
Comparing hashes

I'm trying to compare a hash of a password created from the Node.js crypto module's PBKDF2sync function with the one stored in my database using "===". But I am getting false. I have checked using console.log that the salts for both are equal, but it is still showing false. I don't understand what's happening.

When I try to console.log the hash from the PBKDF2sync function I get this thing on my terminal:

<SlowBuffer bf 36 32 7e b8 8e 6d a7 8f 8a 9d cb 7e 99 11 47 a7 17 80 17 df ef 8b b4 36 f1 18 1d c5 de ab 1e b3 69 f1 2f 1a 20 09 1f e6 2c c6 2e e9 ca 1f 5a 58 19 46 ...>

Is this the reason why I am getting false? Please help me.

The === also makes sure both datatypes match precisely, so if, say, one is a buffer and the other a (typed) array, then these may have similar content but will still fail to compare.

You could either use == to compare, which will try to convert both to a matching type but is unsafe and thus not advised in hash operations, or you just convert both to the same type before comparing them.

The problem was that I was storing the password in the database as a string and the PBKDF2sync function was returning me a buffer. So === wasn't working. Thanks to some reading I did, I figured it out: after getting the PBKDF2 hash back I just used .toString() on it and it worked.

Hope this solves any problem that anyone else might be having on the same subject.

Please, refrain from using === for hash comparison, as it opens a window for timing attacks; using crypto.timingSafeEqual is a better alternative.

Refer to this thread for more information on why you should use it.

