kfir — 2011-11-06T12:47:13-05:00 — #1
I don't quite understand one-way md5 password decryption.
What provides uniqueness of an md5 hash for a given database? Is a hashing algoritm(key) specific for a hosting server or for a database itself?
After all, there must be somewhere a unique encryption/decryption key, isn't it? If so, where is it found, and how come a hacker who gains access to (say) hashed user passwords list, cannot access the key as well?
scallioxtx — 2011-11-06T16:13:01-05:00 — #2
There is no decryption algorithm * for md-5, that's the whole point.
When a user creates his password, you apply the md5 function to it. This will give you a unique string with respect to the subject (i.e., the password), in that every time you were to md5() that same password, you'd get the same md5 hash. The other way around, the result of that md5 may (and probably does) map back to several different input strings (which are most likely far away/very dissimilar from each other)
Now, when the user comes back and enters his password to indentify himself, you can'd decrypt the md5 and see if it matches, BUT you can md5 the password he gave to identify himself, and see if it matches the md5 you have stored in the database. If they are the same, the password is correct (yeah okay, technically -technically- they could have entered another password which just happens to map to the same md5 hash, but this is extremely unlikely).
- there are rainbow tables though, so you may want to look at sha-1. brownie points if you throw salts in the mix.
brownies with salt. yuck.
force — 2011-11-06T17:59:42-05:00 — #3
Hashing is one-way encryption. Meaning--in theory--it cannot be decrypted. It should only be used for comparisons. For example, when a user saves their password, encrypt it with a hash, and save the hash. Then when the user sends the password to log in, encrypt it using the same hash and compare it to the hash saved in the database. If the user-submitted hash matches the hash in the database, then allow the user in.
Different hashing algorithms offer different levels of encryption, meaning one type of hash can be more complicated than another and be harder to reverse engineer. MD5, unfortunately, has been around for so long and is less complicated than newer hash algorithms, that it can be cracked. So, web developers don't typically recommend using MD5 as a password hash algorithm. SHA-1 has a few vulnerabilities too, but is generally acceptable for most situations for now. The SHA-2 family is considered more secure (and is the one the US government uses).
Here are the hashing algorithms that PHP supports: http://www.php.net/manual/en/function.hash.php
I tend to use sha256. Also keep in mind that the more complicated a hash, the more processing time it will use up.
logic_earth — 2011-11-07T00:53:21-05:00 — #4
Maybe it would help if people stop calling MD5 and other hashing functions "encryption" for they are not "encryption". Hashing is a digest of last weeks dinners now stored in a portable potty...pleasant image I know. But that is what a hashing function does, turns data into series of seemingly random bytes. However, the same data returns the same random bytes.
kfir — 2011-11-07T13:24:26-05:00 — #5
Thanks for all the answers and links. I have understood now what's this about.
In fact, i realized where was my problem in understanding it. I assumed that for a known mathematical algorithm for making a result (digest), a reverse algorithm can be created which gives back an original message.
I mistakenly thought if y=f(x) /where y is a digest, and x an original message/ if the function f is known (and md5 function is certainly known), i can get x from f and y.
Now i realize it's not the case, but could someone give a simplified example of such a function.
btw salting method looks like a pretty good extra security, even for md5, isn't it?
force — 2011-11-07T13:55:44-05:00 — #6
It helps with any hashing algorithm, but the original text can still be recovered in many cases.
When it comes to security, why would you use a technology with a known flaw which can easily compromise security?