Paj's Home: Cryptography: JavaScript MD5

JavaScript MD5

Introduction

The MD4, MD5 and SHA-1 algorithms are secure hash functions. They take a string input, and produce a fixed size number - 128 bits for MD4 and MD5; 160 bits for SHA-1. This number is a hash of the input - a small change in the input results in a substantial change in the output. The functions are thought to be secure, in the sense that it would require an enormous amount of computing power to find a string which hashes to a chosen value. In others words, there's no way to decrypt a secure hash. The uses of secure hashes include digital signatures and challenge hash authentication. This document is a good introduction to hashes

News: An alpha release is available for the next version of the MD5 and SHA1 scripts. They now support utf-8 input encoding and output in any arbitrary encoding. Also, the information about writing a login system has been much expanded, although the online example is not currently working.

Demonstration

hex_md4("test hash") = "549089516e75bd13c41ff098fbb58d5e"
hex_md5("message digest") = "f96b697d7cb7938d525a2f31aaf161d0"
hex_sha1("160-bit hash") = "90d925d853c3d35cd54070bb75280fefad9de9e7"

The Scripts

MD4	download v2.1	view source	RFC 1320	old v1.1	(originally by Jerrad Pierce)
MD5	download v2.1	view source	RFC 1321	old v1.1
SHA-1	download v2.1	view source	FIPS PUB 180-1	old v1.1

The code works with most JavaScript implementations; Andrew Kepert has written a browser compatibility test with on-line results.
It also works with other ECMA-script compatible languages, such as ActionScript.
MD4 is not considered as secure as the alternatives.

Quick instructions

First download the appropriate files from the links above. Save them in the same directory as your html file and insert a tag like:

<script type="text/javascript" src="md5.js"></script>

When you want to calculate a hash, use:

<script type="text/javascript">
    hash = hex_md5("input string");
</script>

or md4/sha1 appropriately. These functions return the hash in hexadecimal. The library can also generate HMACs for all three algorithms.

Also, Alejandro Gervasio has written a great set of articles walking you through creating a login system. See parts one, two and three.

Recently Discovered Weaknesses

Some weaknesses have recently been discovered in the MD5 and SHA-1 algorithms (more information). The hashes are designed so it is very difficult to find two messages that produce the same hash, this is called "collision resistance". Because MD5 is 128-bit, by random chance you will find a collision by producing 2⁶⁴ hashes. The weakness in MD5 is that a way has been found to produce such collisions with only 2⁴² hashes. This makes producing collisions practical and I have seen an example of 100 different collisons.

The use of MD5 or SHA-1 for most JavaScript purposes (e.g. challenge-response login) does not rely on the collision resistance property. These weaknesses do not create any vulnerability in such web sites and there is no need to panic. If these weaknesses do concern you, there are alternative algorithms available:

JavaScript RIPEMD-160 by Jeremy Lin
jsSHA-256 by Angel Marin

Uses of hashes

Challenge hash authentication - a simple way to protect passwords during login.
One time passwords - a neat way to use a different password on every website, without having to remember them all.
Generating unique id numbers, e.g. from an email address
Harvesting entropy, e.g. squashing a passphrase down to a 128-bit cipher key
Data integrity and message authentication codes
Bit commitment, e.g. this logic game by Thomas Lussnig. Here the server sends a hash to the client, which commits it to a particular choice of secret colours, but without revealing what the colours are.
One-way encryption of passwords
To make a pseudo symmetric-encryption algorithm

Limitations of JavaScript Cryptography

Over the web, JS cryptography can only protect against passive eavesdropping, as the JavaScript itself is downloaded over an insecure link. If an attacker can modify network traffic, they can make malicious changes to the JavaScript code.

In any case, JS interpreters are not designed for secure programming. They may leave sensitive information lying about in memory. They're too slow for some algorithms, e.g. BSD-style MD5 passwords, or RSA with full-size keys. Bitwise operations are buggy in several implementations.

Here is some information on benchmarking the hash functions.

Users of my Script

Yahoo used it for non-SSL logins, around 2001 - 2006.
Guardian Unlimited use it for registered user login.
Paradigm Healthcare use it for admin logins. One of their engineers contributed a bug fix to the base-64 routines.
The Captchas project.
vBulletin
netjukebox
PBKDF2

Hash code in other languages

Automation Object (ActiveX, COM) by Don Arsenault *
Java by Thomas Weber *
Miva by Petr Kutil and Ivo Truxa *
MS SQL2000 by Adrian Sindile and Richard Vencu *
This lets you to calculate MD5s in an SQL Server database, without needing any additional DLLs.
PL/SQL MD4 and MD5 by Keith Gardner
Progress by Lee Bourne *
RFC 1320, RFC 1321, FIPS PUB 180-1
SQL Server by Oren Novotny
VB Script wrapper by Ian Brennan *
.NET version by Patrik Lundin
Java SHA-1 by Tomer N. Silverman
Javascript::MD5 and JavaScript SHA-1 - Perl modules by Ron Savage.
ActionScript Class by Andrea Giammarchi
PHP by Borfast. Later versions of PHP have a built-in function. *

The ones marked * are based on my code.

More JavaScript Cryptography

There is a lot of low-grade JS crypto about, but these links are all to relatively high-grade algorithms:

RSA public-key cipher.
Rijndael symmetric cipher - extremely secure - also known as AES.
L'Ecuyer/Bays-Durham secure pseudo-random number generator.
Another JavaScript MD5 by Masanao Izumo
MD5 in a JavaScript object. Version A by Andrew Collins and Version B by Kai Meder
MD5 using JavaScript prototypes, by Felipe Gasper
Example of using the MD5 code in JSP by Josh Martin