Re: reverse MD5 ???

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am not really interested in reversing MD5 and I sure as hell hope its not
easy to do for a LONG time to come as we use
it in some of our licensing, for software we sell.....BUT the below text was
some good reading none the less.
I'm gonna copy and save the below text for the next client who asks me "
since you are using it with my credit card,how safe is MD5 anyway?"
:-p

Thanks mate!

If i get time maybe even put it on the website we sell the software from
(Tom, write to me if you object to this as its your text) even if your
calculations are slightly off (dont know if they are..I have trouble
counting higher than a few million :-) ), you convinced me!

Cheers,
Ryan

> In the general case, no reasonable amount of processing time will
> reverse it since (AFAIK) you have to brute force test all possible
> values, though for very short text it can sometimes be done, and there
> are online databases out there.
>
> For the OP, this is part of what it means to use a hash or digest (MD =
> "message digest") as opposed to an encrypted value.  The conversion
> from the original text to the hash is one-way and as a general rule
> cannot be reversed except by trying every possibility for the original
> text, which becomes an astronomical task with even very small text
> lengths.  For example, for text using a-Z, A-Z, and 0-9, there are 218
> trillion possible 8-character values (62 ^ 8) and 839 quadrillion
> possible 10-character values.
>
> Imagine MD5 (this is a very crude analogy) as taking a letter, tearing
it up into tiny pieces, rearranging them according to some complex
predefined algorithm, then selecting a hundred or so pieces with
individual letters on them and putting those together as a code, and
burning the rest.  There is no way you can reproduce the letter from
the code, except in the limited case where the letter is very short and
your code actually incorporates all the pieces.

I believe the places where MD5 can be broken by brute force are where
common words or phrases are used -- then it is possible to create a
database of possibilities and their MD5 hashes and the database lookup
is then quite fast.  For example this allows people who have the MD5
hash of a password to break short, common words used as passwords very
easily.  But if the MD5 value is not there, you are still stuck.  For
the example above (10-character values using A-Z, a-z, and 0-9) if my
calculations are correct it would take about 32 million gigabytes to
store those 839 quadrillion values and their matching MD5 digests in a
database, not counting indexing (which adds to this) nor compression
and other optimization (which could reduce it).

I am not talking about general security here and saying it is OK to
expose the MD5 values, just looking at the difficulty of reversing
them.



-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.10.1 - Release Date: 4/20/2005

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux