Skip to main content
Version: 3.x

Hashing

In this section, we will dive into various methods for applying cryptographic hashes both generically and securely. We will cover best practices to ensure that the hashing process is robust against common vulnerabilities. Additionally, we will explore secure techniques for comparing hash values, focusing on the use of time-safe comparison functions to prevent timing attacks. These methods are crucial for ensuring the integrity and security of sensitive data in cryptographic operations.

Create a custom HASH

Generic

Method to create a hash of a text where you could choose the desires hash algorithm to use sha1, sha256, sha3-256,...

createCustomHash

public createCustomHash (
algorithm: string,
data: string | Buffer,
options?: GenericOptionsInterface,
): Buffer;

Parameters:

NameTypeDefaultDescription
algorithm RequiredstringDigest algorithm to use (sha1, sha256, sha3-256,...)
data Requiredstring | BufferString or buffer to hash
optionsGenericOptions{}Optional configuration object for input data encoding and output

Options:

NameTypeDefaultDescription
inputDataEncodingBufferEncodingSpecifies the encoding of the input data (e.g., 'hex', 'base64').
outputLengthnumberOption to specify the desired output length in bytes when using XOF hash functions. For example: shake256

Outputs:

As output, it will return a Buffer <Buffer cc 2b.....cd a1 08>

Usage:

async hashUserPasswrd(
plainPassword: string,
): string {
const hashedPassword = this.cryptographyService.createCustomHash(
'sha256',
plainPassword,
{
inputDataEncoding: 'utf-8',
}
);
return hashedPassword.toString('hex')
}

Verify a custom HASH

Generic

Method to verify if an existing hash matches the hash of the desired text. You need choose the existing hash algorithm type used sha1, sha256, sha3-256,...

verifyCustomHash

public verifyCustomHash (
algorithm: string,
data: string | Buffer,
oldHash: string | Buffer,
options?: GenericOptionsInterface,
): boolean;

Parameters:

NameTypeDefaultDescription
algorithm RequiredstringDigest algorithm to use (sha1, sha256, sha3-256,...)
data Requiredstring | BufferString or buffer to hash
oldHash Requiredstring | BufferString or buffer of the existing hash
optionsGenericOptions{}Optional configuration object for input data encoding and output

Options:

NameTypeDefaultDescription
inputDataEncodingBufferEncodingSpecifies the encoding of the input data (e.g., 'hex', 'base64').
outputLengthnumberOption to specify the desired output length in bytes when using XOF hash functions. For example: shake256

Outputs:

As output, it will return true if both matches, or false if not.

This method uses a time-safe comparison function to prevent timing attacks

Usage:

async checkUserPassword(
plainPassword: string,
hashedPassword: string,
): boolean {
return this.cryptographyService.verifyCustomHash(
'sha256',
Buffer.from(plainPassword, 'utf-8'),
Buffer.from(bufferExistingHash, 'hex'),
);
}

Create a secure HASH

Recommended

Method to create an extra secure hash of a text.

In this case the XOF hash function shake256 will be used, producing and output of 384 bits length.

createSecureHash

public createCustomHash (
data: string | Buffer,
options?: GenericOptionsInterface,
): Buffer;

Parameters:

NameTypeDefaultDescription
data Requiredstring | BufferString or buffer to hash
optionsGenericOptions{}Optional configuration object for input data encoding and output

Options:

NameTypeDefaultDescription
inputDataEncodingBufferEncodingSpecifies the encoding of the input data (e.g., 'hex', 'base64').

Outputs:

As output, it will return a Buffer <Buffer cc 2b.....cd a1 08>

Usage:

async secureHashUserPasswrd(
plainPassword: string,
): string {
const hashedPassword = this.cryptographyService.createSecureHash(
plainPassword,
{
inputDataEncoding: 'utf-8',
}
);
return hashedPassword.toString('hex')
}

Verify a secure HASH

Recommended

Method to verify if an existing hash matches the hash of the desired text.

warning

Remember that the previous hash must have been generated using createSecureHash method.

verifySecureHash

public verifySecureHash (
data: string | Buffer,
oldHash: string | Buffer,
options?: GenericOptionsInterface,
): boolean;

Parameters:

NameTypeDefaultDescription
data Requiredstring | BufferString or buffer to hash
oldHash Requiredstring | BufferString or buffer of the existing hash
optionsGenericOptions{}Optional configuration object for input data encoding and output

Options:

NameTypeDefaultDescription
inputDataEncodingBufferEncodingSpecifies the encoding of the input data (e.g., 'hex', 'base64').

Outputs:

As output, it will return true if both matches, or false if not.

This method uses a time-safe comparison function to prevent timing attacks

Usage:

async checkUserPassword(
plainPassword: string,
hashedPassword: string,
): boolean {
const bufferExistingHash = Buffer.from(hashedPassword, 'hex');
const bufferPlainPassword = Buffer.from(plainPassword, 'utf-8');

return this.cryptographyService.verifySecureHash(
bufferPlainPassword,
bufferExistingHash
);
}

🛟 Tips

Remember that...
info

Remember that buffers could be transformed to utf8, hex, base64, latin,... using the toString() method.

let passwordAsBuffer: Buffer = someMethodThatReturnsABuffer();

console.log(passwordAsBuffer.toString('hex')) // f32.....4ee
console.log(passwordAsBuffer.toString('base64')) // 8OI.....ZQ=