{"id":3543,"date":"2020-04-17T21:28:00","date_gmt":"2020-04-17T19:28:00","guid":{"rendered":"https:\/\/webdev.atsec.us\/?p=3543"},"modified":"2024-08-19T20:53:31","modified_gmt":"2024-08-19T18:53:31","slug":"rise-fall-of-md5","status":"publish","type":"post","link":"https:\/\/webdev.atsec.us\/rise-fall-of-md5\/","title":{"rendered":"Rise & Fall of MD5"},"content":{"rendered":"\n
by Richard Fant<\/font>
The Rise<\/strong>
MD5 (message digest version 5) was developed in 1991 and is still very popular today, with a wide range of commercial and government applications. MD5 is used to generate hash values of passwords stored on a system as opposed to storing the passwords in plain text. This password protection method was used by many popular commercial websites such as LinkedIn, eHarmony, and LastFM. In addition, many government agencies originally adopted MD5 for official use.
How it Works<\/strong>
If you take a large set of numbers and apply mathematical operations on it to reduce the large set to a much smaller value, those operations are collectively called a hashing function. Particularly, in Computer Sciences, a hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.
A typical use of hashing functions is to verify the integrity of files after a file transfer. For example, a person wishing to transfer a document called File A over the internet would first hash the contents of File A into a value representing File A. At the destination, the newly arrived file, call it File A\u2019, is similarly hashed into a value representing File A\u2019. The two hash values are compared. If both values are the same, then File A\u2019 is the same as File A which means the transfer was successful and no damage occurred.
As with all hashing functions, MD5 is designed to be a one-way function: it should be extremely difficult to reverse engineer the output to determine the input. One of the most common ways to attack a one-way function, is to run a brute-force search for all possible inputs to see if they generate something which matches the same specific output. This is known as finding a hash collision. The security strenght of a hash function is measured by how difficult it is to find a hash collision.
How is it Used<\/strong>
MD5 is frequently used as hashing function for passwords. For example, a user\u2019s LinkedIn password such as \u201cMyPasswordIsGood!\u201d could be put into a hash function which would generate a 128-bit hash value starting with something like \u201c7A07C\u201d (the actual hash value would be longer, but shortened here for convenience). This hashed password could be stored on the LinkedIn website. Whenever the user logged into the website with their plain text password, it would be hashed and then compared with what was already stored there. If they matched, the user was authorized access. This process of hashing the password means that simply stealing hashed passwords from the website is insufficient to gain access. This also means that the user\u2019s plain text password is never stored on the website itself which increases overall security. However, there is a weakness in the process, the previously mentioned hash collision.<\/p>\n\n\n\n