Skip to content

Instantly share code, notes, and snippets.

@mba7
Forked from skeggse/crypto-pbkdf2-example.js
Last active October 12, 2020 14:39
Show Gist options
  • Save mba7/979e6c3fe715fc618549fae4d09019ef to your computer and use it in GitHub Desktop.
Save mba7/979e6c3fe715fc618549fae4d09019ef to your computer and use it in GitHub Desktop.
Example of using crypto.pbkdf2 to hash and verify passwords asynchronously using bluebird promise, while storing the hash and salt in a single combined buffer along with the original hash settings
var Promise = require('bluebird');
var crypto = Promise.promisifyAll(require("crypto"));
// http://security.stackexchange.com/questions/110084/parameters-for-pbkdf2-for-password-hashing
var config = {
hashBytes : 64, // size of the generated hash (to be chosen accordint the the chosen algo)
saltBytes : 16, // sise of the salt : larger salt means hashed passwords are more resistant to rainbow table
iterations : 500000, // tune so that hashing the password takes about 1 second
algo :'sha512',
encoding : 'base64' // hex is readable but base64 is shorter
};
/**
* Hash a password using Node's asynchronous pbkdf2 (key derivation) function.
*
* Returns promise with a self-contained buffer encoded with config.encoding
* that contains all the data needed to verify a password:
-----------------------
| SaltLen | 4 |
-----------------------
| Salt | saltBytes |
-----------------------
| HashLen | 4 |
-----------------------
| Salt | hashBytes |
- ---------------------
*/
function hashPassword(password) {
return crypto.randomBytesAsync(config.saltBytes)
.then(function(vsalt) {
salt = vsalt;
return crypto.pbkdf2Async(password, salt, config.iterations, config.hashBytes, config.algo)
})
.then(function(hash) {
var array = new ArrayBuffer(hash.length + salt.length + 8);
var hashframe = Buffer.from(array);
// extract parameters from buffer
hashframe.writeUInt32BE(salt.length, 0, true);
hashframe.writeUInt32BE(config.iterations, 4, true);
salt.copy(hashframe, 8);
hash.copy(hashframe, salt.length + 8);
return hashframe.toString(config.encoding);
});
}
/**
* Verify a password using Node's asynchronous pbkdf2 (key derivation) function.
*
* Accepts a hash and salt generated by hashPassword, and returns whether the
* hash matched the password (as a resolved promise).
*/
function verifyPassword(password, hashframe) {
// decode and extract hashing parameters
hashframe = Buffer.from(hashframe, config.encoding);
var saltBytes = hashframe.readUInt32BE(0);
var hashBytes = hashframe.length - saltBytes - 8;
var iterations = hashframe.readUInt32BE(4);
var salt = hashframe.slice(8, saltBytes + 8);
var hash = hashframe.slice(8 + saltBytes, saltBytes + hashBytes + 8);
// verify the salt and hash against the password
return crypto.pbkdf2Async(password, salt, iterations, hashBytes, config.algo)
.then(function(verify) {
if (verify.equals(hash)) return Promise.resolve(true);
return Promise.reject( new Error("wrong password")) ;
})
}
exports.hashPassword = hashPassword;
exports.verifyPassword = verifyPassword;
// used for testing
/*console.time("hash");
hashPassword("abc")
.then(function(hash) {
console.log("hashframe", hashframe.toString(config.encoding));
console.timeEnd("hash");
return verifyPassword("abc", hash);
})
.then(function() { console.log("password correct");})
.catch(function(err) { console.log("err", err);})
*/
@Globik
Copy link

Globik commented Dec 27, 2016

Is it a scmp module?

@BenjaminConant
Copy link

BenjaminConant commented Jan 17, 2017

line 77
console.log("hashframe", hashframe.toString(config.encoding));
should be
console.log("hashframe", hash.toString(config.encoding));

or better yet

console.log("hash", hash); as hashPassword("abc") returns a string

@yunstr
Copy link

yunstr commented Jun 14, 2017

This is great! What is the license on this code?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment