PHP function crypt() in JavaScript

风格不统一 submitted on 2019-12-17 20:56:00

Question


On the server side I create a password hash:

// Builds a "$1$" (MD5-crypt) salt from 6 random base64 characters.
public static function salt()
{
    return '$1$' . StringUtil::random(6, array('encode' => StringUtil::ENCODE_BASE_64));
}

// Hashes with PHP's crypt(); a fresh salt is generated when none is passed.
public static function hash($password, $salt = null)
{
    return crypt($password, $salt ?: static::salt());
}

And on the client side I want to do the same using CryptoJS. Are there any analogues in JavaScript for PHP's crypt(), not necessarily with CryptoJS?

UPD: I want to do this on the client side because I don't want to send the password to the server, but something like a clientId encrypted with the hash, decrypt it on the server and get the hash for the next manipulations.


Answer 1:


Well, here it is: a CryptoJS implementation of PHP's crypt for MD5 hashes (I guess it's too large to paste). So it's not a complete crypt-like thing, but in your code example you are setting up an MD5-based hash (with the $1$ salt prefix).

How to use it:

  1. Store in a file named php-crypt-md5.js
  2. Use it like that ("rollups" is in your CryptoJS directory, just use the correct path):

    <script src="rollups/md5.js"></script>
    <script src="php-crypt-md5.js"></script>
    
    <script>
        // Builds a "$1$"-prefixed salt of `len` characters. Note that the
        // portable crypt() salt alphabet is ./0-9A-Za-z; PHP's MD5-crypt
        // uses at most 8 salt characters after the "$1$" prefix.
        function createSalt(len) {
            var saltAlpha = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
                "abcdefghijklmnopqrstuvwxyz./-+_";
    
            var salt = '$1$';
            for (var i = 0; i < len; ++i) {
                // Math.random() is not a cryptographic RNG.
                salt += saltAlpha.charAt(
                    Math.floor(Math.random() * saltAlpha.length));
            }
    
            return salt;
        }
    
        // in your JavaScript code:
    
        var salt = createSalt(8);
        var pw = "your password";
    
        var hash = CryptoJS.PHP_CRYPT_MD5(pw, salt);
    </script>



Answer 2:


What's the point of encrypting at the client and then decrypting at the server? This is not security; if all the information for encryption is client side, all someone needs to do is look at the JS source to see what your salt is. There is no security there.

The whole point is to send some data (over a secured channel, like https) to the server, then have the server hash it, and compare that hash to something you already have stored.

The security comes from what happens at the server, not from what you do to the data before you send it. A secure connection will prevent man-in-the-middle listening, but anything you have at the client is out in the open, and in no way contributes to security, unless you're using not-in-the-browser information (like having someone paste in their PGP public key along with whatever you send, with the server already knowing this person's PGP private key for authentication verification) in which case the actual data becomes irrelevant because the public key is now the important part...

So yeah, don't do this. It makes you believe you're being extra secure, when in fact you only made things worse.



Source: https://stackoverflow.com/questions/16996030/php-function-crypt-in-javascript
