1
votes

I wonder how one would hash a password using aws-crypto (aws-encryption-sdk-javascript). I already used the @aws-crypto/client-node library to do some symmetric encryption using KMS.

import { KmsKeyringNode, encrypt, decrypt } from '@aws-crypto/client-node';

// Keyring backed by a KMS key; "keyid" stands in for the real key id or ARN.
const keyring = new KmsKeyringNode({
  generatorKeyId: "keyid"
});

async function roundTrip(cleartext) {
  // encrypt returns the encrypted message, decrypt recovers the plaintext from it
  const { result } = await encrypt(keyring, cleartext);
  const { plaintext } = await decrypt(keyring, result);

  console.log(plaintext.toString());
}

roundTrip('some secret');

My problem using this approach for encrypting passwords is that I am still able to decrypt the passwords. I don't need this functionality, since I only want to encrypt the passwords and check other strings using the same encryption against those encrypted ones to see if they match.

How would one do this with aws-crypto and KMS?

Not aware that aws-crypto covers the case where you don't need to be able to decrypt the data. Could you just use regular salted password hashes? - jarmod
Educational nitpick: "encryption" is the wrong word to use when you don't want the decryption part (aka "one way encryption"). The word you're looking for is "hashing". - Luke Joshua Park
@jarmod Valid question. I just wanted to use a solid encryption/hashing implementation in my AWS environment. What would you suggest using then on Node.js Lambdas? bcrypt? - choise
I think bcrypt is quite popular and has a good interface. Or there are solutions that don't require third-party packages, for example ciphertrick.com/salt-hash-passwords-using-nodejs-crypto - jarmod
@jarmod Could you please add your suggestions as an answer? Makes sense to me not to require aws-crypto at all. Will check out bcrypt again. I was hesitant to use it since I had in mind that it needed to compile some native modules back in the day when I used it, which failed sometimes on various CI envs. + for suggesting the native crypto module - choise

1 Answer

0
votes

The aws-crypto client-side library is primarily aimed at encryption/decryption use cases. If I understand your use case, I think a regular salted password hash would be appropriate.

The bcrypt package is quite popular and has a good interface. Or there are solutions that don't require third-party packages, for example using the native Node.js crypto module.