08-30-2018 11:30 PM
I know this is an old thread but I just wanted to alert anyone reading this that MD5 can be reversed these days, so please do not use it intending it to be hack-proof!
I'm not going to explain why here because I'm not experienced enough to do that but please do your research in this area!
08-31-2018 03:02 AM
Any reference to prove that?
I doubt that it's true. And here's why.
An MD5 hash is only 32 bytes long. The input can be arbitrarily long. So if an MD5 hash were reversible, that would be a very convenient compression algorithm! Compress data, no matter how long, to a 32-byte string! And then compress an arbitrary number of hashes to 32 bytes! All the data of the world in 32 bytes!
Of course, given an MD5 hash used to validate a password, for instance, it is possible to calculate a valid password that results in the same MD5 hash. Not necessarily the same password.
That's why it's a good idea to 'salt' the password before MD5-ing it. Even if the user can calculate a password that results in the MD5 hash, entering it won't work, because the salt is added, and a different MD5 hash will be the result.
08-31-2018 06:59 AM
Unfortunately you are not quite right. MD5 is considered easily breakable nowadays, even if you don't have a nation-state unlimited budget available to buy the most state-of-the-art hypercomputers. It contains a flaw in the hashcode algorithm that was discovered in 1996 and does reduce the full length of the hashcode to some extent in terms of cracking it. And there have been proofs of code collisions with moderately long passphrase inputs. https://nl.wikipedia.org/wiki/MD5
The problem is that while it is indeed almost impossible to retrieve the original passphrase if it was chosen long enough, it is also not necessary in most protection schemes. Because of inevitable hashcode collisions, due to the fact that you try to map an unlimited number of passphrases onto a limited number (2^128) of hashcodes, there are always an infinite number of possible passphrases that will match a particular hashcode. Any passphrase producing the desired hashcode will usually work. Using a salt you can make this more complicated, but it won't really put a high enough barrier in the way of cracking MD5-based protection schemes anymore.
The way MD5 hashcodes are cracked is usually by the use of so-called rainbow tables. With these, the cracking of a hashcode is almost reduced to a dictionary attack, which even modest systems can perform easily nowadays. Also, SHA-1 is equally discouraged for use nowadays, and in the interest of being future-proof it is recommended to use at least SHA-256.
So yes, MD5 is definitely unsafe for providing real security. That doesn't mean that it is unusable though. It all depends on what you want to secure and what effort you expect an attacker to spend to thwart your system. An MD5 hash in a text file to guarantee that it wasn't inadvertently altered in transit is still a good protection. It won't protect from an intentional attempt to falsify the text by someone who knows that there needs to be a new MD5 hash generated to make it look correct, though.
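The three points argued across this thread (a precomputed table cracks unsalted MD5 password hashes in one lookup, a salt only forces the attacker to rehash the wordlist per user, and an MD5 checksum catches accidental corruption but not a deliberate edit with a recomputed hash) can be seen side by side in a short script. This is an added example, not code from any poster; the wordlist, user records and fixed salts are constructed for the demonstration, and PBKDF2-HMAC-SHA256 is shown as the kind of slow, salted password hash that should replace MD5 for this purpose.

```python
import hashlib
import hmac

# Constructed sample wordlist (a stand-in for the large wordlists real crackers use).
WORDLIST = ["123456", "password", "letmein", "hunter2", "correcthorse"]

# Constructed user records; alice and bob chose the same password.
USERS = {"alice": "password", "bob": "password", "carol": "hunter2"}

# Fixed salts so the example is deterministic; real code draws them from os.urandom(16).
SALTS = {"alice": b"\x01" * 8, "bob": b"\x02" * 8, "carol": b"\x03" * 8}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def unsalted_store() -> dict:
    """What a database of plain MD5(password) looks like."""
    return {user: md5_hex(pw.encode()) for user, pw in USERS.items()}


def build_lookup_table(words) -> dict:
    """hash -> word. A real rainbow table trades storage for time, but the effect on
    unsalted hashes is the same: one precomputation cracks every user at once."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(table: dict, store: dict) -> dict:
    """Pure lookup, no hashing at attack time."""
    return {user: table.get(h) for user, h in store.items()}


def salted_md5(password: str, salt: bytes) -> str:
    return md5_hex(salt + password.encode())


def salted_store() -> dict:
    return {user: (SALTS[user], salted_md5(pw, SALTS[user])) for user, pw in USERS.items()}


def crack_salted(words, store: dict) -> dict:
    """The shared table is now useless (alice and bob no longer match), but MD5 is so
    fast that rehashing the whole wordlist once per user is still trivial."""
    found = {}
    for user, (salt, h) in store.items():
        found[user] = next((w for w in words if salted_md5(w, salt) == h), None)
    return found


def kdf_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user salt plus a deliberately slow iterated hash (PBKDF2-HMAC-SHA256 from
    the standard library): the per-user rehash that was free with MD5 now costs
    100k SHA-256 calls per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def kdf_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(kdf_hash(password, salt), stored)


def md5_integrity_ok(data: bytes, expected_hex: str) -> bool:
    """The 'MD5 hash in a text file' use: detects accidental corruption only, because
    anyone who can edit the file can also recompute the hash."""
    return hmac.compare_digest(md5_hex(data), expected_hex)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(build_lookup_table(WORDLIST), unsalted_store()))
    print("salted:  ", crack_salted(WORDLIST, salted_store()))
```

Run it and both cracking functions recover every password; the salt only removes the giveaway that alice and bob share one. Swapping `salted_md5` for `kdf_hash` is what actually raises the attacker's cost.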
08-31-2018 08:13 AM
That is exactly what I said... Where was I not quite right?
You can't reproduce a 5MB document from a 32 byte hash.
You can produce (not reproduce), for instance, a password that creates the same hash. Google works for the most used hashes, btw.
08-31-2018 08:27 AM
Well, it might come down to semantics. But it is absolutely true that MD5 is not recommended by anyone for use in any security-critical applications nowadays, and there are many public references to that which are easily found.
I see that you probably mostly targeted the word "reversible" in the poster's message, about which you are of course right. It's not truly reversible, and brute-force attacks are still hard to do with normal hardware. But it is absolutely crackable with modest resources.
I was also assuming that the poster meant to say that MD5 is not a good protection mechanism anymore nowadays, but probably chose the wrong words to express that. As he admits himself, he isn't really an expert in encryption and computer security (me neither btw, but the topic interests me).
08-31-2018 08:43 AM
OK, full agreement I think. Reversible was indeed what triggered me, and is a poor choice of words for the point he didn't quite make.
Is MD5 still acceptable as a digital signature? Changing a signed document and then adding modifications until the hash matches seems a lot more difficult.