(rstr2binb(data)), 512 + data.length * 8);
          return binb2rstr(binb_sha1(opad.concat(hash), 512 + 160));
        }

        //
        // Convert a raw string to a hex string
        //
        function rstr2hex(input)
        {
          try { hexcase } catch(e) { hexcase=0; }
          var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
          var output = "";
          var x;
          for(var i = 0; i < input.length; i++)
          {
            x = input.charCodeAt(i);
            output += hex_tab.charAt((x >>> 4) & 0x0F)
                   +  hex_tab.charAt( x        & 0x0F);
          }
          return output;
        }

        //
        // Convert a raw string to a base-64 string
        //
        function rstr2b64(input)
        {
          try { b64pad } catch(e) { b64pad=''; }
          var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
          var output = "";
          var len = input.length;
          for(var i = 0; i < len; i += 3)
          {
            var triplet = (input.charCodeAt(i) << 16)
                        | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
                        | (i + 2 < len ? input.charCodeAt(i+2)      : 0);
            for(var j = 0; j < 4; j++)
            {
              if(i * 8 + j * 6 > input.length * 8) output += b64pad;
              else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
            }
          }
          return output;
        }

        //
        // Convert a raw string to an arbitrary string encoding
        //
        function rstr2any(input, encoding)
        {
          var divisor = encoding.length;
          var remainders = Array();
          var i, q, x, quotient;

          // Convert to an array of 16-bit big-endian values, forming the dividend 
          var dividend = Array(Math.ceil(input.length / 2));
          for(i = 0; i < dividend.length; i++)
          {
            dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
          }

          //
          // Repeatedly perform a long division. The binary array forms the dividend,
          // the length of the encoding is the divisor. Once computed, the quotient
          // forms the dividend for the next step. We stop when the dividend is zero.
          // All remainders are stored for later use.
          //
          while(dividend.length > 0)
          {
            quotient = Array();
            x = 0;
            for(i = 0; i < dividend.length; i++)
            {
              x = (x << 16) + dividend[i];
              q = Math.floor(x / divisor);
              x -= q * divisor;
              if(quotient.length > 0 || q > 0)
                quotient[quotient.length] = q;
            }
            remainders[remainders.length] = x;
            dividend = quotient;
          }

          // Convert the remainders to the output string 
          var output = "";
          for(i = remainders.length - 1; i >= 0; i--)
            output += encoding.charAt(remainders[i]);

          // Append leading zero equivalents 
          var full_length = Math.ceil(input.length * 8 /
                                            (Math.log(encoding.length) / Math.log(2)))
          for(i = output.length; i < full_length; i++)
            output = encoding[0] + output;

          return output;
        }

        //
        // Encode a string as utf-8.
        // For efficiency, this assumes the input is valid utf-16.
        //
        function str2rstr_utf8(input)
        {
          var output = "";
          var i = -1;
          var x, y;

          while(++i < input.length)
          {
              // Decode utf-16 surrogate pairs 
            x = input.charCodeAt(i);
            y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
            if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
            {
              x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
              i++;
            }

            // Encode output as utf-8 
            if(x <= 0x7F)
              output += String.fromCharCode(x);
            else if(x <= 0x7FF)
              output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
                                            0x80 | ( x         & 0x3F));
            else if(x <= 0xFFFF)
              output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
                                            0x80 | ((x >>> 6 ) & 0x3F),
                                            0x80 | ( x         & 0x3F));
            else if(x <= 0x1FFFFF)
              output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
                                            0x80 | ((x >>> 12) & 0x3F),
                                            0x80 | ((x >>> 6 ) & 0x3F),
                                            0x80 | ( x         & 0x3F));
          }
          return output;
        }

        //
        // Encode a string as utf-16
        //
        function str2rstr_utf16le(input)
        {
          var output = "";
          for(var i = 0; i < input.length; i++)
            output += String.fromCharCode( input.charCodeAt(i)        & 0xFF,
                                          (input.charCodeAt(i) >>> 8) & 0xFF);
          return output;
        }

        function str2rstr_utf16be(input)
        {
          var output = "";
          for(var i = 0; i < input.length; i++)
            output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
                                           input.charCodeAt(i)        & 0xFF);
          return output;
        }

        //
        // Convert a raw string to an array of big-endian words
        // Characters >255 have their high-byte silently ignored.
        //
        function rstr2binb(input)
        {
          var output = Array(input.length >> 2);
          for(var i = 0; i < output.length; i++)
            output[i] = 0;
          for(var i = 0; i < input.length * 8; i += 8)
            output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32);
          return output;
        }

        //
        // Convert an array of big-endian words to a string
        //
        function binb2rstr(input)
        {
          var output = "";
          for(var i = 0; i < input.length * 32; i += 8)
            output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF);
          return output;
        }

        //
        // Calculate the SHA-1 of an array of big-endian words, and a bit length
        //
        function binb_sha1(x, len)
        {
            // append padding 
          x[len >> 5] |= 0x80 << (24 - len % 32);
          x[((len + 64 >> 9) << 4) + 15] = len;

          var w = Array(80);
          var a =  1732584193;
          var b = -271733879;
          var c = -1732584194;
          var d =  271733878;
          var e = -1009589776;

          for(var i = 0; i < x.length; i += 16)
          {
            var olda = a;
            var oldb = b;
            var oldc = c;
            var oldd = d;
            var olde = e;

            for(var j = 0; j < 80; j++)
            {
              if(j < 16) w[j] = x[i + j];
              else w[j] = bit_rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
              var t = safe_add(safe_add(bit_rol(a, 5), sha1_ft(j, b, c, d)),
                               safe_add(safe_add(e, w[j]), sha1_kt(j)));
              e = d;
              d = c;
              c = bit_rol(b, 30);
              b = a;
              a = t;
            }

            a = safe_add(a, olda);
            b = safe_add(b, oldb);
            c = safe_add(c, oldc);
            d = safe_add(d, oldd);
            e = safe_add(e, olde);
          }
          return Array(a, b, c, d, e);

        }

        //
        // Perform the appropriate triplet combination function for the current
        // iteration
        //
        function sha1_ft(t, b, c, d)
        {
          if(t < 20) return (b & c) | ((~b) & d);
          if(t < 40) return b ^ c ^ d;
          if(t < 60) return (b & c) | (b & d) | (c & d);
          return b ^ c ^ d;
        }

        //
        // Determine the appropriate additive constant for the current iteration
        //
        function sha1_kt(t)
        {
          return (t < 20) ?  1518500249 : (t < 40) ?  1859775393 :
                 (t < 60) ? -1894007588 : -899497514;
        }

        //
        // Add integers, wrapping at 2^32. This uses 16-bit operations internally
        // to work around bugs in some JS interpreters.
        //
        function safe_add(x, y)
        {
          var lsw = (x & 0xFFFF) + (y & 0xFFFF);
          var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
          return (msw << 16) | (lsw & 0xFFFF);
        }

        //
        // Bitwise rotate a 32-bit number to the left.
        //
        function bit_rol(num, cnt)
        {
          return (num << cnt) | (num >>> (32 - cnt));
        }

        return rstr2hex(rstr_sha1(str2rstr_utf8(s))); 
    }-*/;
}

I'm using it in my client side sha generation and it worked well.

thomas
  • 164
  • 1
  • 2
  • mmhmm ... I think I can remember that gwt-crypto didn't compute the right hash when I tested it half a year ago ... I guess that's the reason why I used the code above – thomas Aug 21 '11 at 10:01