Faster MD5 Javascript Library

Most passwords are hashed or one way encrypted when stored for added security. This makes it difficult for an attacker to retrieve the original password through accidental or malicious access to the database as there is no way to decrypt it directly.

Unfortunately this approach is still susceptible to rainbow tables, where you use an already generated table of password combinations and their hashes to quickly look up the original password from the hash. Due to this, most systems have implemented salts to their hashes by either appending a string to the password or the hashed string and hashing it again before storing. By using salts, the rainbow tables that would be required to perform such a look up would have to be exponentially larger making it impractical.

Finally, these passwords still end up prone to another attack that is unavoidable, which is brute force attacks, where a user goes through all possible combinations computing their hashes the same way your system would, and doing this till it ends up with a match. For this, the only thing we can do is slow them down, by either forcing more complicated passwords (uses upper/lower case, numbers, symbols) and/or implementing what is called key stretching.

Key stretching works essentially by rehashing the password many times and salting it with the previous hash, and obviously starting the process by hashing it with a randomly generated salt string that is stored along with the final hash to prevent rainbow table attacks.

Now you can either do the key stretching server side, client side or both. Unfortunately if you opt for any form of client side, the currently most popular MD5 javascript implementation is slow for this, making it difficult to do more than few hundred iterations on IE8 without hanging a user’s browser for an extend amount of time. Due to this I set out to extend/modify that library in an attempt to make it faster, as well as optimized for this task, and this is where MD5 Ex comes in.

Most of the optimizations I did involved reducing the number of function calls by making some code more repetitive (made a huge difference in some browsers), made a stretch function that avoids converting the hash to hex only to convert back to binary for each iteration, as well as benchmarking various different approaches to certain equations.

Thanks to these optimization, not only is key stretching 150-400% faster, a normal MD5 hash is up to 164% faster in my benchmarks.

You can download the script, see all my benchmarks and get a more in depth explanation of everything here.


This entry was posted in Javascript, Security and tagged , . Bookmark the permalink.


Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>