MD5 Alive?
- From: JuiceMan <jaysgeneral@xxxxxxxx>
- Date: Sun, 19 Aug 2007 17:07:22 -0700
I'm hoping I can find somebody who might know about the guts of MD5,
really in a platform- or implementation-independent way.
Background: I've got an existing web app (Perl/CGI) chugging along
doing its thing. It's been happy for some time now. I'm relying on MD5
to give me a unique value for a password, data (m/d/y), some other
flags, preferences, or status as to what the user is doing, all told
about 70-80 characters. I'm not relying solely on MD5 for password
authentication. I have other algorithms being used for that. This has
nothing to do with on-line commerce. If the user submits a form, either
one or all of the following could be wrong: username, not today's date,
my code may not be able to understand where they are. If I find something
wrong I reset; the user has to relog in and start from the beginning. What
has become a nice little artifact of this is that users have to relog
in every day.
So I was young back then; I chose to use authentication over the use
of cookies. I'm not going to update this to change, but as I ponder my
next design for the current client I do have opportunity to try
something new. Though I'd rather not. So MD5:
From what I've heard and gotten as feedback I think I'm isolated from
the vulnerabilities of MD5? (Q1. True or False). In general, it's a low
risk that anybody is going to go looking into the source and see the hidden
fields. It's even less of a risk that somebody would even think I'm
doing MD5 for this. I was young back then :) Also, in the grand scheme
of things it's not that major: user log in is not impacted; the password is
maintained under another encryption function of the database itself.
Worst case, the user will avoid logging in each day or confuse my script as
to what they're doing. There's nothing for them to see that they can't
see now.
So now as I ponder my new design I would be interested in answers to
the following questions, and it sounds like I just stumbled onto a
site that might be able to answer them:
What's even better (I think?) is that I've got a twist on MD5. I'm
running the digest 25 times on itself, breaking the digest into 2
parts and inserting a known string (like a salt) in between the parts
and rerunning it another 25 times on all 3 reassembled pieces (original
first, my salt, and original second). Am I interfering with the nature
of MD5 by doing this and losing anything it's giving me? By doing this do
I run the risk of not getting a unique value from MD5? (Q2 Yes or No).
I've visited one of those cracker sites. I've run MD5 5-6 times on
itself and they were able to tell me what my previous digest was and
eventually back to the original. OK, fine. I ran it 1250 times on itself
and they weren't so successful.
I've gotten a detailed implementation of MD5 which matches what the
cracker site tells me, and the results both match for "abc" (just for
fun). I also have a detailed write-up as to MD5's workings. I might
just fall in love with this. Now instead of being in some library
somewhere I have a sense of control of it and I know my host won't
take it away from me. As I read it there are 4 functions that are used
each "round", summarized below:
1. AND(x,y) OR AND(Notx, y)
2. AND(x,z) OR AND(Notz,y)
3. EXOR (X,Y,Z)
4. EXOR(Y, (AND (X, NotZ)
Sorry, notation's not the best but hopefully you can decipher. So what
if I changed the order of the functions, like did 2,1,3,4? Can I louse
up MD5 so that it won't be effective in producing a unique digest (Q3.
Yes or No)? What about if I changed or scrambled what x, y, z are, like kept
the calculations the same but made my z into x, y into z, and x
became y? (Q4. Rearranging the letters hurts MD5?).
I'm guessing I could really louse up MD5 -- if I really got in there
and started playing around with it. As I do gaze into the future I do
like authentication over cookies although the latter will probably win/
has won out. I don't need 128 characters of output. If I could
shorten that, maybe do some different operations within the MD5
algorithm and not compromise it, I might be able to make good use of
it.
Sorry, this inevitably brings up a debate between the use of cookies
and authentication to maintain state in HTML documents. I do admit
that cookies are better and they will win :<, but please don't blame a
guy for trying or thinking. In my brief look at your site, it sounds like this
is what you folks do anyway.
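
The construction described in the post (25 MD5 rounds, split the digest, insert a known string, 25 more rounds), written out as an added Python example; it is not the poster's Perl code. Assumptions: each round re-hashes the previous hex digest, the split is at the midpoint, and the state string, inserted string and key are constructed sample values. `hmac_token` shows the standard library's keyed MAC over the same state for comparison.

```python
import hashlib
import hmac

ROUNDS = 25  # round count stated in the post


def iterate_md5(text: str, rounds: int) -> str:
    """MD5 the text, then keep re-hashing the hex digest (assumed encoding)."""
    for _ in range(rounds):
        text = hashlib.md5(text.encode("utf-8")).hexdigest()
    return text


def twisted_md5(state: str, salt: str) -> str:
    """25 rounds, split the digest, insert the salt, 25 more rounds."""
    first = iterate_md5(state, ROUNDS)
    half = len(first) // 2  # assumption: the two parts are equal halves
    return iterate_md5(first[:half] + salt + first[half:], ROUNDS)


def hmac_token(state: str, key: bytes) -> str:
    """Standard-library keyed MAC over the same state, for comparison."""
    return hmac.new(key, state.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(state: str, token: str, salt: str) -> bool:
    """Recompute the token server-side and compare in constant time."""
    return hmac.compare_digest(twisted_md5(state, salt), token)


# Constructed sample values, not taken from the post.
SALT = "constructed-server-side-string"
STATE = "jsmith|08/19/2007|step=3|prefs=compact"
TAMPERED = "jsmith|08/20/2007|step=3|prefs=compact"

if __name__ == "__main__":
    token = twisted_md5(STATE, SALT)
    print("token            :", token)
    print("same state       :", verify(STATE, token, SALT))
    print("edited date      :", verify(TAMPERED, token, SALT))
    # Knowing the recipe but not the inserted string gives a different value.
    print("wrong salt       :", verify(STATE, token, "guess"))
    print("hmac-sha256 token:", hmac_token(STATE, b"constructed-key"))
```

The token is a deterministic function of the state and the inserted string, so the check holds only while that string stays on the server.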