

jsSHA - A JavaScript Implementation Of The Entire Family Of SHA Hashes - Hirvesh
http://caligatio.github.com/jsSHA/

======
dguido
Who is this person and why are they qualified to write this library?

AFAIK, Stanford is generally accepted to have the most reliable JS crypto
library, though all of them are broken as all hell and not usable in anything
but toy applications.

<https://crypto.stanford.edu/sjcl/>

~~~
Cyranix
Can you clarify "broken"? In this context there is a world of difference
between "inaccurately implemented" and "slow".

~~~
hdevalence
There's a nice article here:

<http://www.matasano.com/articles/javascript-cryptography/>

that explains some of the issues with JavaScript-based cryptosystems.

~~~
saurik
Note: these arguments only apply to JavaScript in a browser (and at that
point, apply to virtually any client-side system attempting to somehow protect
information from being snooped on by the server that dynamically provides the
code to execute on the client <- an idea that should have been preposterous
from the start ;P).

------
haclifford
The Google Closure Library has SHA1 and HMAC support as well - well worth
checking out

<http://closure-library.googlecode.com/svn/docs/namespace_goog_crypt.html>

------
StavrosK
Isn't it well past time browsers got a standard crypto library that couldn't
be overridden? Are there any vulnerabilities in that scheme?

~~~
anonymous
You mean like SSL/TLS?

~~~
StavrosK
No, a library with crypto primitives that JavaScript can access.

~~~
jtdowney
The W3C has a crypto API draft at: <http://www.w3.org/TR/WebCryptoAPI/>

~~~
StavrosK
Fantastic, that's very promising.

------
shin_lao
I'm sorry, but the "entire family of SHA hashes" is incorrect as SHA3 isn't
present.

------
Hirvesh
via Functionn - Open Source Resources For Web Developers & Designers:
<http://functionn.blogspot.com/2012/07/jssha-javascript-implementation-of.html>

P.S. Functionn contains a whole lot more of awesome resources like jsSHA.
There's only a fraction of them I can post here at a time. Take a look if you're
interested, and subscribe:

<http://functionn.blogspot.com>

~~~
daeken
Looking at your comment history, 99.9% of it is links to your own blog. While
HN is generally not against self-promotion, you should probably tone it down;
I'd be very surprised if it didn't end up getting you banned, as it looks a
whole lot like spamming (and really, it is). That said, keep up the good work
with your blog, just chill a bit on the constant links.

~~~
Hirvesh
Thank you for the kind words for the blog!

Will take your advice and try not to post too many links. Will try to
contribute more to the HN community in other ways :-)

------
robbles
What would you use an HMAC generated in JavaScript for? I'm trying to think of
uses that wouldn't be completely insecure, but I'm coming up empty. You need
to have the key client-side, so what's the point?

~~~
hexasquid
I imagine this is not sent to the client, and is used for serverside
JavaScript applications.

~~~
pjscott
In server-side JavaScript, you'd typically have easy access to non-JS crypto
libraries. In node, you have the crypto package, which is a thin wrapper
around OpenSSL. In Rhino, you can use Java libraries like Bouncy Castle. And
so on.
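
Added example, not part of the thread: the server-side use of HMAC discussed in the comments above, written against Node's built-in `crypto` module. The token format (`hex(payload).hex(tag)`) and the names `SERVER_KEY`, `issueToken` and `verifyToken` are assumptions made for this example; the key never leaves the server.

```javascript
// Server-side HMAC: the key stays on the server, clients only carry tokens.
const { createHmac, timingSafeEqual, randomBytes } = require('node:crypto');

// Assumption: a per-deployment secret, generated here for the example.
const SERVER_KEY = randomBytes(32);

// HMAC-SHA256 over the message, returned as lowercase hex.
function sign(message, key = SERVER_KEY) {
  return createHmac('sha256', key).update(message, 'utf8').digest('hex');
}

// Hypothetical token format for this example: hex(payload) + "." + hex(tag).
function issueToken(payload, key = SERVER_KEY) {
  const body = Buffer.from(payload, 'utf8').toString('hex');
  return `${body}.${sign(body, key)}`;
}

// Returns the payload if the tag verifies under the key, otherwise null.
function verifyToken(token, key = SERVER_KEY) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [body, tag] = parts;
  // Reject anything that is not exactly a 32-byte hex tag before decoding,
  // so trailing junk cannot ride along behind a valid tag.
  if (!/^[0-9a-f]{64}$/.test(tag) || !/^([0-9a-f]{2})*$/.test(body)) return null;
  const expected = Buffer.from(sign(body, key), 'hex');
  const given = Buffer.from(tag, 'hex');
  // Constant-time comparison; lengths are equal here (both 32 bytes).
  if (!timingSafeEqual(given, expected)) return null;
  return Buffer.from(body, 'hex').toString('utf8');
}

// Constructed sample input.
const sample = issueToken('user=42');
console.log(sample, '->', verifyToken(sample));
```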

------
karanlyons
Also (shameless plug), if you want to use murmurHash3 in JavaScript:
<https://github.com/karanlyons/murmurHash3.js>

~~~
Hirvesh
Looks interesting, how does it compare to SHA hashes?

~~~
djcapelis
MurmurHash isn't secure and isn't intended to be. The algorithm is intended
for fast non-cryptographic hashing for non-secure hashing needs. Whether or
not people will use them only in cases where they really don't need any
security in their hash (an attacker could cause a denial of service or a
slowdown of service by degrading the performance of core data-structures if
you use a non-secure hash function against untrusted inputs in the wrong
contexts) is somewhat up in the air.

That said, it's being used by real applications in production, so the niche is
definitely there, but for anything that needs any level of security you should
continue using a secure hash algorithm, of which the unimaginably named SHA
family provides a good set of standard algorithms. Using a secure hash every
place you need a hashing algorithm unless you _know_ you'll need the extra
perf and _know_ you can get away with it is probably a reasonable practice.

~~~
pjscott
You might also be interested in SipHash, a cryptographic MAC that's fast
enough to use in hash tables. If you want to avoid those denial of service
attacks, it's a good candidate.

<https://www.131002.net/siphash/>
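
Added example, not part of the thread: why a keyed function protects a hash table fed untrusted keys, as raised in the two comments above. The toy additive hash, the 64-bucket table and the sample keys are constructed for this example, and HMAC-SHA256 from Node's `crypto` module is used as a stand-in keyed function in place of SipHash.

```javascript
const { createHmac, randomBytes } = require('node:crypto');

const BUCKETS = 64;

// Unkeyed toy hash (constructed for this example): sum of character codes.
// Its output is predictable, so any reordering of the same characters
// always lands in the same bucket.
function unkeyedIndex(key) {
  let sum = 0;
  for (const ch of key) sum += ch.codePointAt(0);
  return sum % BUCKETS;
}

// Keyed index: a per-process secret makes bucket placement unpredictable
// to anyone who does not know the secret. HMAC-SHA256 stands in for SipHash.
function makeKeyedIndex(secret = randomBytes(16)) {
  return (key) =>
    createHmac('sha256', secret).update(key, 'utf8').digest().readUInt32BE(0) % BUCKETS;
}

// Insert every key into a chained table and return the longest chain,
// which is the worst-case lookup cost for that table.
function longestChain(keys, indexOf) {
  const table = Array.from({ length: BUCKETS }, () => []);
  for (const k of keys) table[indexOf(k)].push(k);
  return Math.max(...table.map((chain) => chain.length));
}

// Constructed sample input: the 64 rotations of one 64-character string.
function rotations() {
  const base = Array.from({ length: 64 }, (_, i) => String.fromCharCode(48 + i)).join('');
  return Array.from({ length: 64 }, (_, i) => base.slice(i) + base.slice(0, i));
}

const keys = rotations();
console.log('unkeyed longest chain:', longestChain(keys, unkeyedIndex));
console.log('keyed longest chain:  ', longestChain(keys, makeKeyedIndex()));
```

With the unkeyed hash every sample key shares one bucket, so lookups degrade to a linear scan; with the keyed function the same keys spread across the table.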

------
cburgmer
I started using it last week to calculate a fingerprint of a set of files
(<http://cburgmer.github.com/csscritic/>)

------
ImJasonH
There's also a proposal to have crypto added as a native API.

<http://www.w3.org/TR/WebCryptoAPI/>

