
6-1 Analyzing Types of Hash Algorithms

Problem

In document Node js Recipes Cory Gackenheimer pdf (Page 135-138)

You have a command-line interface for which you have access to all of the hash algorithms available to a Node.js user to create a hash of their data. Before you distribute this application, you want a better understanding of each of the algorithms.

Solution

The solution for this is actually quite simple. You are going to build a list of the available hash algorithms that are currently present in Node.js. You will then see a breakdown of how many of these hashes are designed and what their common uses are in the How It Works section. First, you will build a list of the hashes, as shown in Listing 6-1.

Chapter 6 ■ ImplementIng SeCurIty and Cryptography

Listing 6-1. Building a List of Hashes Available in Node.js

/**
 * Hashes
 */

var crypto = require('crypto'),
    hashes = crypto.getHashes();

console.log(hashes.join(', '));

You now run this code to get the full list of available hashes for Node.js.

Listing 6-2. Available Hashes in Node.js

$ node 6-1-1.js

DSA-SHA1-old, dsa, dsa-sha, dsa-sha1, dsaEncryption, dsaWithSHA, dsaWithSHA1, dss1, ecdsa-with-SHA1, md4, md4WithRSAEncryption, md5, md5WithRSAEncryption, mdc2, mdc2WithRSA, ripemd, ripemd160,

ripemd160WithRSA, rmd160, rsa-md4, rsa-md5, rsa-mdc2, rsa-ripemd160, rsa-sha, rsa-sha1, rsa-sha1-2, rsa-sha224, rsa-sha256, rsa-sha384, rsa-sha512, sha, sha1, sha1WithRSAEncryption, sha224,

sha224WithRSAEncryption, sha256, sha256WithRSAEncryption, sha384, sha384WithRSAEncryption, sha512, sha512WithRSAEncryption, shaWithRSAEncryption, ssl2-md5, ssl3-md5, ssl3-sha1, whirlpool

Some of these are deprecated (for example ‘DSA-SHA1-old’) or are not truly cryptographic hash functions but rather other cryptographically useful implementations. That is to say, an RSA encryption is not truly a hash function, but it can be utilized in a way that leverages a hash. In this section you will focus on the Digital Signature Algorithm (DSA), Message Digest (MD4, MD5, etc.), Secure Hash Algorithm (SHA), and WHIRLPOOL hash functions, their uses, and potential vulnerabilities.

How It Works

This works by utilizing the Node.js crypto module. This module is built to provide a robust implementation of many of the cryptographic needs you might encounter when building your Node.js application. The getHashes method is a shortcut to list all the available hashes, which is a list of the OpenSSL hashes that are available on the platform that is running Node.js.

Before you begin using these hashes in your application, it is important to note how they work and what they are good for; the following subsections will break down the most common algorithms and their features. In general, a cryptographic hash is a way to transform data, or a message, into a fixed-length digest, known as the hash. This fixed-length digest will serve as a signature or fingerprint representing the original data that was hashed, without divulging the contents of the original data. What follows is a listing of the common algorithms and their functions.

DSA

The Digital Signature Algorithm (DSA) was originally proposed by the National Institute of Standards and Technology for the DSS (Digital Signature Standard). Because of this, these two abbreviations are sometimes used interchangeably. It should be noted that the DSA is not directly a hash but utilizes a hash function to generate the signature. DSA was originally designed to utilize SHA-1, but SHA-2 has also been used; you will read more about these hash functions later.


MD4

The MD4 hash is still used, but in many cases it has been supplanted by MD5 and other more advanced hashing algorithms. It has been designated as obsolete. MD4 was designed to execute fast. It accepts a message and reduces it to a 128-bit digest.

MD4 is not strong on security. Shortly after its creation, hash collisions were found to be highly probable. This means that even though slight variances in the original messages usually create a unique hash, there are several proofs and methods by which the same hash can be created from multiple messages. Because of this, the algorithm was improved in the MD5 specification.

MD5

The MD5 is the progression of MD4, in order to improve the security of the hash. It again produces a 128-bit hash, but it sacrifices the speed of the algorithm, albeit slightly. The main difference you will see from MD4 is that MD5 introduces a fourth auxiliary function that is used to process the intermediate steps of the hashing. These functions also contain some additional constants and slight variances from MD4 in order to make the hash more secure.

All of that said, the MD5 hash is still not secure because it is still prone to collision and thus collision attacks. However, it is still very popular for validating file integrity, or checking for changes in files. There are various other uses for MD5, including the universally unique identifier (UUID version 3) and CRAM-MD5 (a challenge-response authentication), among others. As stated, it is still a sound hashing algorithm but because of its security vulnerabilities it should be avoided for hardened security applications, or actions like securing an SSL connection.

RIPEMD

There are several variants of the RIPEMD message digest that are based on the MD4 algorithm in its initial design. The most common RIPEMD implementation is RIPEMD-160. A later-generation variant of the original 128-bit hash, it creates a 160-bit hash just like SHA-1. RIPEMD-160 does not currently have any cases of collision vulnerability, and it is also expected to remain secure for perhaps another decade. RIPEMD-160 is slightly slower than SHA-1, which may be one reason why it is not as widely utilized. It is, however, used in Pretty Good Privacy (PGP) encryption. Another reason why RIPEMD is not widely used is that it is not marketed as the de facto standard like SHA-1 is by the National Institute of Standards and Technology.

SHA

SHA is available in several variants, most of which are available in Node.js.

The original SHA algorithm, now known as SHA-0 and available as sha in the Node.js getHashes function, is a 160-bit hash that is known to be vulnerable to collisions. For this reason it has fallen out of popularity and been replaced by the later versions of the algorithm.

After SHA-0 came SHA-1, which is still one of the most widely utilized cryptographic hash functions in computing today. Like SHA-0 before it, SHA-1 also creates a 160-bit digest. SHA-1 is used in nearly all of the most popular secure software protocols today. It is used in Secure Sockets Layer (SSL), Secure Shell (SSH), TLS, and IP Security (IPsec) protocols, among thousands of other implementations that include hashing files in the Git version control system. However, it has been theoretically shown that SHA-1 has collision vulnerabilities, so there have been efforts to create an even more secure hashing algorithm based on SHA-1.

SHA-2 is an envelope name for SHA-256 (256-bit digest), SHA-224 (224-bit digest), SHA-384 (384-bit digest), and SHA-512 (512-bit digest) all of which are available for use in Node.js. These represent evolutions from the SHA-1 algorithm. The 224-bit variety is a truncation of the 256; likewise, the 384 is a truncation of the 512.

The SHA-2 hash is already implemented in many of the same places that SHA-1 is, including SSL, TLS, PGP, and SSH. It is also a part of the bitcoin hashing methods as well as next-generation password hashing on many platforms.

