PHP function crypt() in JavaScript

Question

On the server side I create a password hash:

public static function salt()
{
    return '$1$' . StringUtil::random(6, array('encode' => StringUtil::ENCODE_BASE_64));
}

public static function hash($password, $salt = null)
{
    return crypt($password, $salt ?: static::salt());
}

And on client side I want to do the same using CryptoJS. Is there any analogues in javascript for PHP crypt(), not necessary with CryptoJS?

UPD: I want to do this on client side because I don't want to send password to server, but something like clientId crypted with hash, decrypt it on the server and get the hash for the next manipulations.

You could just make an ajax call and use your php library. That will endure consistency. — John Conde
– John Conde, Commented Jun 8, 2013 at 4:27
@matr0sk1n: You are doing this to prevent sending the password over the wire? If you submit the hash for authentication and the server just does a simple string compare, you are actually decreasing security because the hash now becomes your password. And the properties of the hash are better known and more limited than those of a real password (less guesswork by the attacker). Use SSL if security is a concern for you. — vstm
– vstm, Commented Jun 8, 2013 at 4:57
Hm, I wrote a bit wrong! I want to send not the hash but something like clientId crypted with hash, decrypt on the server, get hash and compare it. — matr0sk1n
– matr0sk1n, Commented Jun 8, 2013 at 5:11

vstm · Accepted Answer · 2013-06-08 18:31:58Z

Well, here it is: a CryptoJS implementation of PHP's crypt for MD5-hashes (I guess it's too large to paste). So it's not a complete crypt-like thing but in your code example you are setting up a MD5-based hash (with the $1$ salt prefix).

How to use it:

Store in a file named php-crypt-md5.js

Use it like that ("rollups" is in your CryptoJS directory, just use the correct path):

<script src="rollups/md5.js"></script>
<script src="php-crypt-md5.js"></script>

<script>
    function createSalt(len) {
        var saltAlpha = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
            "abcdefghijklmnopqrstuvwxyz./-+_"

        var salt = '$1$';
        for(var i = 0; i < len; ++i) {
            salt += saltAlpha.charAt(
                Math.floor(Math.random() * saltAlpha.length));
        }

        return salt;
    }

    // in your JavaScript code:

    var salt = createSalt(8);
    var pw = "your password";

    var hash = CryptoJS.PHP_CRYPT_MD5(pw, salt);

Mike 'Pomax' Kamermans · Accepted Answer · 2013-06-08 14:54:26Z

What's the point of encrypting at the client and then decrypting at the server? This is not security, if all the information for encryption is client side, all someone needs to do is look at the JS source to see what your salt is, there is no security there.

The whole point is to send some data (over a secured channel, like https) to the server, then have the server hash it, and compare that hash to something you already have stored.

The security comes from what happens at the server, not from what you do to the data before you send it. A secure connection will prevent man-in-the-middle listening, but anything you have at the client is out in the open, and in no way contributes to security, unless you're using not-in-the-browser information (like having someone paste in their PGP public key along with whatever you send, with the server already knowing this person's PGP private key for authentication verification) in which case the actual data becomes irrelevant because the public key is now the important part...

So yeah, don't do this. It makes you believe you're being extra secure, when in fact you only made things worse.

Collectives™ on Stack Overflow

PHP function crypt() in JavaScript

2 Answers 2

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related