Rohit Nirmal
The MD4, MD5 and SHA-1 algorithms are all secure hash functions. They take a string as input and produce a fixed-size number: 128 bits for MD4 and MD5, and 160 bits for SHA-1. This number is a hash of the input, which means that a small change in the input results in a substantial change in the output number.
It is characteristic of a hash function that it is almost impossible to determine the string from its hash, while it is very easy to compute the hash of any string.
So, these functions are considered secure, meaning that it requires an enormous amount of computing power and time to find a string that hashes to a chosen value. In other words, there is no way to decrypt a secure hash.
Secure hashes are used in digital signatures and challenge hash authentication.
You can download free JavaScript implementations of all three algorithms from sites on the web.
calcMD5("hello") = "5d41402abc4b2a76b9719d911017c592"
calcMD4("hello") = "866437cb7a794bce2b727acc0362ee27"
calcSHA1("hello") = "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
Now try changing your input string to "gello". You will get the following result:
calcMD5("gello") = "eebc55db607dc752a7c115e1a3e2e3ff"
So, we found that a small change in the input resulted in a huge change in the output number.
Let us suppose that we have decided that the password will be "encrypt". So, you use the facility given above to find the MD5 hash of "encrypt". It comes to "53c82eba31f6d416f331de9162ebe997". So, in the JavaScript code on this page, in the method "verify()", I am comparing the hash of the string entered by the user with "53c82eba31f6d416f331de9162ebe997". If they are equal, this means that the user entered the correct password, and we pop up a window with the text "Great! You have entered a valid password!".
Note that we have mentioned the word "encrypt" above. But on a real log-in form the password in clear form will not be mentioned either on the page or in the JavaScript code on the page.
The user can display the source of the page and find that we are comparing a string to "53c82eba31f6d416f331de9162ebe997", but from this string he cannot retrieve the password.
However, you must understand that one caveat with using JavaScript cryptography is that it only protects you against passive eavesdropping. A malicious attacker who can modify network traffic can intercept the transmission of the JavaScript code and replace it with code that does not verify the password entered and lets the user go ahead with using the system as if he had entered the correct password.
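The hash comparison that verify() performs, shown as an added example (not the code from this page) next to a server-side check that stores a per-user salt with an scrypt hash and so does not depend on script delivered to the browser. It runs under Node.js; the function names verifyClientSide, enroll and verifyServerSide and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not the page's code. Function names are hypothetical.
const nodeCrypto = require("node:crypto");

// Equivalent of the page's calcMD5(): hex MD5 digest of a UTF-8 string.
function calcMD5(text) {
  return nodeCrypto.createHash("md5").update(text, "utf8").digest("hex");
}

// The check the page describes: hash the input and compare it with a
// constant embedded in the page. Whoever controls the delivered script
// controls this function and its result.
function verifyClientSide(input, expectedHex) {
  return calcMD5(input) === expectedHex;
}

// Server-side enrolment: a random per-user salt plus scrypt, a key
// derivation function that is deliberately slow to compute.
function enroll(password) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, 32);
  return { salt: salt.toString("hex"), hash: hash.toString("hex") };
}

// Server-side verification: recompute with the stored salt and compare
// in constant time. The stored record is never sent to the browser.
function verifyServerSide(password, record) {
  const salt = Buffer.from(record.salt, "hex");
  const expected = Buffer.from(record.hash, "hex");
  const actual = nodeCrypto.scryptSync(password, salt, expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed sample data: the MD5 of "hello" quoted on this page, and
// the page's example password enrolled twice.
const helloHash = "5d41402abc4b2a76b9719d911017c592";
const first = enroll("encrypt");
const second = enroll("encrypt");

console.log("client check, hello:", verifyClientSide("hello", helloHash));
console.log("client check, gello:", verifyClientSide("gello", helloHash));
console.log("server check, encrypt:", verifyServerSide("encrypt", first));
console.log("server check, Encrypt:", verifyServerSide("Encrypt", first));
// The salt makes two records for the same password differ.
console.log("records differ:", first.hash !== second.hash);
```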