FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


MD5...





[FuN]goku
i was just wondering... is it possible to crack md5 in php??? my friend said he did it but i dont know if i believe him or not... so... is it?
{name here}
You can, you just need to know the algorithm. To do it is a very time consuming process because the best way to do it is by hand and trial and error. This is because MD5 hashes are not meant to be translated back into readable form, and - just like leetspeak - there are multiple ways to encypt the hash.
[FuN]goku
time consuming??? like how long?? hours?
sonam
Maybe few years. Md5 is a hash algorithm used for creating digital signatures. It is very difficult (allmost inpossible) to retrieve the original string from hashed algorithm.

Sonam
Rhysige
Is it possible to crack MD5 with PHP? in short, NO.
MD5 has not yet been cracked, this doesnt make it impossible to crack individual hashes but not the MD5 encryption as a whole.

You could theoretically write a PHP script to go through ever possible combination of letters to see if one works, this is known as brute forcing.

There are other methods of retrieving the original text from MD5 but as I said no one has yet been able to decrypt MD5 (Except the guys who made it but you think they would tell anyone?)
thnn
MD5 uses a 128bit encryption, which unless you were a skilled hacker would take a long time to hack. If you are wondering about using it on your site, seen it is the internet standard it should be fine. If you are wanted something perhaps more secure try using mcrypt with blowfish or the sha-1 encryption system, with the later being designed by the NSA and the US Government standard. Also with mcrypt you can set your own key, which I recommend using a word, numbers and an MD5 encrypted key for.

Rhysige wrote:
There are other methods of retrieving the original text from MD5 but as I said no one has yet been able to decrypt MD5 (Except the guys who made it but you think they would tell anyone?)


Are you sure they can? I remember reading somewhere that even that cant decrypt a md5 encrypted string.
yjwong
I saw a website long ago, which can actually "decrypt" MD5 hashes...forgot whats the URL though. It works only for strings that contain only alphabets, not numbers.
Rhysige
Thats not decrypting thats Rainbow tables, I do have a website that I will not post here and no dont PM me for it either, that allows you to search its database of MD5 hashes and if its in there it will return the coresponding string.

And im pretty sure the guys who made it could decrypt it, every encryption uses a method, the key to MD5 is that the key used is internal and almost no one knows it or needs to know it so decryption would be guess work on the key.. which for all intents and purpouses is impossible.
Daniel15
Quote:
And im pretty sure the guys who made it could decrypt it


Actually, it's impossible to decrypt an MD5 hash. Why? Because it's a hash. A hash is like an encryption method, except it's only one-way. You can't go back the other way.

This is not a practical example (it's very very simple, actually oversimplified quite a lot), but I thought it would be useful for explaining how hashing works: say for example, you had the number 123456789. A simple way of encoding this would be to add a random number to this (called the 'key'). For example, we could use a key of 1235412. If we add the key to the original input, we get 124692201. From this, we can get the original number (by subtracting the value of the key).

A simple hash would be to add all the digits together (1+2+3+4+5+6+7+8+9=45). From the result (in this case, 45), it's impossible to get the original input (123456789). The only way to get it would be to try every single combination of letters/numbers, and check if the hash is the same (this is 'brute-forcing').

Now, an MD5 hash is much more complex than this, but the theory is still there.

In short: You can't go from an MD5 hash back to an unencrypted string Smile

Quote:
very encryption uses a method, the key to MD5 is that the key used is internal and almost no one knows it or needs to know it so decryption would be guess work on the key

Actually, there is no key used for MD5 (well, there is for MD5 HMAC, but that is again a one-way hashing algorithm. MD5 HMAC is based on MD5, but it uses a key for even more security)
Kaneda
thnn wrote:
Are you sure they can? I remember reading somewhere that even that cant decrypt a md5 encrypted string.


Which is true. The whole point of MD5 and other cryptographic hash functions is that you (theoretically) can't decode them faster than by using "brute force".

It doesn't matter if you know the algorithm to calculate an MD5 hash - anyone who wants to know, can just look it up on the internet.

Hence, the inventor of MD5 (Ronald Rivest) doesn't know any more about the MD5 algorithm than the rest of the world - an implementation is generally about 200-300 lines of code, and such implementations are (obviously, since MD5 is an internet standard, and has been implemented in everything from C over PHP to Javascript) publicly available.

Let's have a little cryptography primer... Smile

MD5 has been shown to be flawed. SHA-1 too. Which doesn't mean, however, that MD5 or SHA-1 are useless. SHA-1 isn't useless at all. And MD5 is not useless for storing, say, passwords. MD5 is, however, beginning to be useless to use as verification of a file's authenticity etc.

