MD5 Alive?

I'm hoping I can find somebody who might know about the guts of MD5,
really in a platform- or implementation-independent way.

Background: I've got an existing web app (Perl/CGI) chugging along
doing its thing. It's been happy for some time now. I'm relying on MD5
to give me a unique value for a password, date (m/d/y), some other
flags, preferences, or status as to what the user is doing, all told
about 70-80 characters. I'm not relying solely on MD5 for password
authentication. I have other algorithms being used for that. This has
nothing to do with on-line commerce. If the user submits a form, either
one or all of the following could be wrong: username, not today's date,
my code may not be able to understand where they are. If I find something
wrong I reset; the user has to log in again and starts from the beginning.
What has become a nice little artifact of this is that users have to log
in again every day.

I was young back then, so I chose to use authentication over the use
of cookies. I'm not going to update this to change, but as I ponder my
next design for the current client I do have the opportunity to try
something new. Though I'd rather not. So, MD5:

From what I've heard and gotten as feedback I think I'm isolated from
the vulnerabilities of MD5? (Q1. True or False). In general, it's a low
risk that anybody is going to go looking into the source and see the hidden
fields. It's even less of a risk that somebody would even think I'm
doing MD5 for this. I was young back then :) Also, in the grand scheme of
things it's not that major: user login is not impacted, and the password is
maintained under another encryption function of the database itself.
Worst case, the user will avoid logging in each day or confuse my script as
to what they're doing. There's nothing for them to see that they can't
see now.

So now as I ponder my new design I would be interested in answers to
the following questions, and it sounds like I just stumbled onto a
site that might be able to answer them:

What's even better (I think?) is that I've got a twist on MD5. I'm
running the digest 25 times on itself, breaking the digest into 2
parts and inserting a known string (like a salt) in between the parts,
and rerunning it another 25 times on all 3 reassembled pieces (original
first, my salt, and original second). Am I interfering with the nature of
MD5 by doing this and losing anything it's giving me? By doing this, do
I run the risk of not getting a unique value from MD5? (Q2. Yes or No).

I've visited one of those cracker sites. I've run MD5 5-6 times on
itself and they were able to tell me what my previous digest was and
eventually get back to the original. Ok, fine. I ran it 1250 times on itself
and they weren't so successful.

I've gotten a detailed implementation of MD5 which matches what the
cracker site tells me, and the results both match for "abc" (just for
fun). I also have a detailed write-up as to MD5's workings. I might
just fall in love with this. Now, instead of being in some library
somewhere, I have a sense of control of it and I know my host won't
take it away from me. As I read it, there are 4 functions that are used
each "round", summarized below:
1. AND(x,y) OR AND(Notx, y)
2. AND(x,z) OR AND(Notz,y)
3. EXOR (X,Y,Z)
4. EXOR(Y, AND(X, NotZ))
Sorry, the notation's not the best, but hopefully you can decipher it. So what
if I changed the order of the functions, like did 2,1,3,4? Can I louse
up MD5 so that it won't be effective in producing a unique digest (Q3.
Yes or No)? What about if I changed or scrambled x, y, z, like kept
the calculations the same but made my z into x, y into z, and x
became y? (Q4. Does rearranging the letters hurt MD5?)

I'm guessing I could really louse up MD5 -- if I really got in there
and started playing around with it. As I gaze into the future I do
like authentication over cookies, although the latter will probably win/
has won out. I don't need 128 characters of output. If I could
shorten that, maybe do some different operations within the MD5
algorithm and not compromise it, I might be able to make good use of

Sorry, this inevitably brings up a debate between the use of cookies
and authentication to maintain state in HTML documents. I do admit
that cookies are better and they will win :<, but please don't blame a
guy for trying or thinking. From my brief look at your site, it sounds like this
is what you folks do anyway.
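To make Q2, Q3 and Q4 concrete, here is an added example (not code from the post above, and in Python rather than the Perl/CGI the post describes): a pure-Python MD5 per RFC 1321 with the four round functions factored out so they can be reordered (Q3) or have their arguments rotated (Q4), plus the 25-pass / split / insert-salt / 25-pass scheme. Assumptions made here and nowhere in the post: each pass hashes the previous 32-character hex digest as ASCII (the way the cracker sites mentioned work), the salt and the sample hidden-field string are made up, and the names md5_like, chained_digest, SWAPPED_ROUNDS and ROTATED_ROUNDS are this example's own. What it shows: with the standard rounds the output matches the standard library on "abc" and on multi-block input; the chained scheme returns exactly 128 bits however many passes are run, so 70-80 characters of input can never all map to distinct digests (pigeonhole), and "unique" can only ever mean "no collision has been found"; and swapping round functions or rotating their arguments still yields a deterministic 128-bit function, but one that is no longer MD5, so nothing known about MD5's behaviour, good or bad, carries over to it.

```python
"""Pure-Python MD5 (RFC 1321) with the four round functions pluggable,
plus the post's iterate / split / salt / iterate scheme.  Constructed
example for this thread, not code from the original post or any library."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# Per-step left-rotation amounts (RFC 1321 section 3.4) and the additive
# constants T[i] = floor(2^32 * |sin(i + 1)|), i in 0..63.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]


# The four auxiliary functions the RFC calls F, G, H and I, one per round.
def F(x, y, z):
    return (x & y) | (~x & z & MASK)


def G(x, y, z):
    return (x & z) | (y & ~z & MASK)


def H(x, y, z):
    return x ^ y ^ z


def I(x, y, z):
    return y ^ (x | (~z & MASK))


def _rotate_args(f):
    # Q4 variant: same function, fed (y, z, x) where the RFC feeds (x, y, z).
    return lambda x, y, z: f(y, z, x)


STANDARD_ROUNDS = (F, G, H, I)
SWAPPED_ROUNDS = (G, F, H, I)          # Q3 variant: rounds 1 and 2 swapped (hypothetical)
ROTATED_ROUNDS = tuple(_rotate_args(f) for f in STANDARD_ROUNDS)  # Q4 variant (hypothetical)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_like(msg: bytes, rounds=STANDARD_ROUNDS) -> bytes:
    """Exactly MD5 when rounds is STANDARD_ROUNDS; otherwise a different
    128-bit function that merely shares MD5's structure."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = msg + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)
    for off in range(0, len(msg), 64):
        M = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):
            r = i // 16
            # Which of the 16 message words each round reads at step i.
            g = (i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16)[r]
            tmp = (rounds[r](B, C, D) + A + K[i] + M[g]) & MASK
            A, D, C, B = D, C, B, (B + _rotl(tmp, S[i])) & MASK
        a0, b0 = (a0 + A) & MASK, (b0 + B) & MASK
        c0, d0 = (c0 + C) & MASK, (d0 + D) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def md5_hex(msg: bytes, rounds=STANDARD_ROUNDS) -> str:
    return md5_like(msg, rounds).hex()


def matches_stdlib(msg: bytes) -> bool:
    """True when the standard-round variant agrees with hashlib.md5 on msg."""
    return md5_like(msg) == hashlib.md5(msg).digest()


def chained_digest(data: str, salt: str, passes: int = 25) -> str:
    """The post's scheme as this example reads it (assumption: each pass
    hashes the previous 32-character hex digest as ASCII): `passes` rounds
    of MD5, split the hex digest in half, insert `salt` between the halves,
    then `passes` more rounds over the reassembled string.  The result is
    still one 128-bit MD5 digest, 32 hex characters, whatever `passes` is."""
    h = data
    for _ in range(passes):
        h = md5_hex(h.encode())
    h = h[:16] + salt + h[16:]
    for _ in range(passes):
        h = md5_hex(h.encode())
    return h


if __name__ == "__main__":
    # Constructed sample of the kind of hidden-field string the post describes.
    record = "alice|03/14/2004|flags=rw|pref=compact|state=editing"
    print("md5(abc) matches hashlib:", matches_stdlib(b"abc"))
    print("chained digest:", chained_digest(record, "house-salt"))
    print("swapped rounds:", md5_hex(b"abc", SWAPPED_ROUNDS))
    print("rotated args:  ", md5_hex(b"abc", ROTATED_ROUNDS))
```

Running it prints the chained digest for the sample record and the two non-MD5 variants' output for "abc"; note that the variants' output is the same length and looks just as random as real MD5, which is exactly why "still produces a unique-looking digest" says nothing about whether the tweaked function is any good.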

