Cryptography in JavaScript, Whatever Next?

• By Matt Stephens
• March 25, 2006

It never ceases to amaze me the ingenuity with which programmers manage to push the envelope with JavaScript. Of course, the advent of AJAX is forcing the issue, and placing all sorts of unexpected new requirements on this poor old "quick n’dirty" browser scripting language. You can pretty much guarantee that right now, yet more ingenious scripts are being devilled up, to squeeze the thick client that bit further into our browsers. As they might say, "where there’s a need, there’s a nerd."

So anyway, just in case you don’t want to send stuff over the network in clear text, and HTTPS is rather overkill for what you’re trying to do (e.g. just protect a single field), this resource by Paul Johnston could be just the ticket.

As its name suggests, the JavaScript MD5 script is a JS script for creating MD5 hashes. There’s also an SHA-1 script available from the same page. The same site also has an interesting discussion on using hash scripts to protect login passwords – probably the most common use of hash scripts on the web.

Of course, MD5 and SHA-1 are both deprecated, as it was discovered that it’s easier than previously thought to create "collisions" (i.e. the same hash result from two different inputs). Luckily, use cases such as challenge-response login don’t rely on a hashing algorithm’s collision resistance property, as such. And hey, it’s still better than sending plain text, if that’s the alternative.

Meanwhile, if multi-purpose JS libraries are your thing, dojo.crypto includes an adaptation of Paul Johnston’s MD5 script; and it also includes a from-scratch implementation of Blowfish.

As the author says: "Unsigned integer-based bit math in JavaScript is not fun, not one bit" – just proving how clever programmers are having to be, in order to solve these problems in JavaScript. It’s a brave new AJAX world out there.