There are really two "strength" measures for cryptographic hashes. Each of the following (next paragraphs) "requests" should be infeasible. "I1" and "I2" are inputs, and "H(I1)" and "H(I2)" are the hash value for those inputs. For the "time estimates" in the following, unless noted, we'll use a theoretical supercomputer consisting of 10,000 dedicated hash operation processors, where each could calculate a billion hash operations per second:

1.: "Find two values, I1 and I2, where H(I1) = H(I2). I don't care what I1 and I2 are, as long as they're different". For a 128 bit hash like MD5, that should ideally take about 2.1x10^19 attempts. Our theoretical supercomputer would find an answer in 24 days.

The flaw is, it doesn't. Such "collisions" have been shown to be findable for MD5 on a single standard-equipped computer in a matter of an hour. And due to the way hashes are calculated, once you find a collision, you can actually use those collisions for many different inputs.

For SHA-1, however, taking into account the flaw, our theoretical supercomputer would take about 1.5 - 2 years to find a collision. No idea how long it would take for an ordinary home computer Wink

2.: "Find a value I1, where H(I1) = 1127382173821231231...". This takes much longer than 2.1x10^19 brute force attempts. More specifically, for MD5 it would take about 2^(128-1) = 1.7x10^38 attempts - our supercomputer would find the answer in 5.4x10^17 years - the universe will be gone way before then, and we're talking about a supercomputer... And SHA-1 would take very much longer, even. There's no flaw found in MD5 or SHA-1 for this case. It's simply infeasible to try and find an input value for a given MD5 or SHA-1 output.

So, what this means is, for MD-5, you can find two random inputs, which give the same output, in about an hour (case 1). For various implementation reasons of hash functions, that's very insecure for questions of, say, digital signing. However, it has no impact in the case of, say, password storage, since you still can't take the MD5 of the password and calculate the password itself (or an alternative password giving the same MD5) (case 2).

There are other vulnerabilities to do with password encryption, which make things easier for a hacker, though. The best, and simplest, way to up security is by using (either or both) a fixed salt (like the name of your site) or a userdata salt (as in, combine, say, the username with the password, and then send them through MD5).

Without a salt, if a hacker somehow gets a dump of the MD5's you've stored for password validation, he can easily find passwords (by people who never heard of "secure passwords", but use things like "fred" or "password"), by letting a program go through a dictionary of MD5's for common passwords.

So, if the program found the value:

5f4dcc3b5aa765d61d8327deb882cf99

... it would know the password to be "password", since that's the MD5 for "password" in every single case.

With a salt, however, the MD5 which holds your user's password won't match that value. If you simply used the salt "www.mysite.com", the actual input value for MD5 being, say, "www.mysite.com,password", the value would be:

7725bc2b8ab3931e2c2172d44bee17c3

... which such a dictionary wouldn't list. If the hacker knew your salt, he could create a new dictionary based on it, and use that instead. If you used the username + the password and MD5'd that, even if the hacker knew, he'd have to create a new dictionary for each user, upping the time spent on hacking even more. If the hacker doesn't know the way you're salting, however, he'll be pretty much helpless. Wink

And while I was writing, daniel gave the short concise version Wink

[EDIT: seed -> salt]
[FuN]goku
woah..... now i really dont believe my friend made an md5 cracker.... but i did manage to find a site that cracks md5 in a few hours... i wont post the link.. but i took the md5 of something that i knew what it was and they got it right.. so...
Daniel15
Quote:
The best, and simplest, way to up security is by using (either or both) a fixed salt (like the name of your site) or a userdata salt (as in, combine, say, the username with the password, and then send them through MD5).


Yeah, using salt like the username is quite good (I know some people that salt it with the md5 of the username Smile).

Either that, or do a 'double MD5' (not sure of the real name of it). Basically:
Code:

$encrpyted = md5(md5($password));


That would be quite hard to crack Wink For example, if the password was 'password', the hash stored would be the MD5 has of 5f4dcc3b5aa765d61d8327deb882cf99 Razz
openaasman
i am also looking for same solution. if u get it just let me know
openaasman
can u name any other encription algorithm except md5
n0obie4life
Okay this is enough.

Discussions on hacking are not allowed in Frihost.

-close-
Related topics
Free Hosting-Availability
How To : Secure Your PHP Website
Base64 Encoding/Decoding
Sessions
MD5 Hashing
How to use MD5 in PHP !
md5 encryption not reliable.
Decryption of text excrypted using md5() and crypt() tags
problema - md5
md5() Password Protection
Are u up for the hack? - MD5 with salt
MD5 Hash
checking md5 hash
after burn cd should use verify md5 software tool.
This topic is locked: you cannot edit posts or make replies.    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.