  1. #1
    SitePoint Member

    MD5 decryption?

    Hi

    I don't quite understand one-way md5 password decryption.
    What provides uniqueness of an md5 hash for a given database? Is a hashing algorithm(key) specific for a hosting server or for a database itself?
    After all, there must be somewhere a unique encryption/decryption key, isn't it? If so, where is it found, and how come a hacker who gains access to (say) hashed user passwords list, cannot access the key as well?

    Thanks

  2. #2
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    There is no decryption algorithm * for md-5, that's the whole point.
    When a user creates his password, you apply the md5 function to it. This will give you a unique string with respect to the subject (i.e., the password), in that every time you were to md5() that same password, you'd get the same md5 hash. The other way around, the result of that md5 may (and probably does) map back to several different input strings (which are most likely far away/very dissimilar from each other)

    Now, when the user comes back and enters his password to identify himself, you can't decrypt the md5 and see if it matches, BUT you can md5 the password he gave to identify himself, and see if it matches the md5 you have stored in the database. If they are the same, the password is correct (yeah okay, technically -technically- they could have entered another password which just happens to map to the same md5 hash, but this is extremely unlikely).

    * there are rainbow tables though, so you may want to look at sha-1. brownie points if you throw salts in the mix.
    brownies with salt. yuck.
    Rémon - Hosting Advisor


  3. #3
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Originally posted by ScallioXTX:
    brownie points if you throw salts in the mix.
    brownies with salt. yuck.


    Originally posted by kfir:
    I don't quite understand one-way md5 password decryption.
    What provides uniqueness of an md5 hash for a given database? Is a hashing algorithm(key) specific for a hosting server or for a database itself?
    After all, there must be somewhere a unique encryption/decryption key, isn't it? If so, where is it found, and how come a hacker who gains access to (say) hashed user passwords list, cannot access the key as well?

    Hashing is one-way encryption. Meaning--in theory--it cannot be decrypted. It should only be used for comparisons. For example, when a user saves their password, encrypt it with a hash, and save the hash. Then when the user sends the password to log in, encrypt it using the same hash and compare it to the hash saved in the database. If the user-submitted hash matches the hash in the database, then allow the user in.

    Different hashing algorithms offer different levels of encryption, meaning one type of hash can be more complicated than another and be harder to reverse engineer. MD5, unfortunately, has been around for so long and is less complicated than newer hash algorithms, that it can be cracked. So, web developers don't typically recommend using MD5 as a password hash algorithm. SHA-1 has a few vulnerabilities too, but is generally acceptable for most situations for now. The SHA-2 family is considered more secure (and is the one the US government uses).

    Here are the hashing algorithms that PHP supports: http://www.php.net/manual/en/function.hash.php

    I tend to use sha256. Also keep in mind that the more complicated a hash, the more processing time it will use up.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  4. #4
    ¬.¬ shoooo... silver trophy logic_earth's Avatar
    Maybe it would help if people stop calling MD5 and other hashing functions "encryption" for they are not "encryption". Hashing is a digest of last week's dinners now stored in a portable potty...pleasant image I know. But that is what a hashing function does, turns data into a series of seemingly random bytes. However, the same data returns the same random bytes.


    https://en.wikipedia.org/wiki/Crypto..._hash_function
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  5. #5
    SitePoint Member
    Thanks for all the answers and links. I have understood now what this is about.
    In fact, I realized where my problem in understanding it was. I assumed that for a known mathematical algorithm for making a result (digest), a reverse algorithm can be created which gives back an original message.
    I mistakenly thought that if y=f(x) (where y is a digest, and x an original message) and the function f is known (and the md5 function is certainly known), I can get x from f and y.
    Now I realize it's not the case, but could someone give a simplified example of such a function?

    Thanks again

    btw salting method looks like a pretty good extra security, even for md5, isn't it?
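
A simplified function of the kind asked about in post #5, as an added example that is not part of the thread: a toy digest (the hypothetical `toy_digest()`, byte sum modulo 256) whose algorithm is fully known, yet whose output matches many inputs, so there is no single x to compute back from y. It illustrates only that loss of information; the toy is not MD5 and the inputs are constructed.

```php
<?php
// Added example: a toy digest, not MD5 and not usable for real passwords.
// toy_digest() and preimages() are hypothetical names.

// Sum of byte values modulo 256. The algorithm is public, but the output
// keeps only one byte of information about the input.
function toy_digest(string $message): int {
    $sum = 0;
    for ($i = 0; $i < strlen($message); $i++) {
        $sum += ord($message[$i]);
    }
    return $sum % 256;
}

// Every lowercase string of length $len whose digest equals $y.
// There is no formula for this: the only way is to try candidates.
function preimages(int $y, int $len, string $prefix = ''): array {
    if ($len === 0) {
        return toy_digest($prefix) === $y ? [$prefix] : [];
    }
    $found = [];
    foreach (range('a', 'z') as $ch) {
        foreach (preimages($y, $len - 1, $prefix . $ch) as $hit) {
            $found[] = $hit;
        }
    }
    return $found;
}

$y = toy_digest('cat');          // the "stored" digest
$matches = preimages($y, 3);     // all 3-letter inputs that produce it

printf("digest of 'cat' = %d\n", $y);
printf("3-letter inputs with that digest: %d\n", count($matches));
printf("first few: %s\n", implode(', ', array_slice($matches, 0, 5)));
printf("'cat' is one of them: %s\n", in_array('cat', $matches, true) ? 'yes' : 'no');

// MD5 has the same shape: input of any length, always 128 bits out
// (32 hex characters), so distinct inputs must share outputs.
printf("md5 length for 1 byte: %d, for 1000 bytes: %d\n",
    strlen(md5('a')), strlen(md5(str_repeat('a', 1000))));
```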

  6. #6
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Originally posted by kfir:
    btw salting method looks like a pretty good extra security, even for md5, isn't it?
    It helps with any hashing algorithm, but the original text can still be recovered in many cases.

    When it comes to security, why would you use a technology with a known flaw which can easily compromise security?
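
The store-and-compare login flow from posts #2 and #3 with the salting discussed in posts #5 and #6, as an added example that is not code from the thread. It assumes PHP 7.1 or later and swaps in PHP's built-in `password_hash()`/`password_verify()` (a salted, deliberately slow scheme) in place of the sha256 mentioned above; `legacy_hash()` and `verify_and_upgrade()` are hypothetical names and the passwords are constructed.

```php
<?php
// Added example; function names are hypothetical, sample data is constructed.

// Legacy scheme from the thread: unsalted md5().
function legacy_hash(string $password): string {
    return md5($password);
}

// Check a login attempt against the stored value and, on success,
// replace a legacy MD5 record with a salted hash.
// Returns [bool $ok, string $hashToStore].
function verify_and_upgrade(string $input, string $stored): array {
    // An unsalted MD5 record is exactly 32 lowercase hex characters.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    if ($isLegacy) {
        // Nothing is decrypted: hash the submitted password and compare
        // the two hashes in constant time.
        $ok = hash_equals($stored, legacy_hash($input));
    } else {
        // password_verify() reads the salt and cost from the stored string.
        $ok = password_verify($input, $stored);
    }
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // password_hash() generates a fresh random salt on every call.
        $stored = password_hash($input, PASSWORD_DEFAULT);
    }
    return [$ok, $stored];
}

// Two users who chose the same password (constructed records).
$alice = legacy_hash('correct horse');
$bob   = legacy_hash('correct horse');
// Unsalted: the stored values are equal, so one precomputed table entry
// covers both accounts.
var_dump($alice === $bob);

// Salted: the same password yields two different stored strings.
$alice2 = password_hash('correct horse', PASSWORD_DEFAULT);
$bob2   = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump($alice2 === $bob2);

// A successful login against the legacy record upgrades it in place.
[$ok, $upgraded] = verify_and_upgrade('correct horse', $alice);
var_dump($ok, $upgraded !== $alice, password_verify('correct horse', $upgraded));

// A wrong password fails against the upgraded record.
[$bad] = verify_and_upgrade('wrong guess', $upgraded);
var_dump($bad);
```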

