JavaScript Hashing

There are a number of hashing algorithms that many people confuse with encryption algorithms. On his web site, Paj from Leeds in England has JavaScript MD4, MD5 and SHA1 hashing scripts that he has made available for anyone to use. While a JavaScript implementation of these hashing algorithms is interesting for anyone who wants to see how to implement this type of code, the use of such scripts in JavaScript is not very practical.

One of the biggest problems with such scripts is that while they may make a particular code almost impossible to crack, they do nothing whatever to stop the code from being completely bypassed.

For example, let's assume that you use one of these hashing scripts to place an "encrypted" version of a password into your page for testing against. The person requiring access enters the password and it is fed through one of these routines in order to create the version to compare with the one hard coded into the page. Unless this is just a client side test that is going to be repeated on the server, it does little to block anyone from accessing whatever it is supposed to be protecting, as it is a relatively trivial task to override the JavaScript in a web page with your own version that does not include that test. The simplest way to do this (for those who don't know how to install their own userscripts into web pages) is to copy the page to your computer and manually delete the code that you want to skip over.

The problem with hashing algorithms like this is that they are a form of one way encryption. It is impossible to determine what the original value was that was fed into the script to produce a given result. While you may be able to use a brute force approach to feed millions of different values in to find a value that works, there are multiple values that all give the same result and there is no way to tell if the specific value that has been found is in fact the one that was intended.

Hashing scripts such as these (particularly SHA1) are useful on the server for hiding passwords etc. so that only the individuals who have accounts will ever know what their password is (since only the hashed version is stored in the database). Since the script that does the hashing and comparison runs server side, there is no way for anyone to bypass the test without bypassing the server security and gaining access to the server, at which point bypassing that code becomes unnecessary. Apart from prevalidating a password before passing it to the server (and lessening the security of the password by providing information about the hashed equivalent), such scripts serve no purpose client side.
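The contrast described above between a check shipped in the page and a check run on the server, as an added example (not code from the original article or from Paj's scripts). It runs under Node.js; the function names, password and content are constructed, and the server side uses salted scrypt with a constant-time compare in place of the plain SHA1 the article mentions.

```javascript
// Added example: names, password and content are constructed for illustration.
const crypto = require('crypto');

const SECRET_CONTENT = 'members-only text'; // constructed sample
const PASSWORD = 'correct horse';           // constructed sample

// Pattern the article warns about: hash and content both ship in the page.
// Everything returned here reaches every visitor, whatever they type.
function buildClientGatedPage() {
  const hash = crypto.createHash('sha1').update(PASSWORD).digest('hex');
  return `<script>var expected="${hash}";</script>` +
         `<div id="secret" hidden>${SECRET_CONTENT}</div>`;
}

// Server-side pattern: only a salt and a derived hash are stored.
function createAccount(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Re-derive from the submitted value and compare in constant time.
function verifyPassword(account, candidate) {
  const derived = crypto.scryptSync(candidate, account.salt, 32);
  return crypto.timingSafeEqual(derived, account.hash);
}

// The response carries the content only after the server's own check passes.
function handleRequest(account, submittedPassword) {
  if (!verifyPassword(account, submittedPassword)) {
    return { status: 403, body: 'Forbidden' };
  }
  return { status: 200, body: SECRET_CONTENT };
}

const account = createAccount(PASSWORD);
// The client-gated page already contains the content it is meant to protect.
console.log('in page source:', buildClientGatedPage().includes(SECRET_CONTENT));
console.log(handleRequest(account, 'wrong guess'));
console.log(handleRequest(account, PASSWORD));
```

In the first pattern the browser decides whether to reveal data it already holds; in the second the data never leaves the server until the comparison succeeds there.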

To provide any effective protection client side, a two-way encryption is needed: access to the content must only be given when a valid password is entered, so the content has to be held in an encrypted format that is capable of being decrypted in order to gain any sort of protection at all client side. Since hashing algorithms cannot be decrypted back into their original values, they are therefore useless in providing any form of protection whatsoever.

I am unable to think of any useful purpose for hashing scripts written in JavaScript other than for learning how they work. Can you think of any way in which such scripts could be used to increase rather than decrease security? If so then please join the discussion.

©2009 About.com, a part of The New York Times Company.

All rights reserved.