Hashing
In this section, we will dive into various methods for applying cryptographic hashes both generically and securely. We will cover best practices to ensure that the hashing process is robust against common vulnerabilities. Additionally, we will explore secure techniques for comparing hash values, focusing on the use of time-safe comparison functions to prevent timing attacks. These methods are crucial for ensuring the integrity and security of sensitive data in cryptographic operations.
Create a custom HASH
Generic
Method to create a hash of a text where you could choose the desires hash algorithm to use sha1, sha256, sha3-256,...
createCustomHash
public createCustomHash (
algorithm: string,
data: string | Buffer,
options?: GenericOptionsInterface,
): Buffer;
Parameters:
| Name | Type | Default | Description |
|---|---|---|---|
| algorithm Required | string | Digest algorithm to use (sha1, sha256, sha3-256,...) | |
| data Required | string | Buffer | String or buffer to hash | |
| options | GenericOptions | {} | Optional configuration object for input data encoding and output |
Options:
| Name | Type | Default | Description |
|---|---|---|---|
| inputDataEncoding | BufferEncoding | Specifies the encoding of the input data (e.g., 'hex', 'base64'). | |
| outputLength | number | Option to specify the desired output length in bytes when using XOF hash functions. For example: shake256 |
Outputs:
As output, it will return a Buffer <Buffer cc 2b.....cd a1 08>
Usage:
async hashUserPasswrd(
plainPassword: string,
): string {
const hashedPassword = this.cryptographyService.createCustomHash(
'sha256',
plainPassword,
{
inputDataEncoding: 'utf-8',
}
);
return hashedPassword.toString('hex')
}
Verify a custom HASH
Generic
Method to verify if an existing hash matches the hash of the desired text.
You need choose the existing hash algorithm type used sha1, sha256, sha3-256,...
verifyCustomHash
public verifyCustomHash (
algorithm: string,
data: string | Buffer,
oldHash: string | Buffer,
options?: GenericOptionsInterface,
): boolean;
Parameters:
| Name | Type | Default | Description |
|---|---|---|---|
| algorithm Required | string | Digest algorithm to use (sha1, sha256, sha3-256,...) | |
| data Required | string | Buffer | String or buffer to hash | |
| oldHash Required | string | Buffer | String or buffer of the existing hash | |
| options | GenericOptions | {} | Optional configuration object for input data encoding and output |
Options:
| Name | Type | Default | Description |
|---|---|---|---|
| inputDataEncoding | BufferEncoding | Specifies the encoding of the input data (e.g., 'hex', 'base64'). | |
| outputLength | number | Option to specify the desired output length in bytes when using XOF hash functions. For example: shake256 |
Outputs:
As output, it will return true if both matches, or false if not.
This method uses a time-safe comparison function to prevent timing attacks
Usage:
async checkUserPassword(
plainPassword: string,
hashedPassword: string,
): boolean {
return this.cryptographyService.verifyCustomHash(
'sha256',
Buffer.from(plainPassword, 'utf-8'),
Buffer.from(bufferExistingHash, 'hex'),
);
}
Create a secure HASH
Recommended
Method to create an extra secure hash of a text.
In this case the XOF hash function shake256 will be used, producing and output of 384 bits length.
createSecureHash
public createCustomHash (
data: string | Buffer,
options?: GenericOptionsInterface,
): Buffer;
Parameters:
| Name | Type | Default | Description |
|---|---|---|---|
| data Required | string | Buffer | String or buffer to hash | |
| options | GenericOptions | {} | Optional configuration object for input data encoding and output |
Options:
| Name | Type | Default | Description |
|---|---|---|---|
| inputDataEncoding | BufferEncoding | Specifies the encoding of the input data (e.g., 'hex', 'base64'). |
Outputs:
As output, it will return a Buffer <Buffer cc 2b.....cd a1 08>
Usage:
async secureHashUserPasswrd(
plainPassword: string,
): string {
const hashedPassword = this.cryptographyService.createSecureHash(
plainPassword,
{
inputDataEncoding: 'utf-8',
}
);
return hashedPassword.toString('hex')
}
Verify a secure HASH
Recommended
Method to verify if an existing hash matches the hash of the desired text.
Remember that the previous hash must have been generated using createSecureHash method.
verifySecureHash
public verifySecureHash (
data: string | Buffer,
oldHash: string | Buffer,
options?: GenericOptionsInterface,
): boolean;
Parameters:
| Name | Type | Default | Description |
|---|---|---|---|
| data Required | string | Buffer | String or buffer to hash | |
| oldHash Required | string | Buffer | String or buffer of the existing hash | |
| options | GenericOptions | {} | Optional configuration object for input data encoding and output |
Options:
| Name | Type | Default | Description |
|---|---|---|---|
| inputDataEncoding | BufferEncoding | Specifies the encoding of the input data (e.g., 'hex', 'base64'). |
Outputs:
As output, it will return true if both matches, or false if not.
This method uses a time-safe comparison function to prevent timing attacks
Usage:
async checkUserPassword(
plainPassword: string,
hashedPassword: string,
): boolean {
const bufferExistingHash = Buffer.from(hashedPassword, 'hex');
const bufferPlainPassword = Buffer.from(plainPassword, 'utf-8');
return this.cryptographyService.verifySecureHash(
bufferPlainPassword,
bufferExistingHash
);
}
🛟 Tips
Remember that...
Remember that buffers could be transformed to utf8, hex, base64, latin,... using the toString() method.
let passwordAsBuffer: Buffer = someMethodThatReturnsABuffer();
console.log(passwordAsBuffer.toString('hex')) // f32.....4ee
console.log(passwordAsBuffer.toString('base64')) // 8OI.....ZQ=