  1. #1
    Join Date
    Jun 2004
    Location
    Bay Area -USA
    Posts
    1,740

    Ways to decrease chance of MD5 collisions?

    I have read through the other thread:
    http://www.webhostingtalk.com/showth...hreadid=409586

    I was wondering what methods there are to decrease the chance of collision.

    Perhaps something that could be done would be double md5ing it.

    PHP Code:
    md5(md5("password")); 
    Perhaps there is a function or something that would encrypt it such as
    PHP Code:
    function multi_md5($md5_code, $password) {
        // $md5_code is a comma-separated list of round counts such as '4,2,1,5'
        $encoded_val = $password; // sets the starting value to the plain password
        $num = explode(",", $md5_code);
        $max = count($num);
        for ($i = 0; $i < $max; $i++) { // goes through the array of $md5_code (goes through 4 times then 2 then 1 then 5)
            for ($a = 0; $a < $num[$i]; $a++) {
                $encoded_val = md5($encoded_val);
            }
        }
        return $encoded_val;
    }


    I just wrote that here without checking it for errors but it's just an idea.

    Would this decrease the chance for collisions?

    What do you think about it?

  2. #2
    Join Date
    May 2004
    Location
    Singapore
    Posts
    263
    Applying the hash multiple times does not decrease the chance of collision.
    After all, if 2 pre-images hash to the same hash, hashing that hash does not produce 2 different hashes.

    The way to avoid dictionary attacks when using hashing algorithms to protect original passwords is to combine with some salt.
    That still does not prevent a dictionary attack on the authentication mechanism - that just depends on how silly users are in choosing their passwords.
    #include<cstdio>
    char*s="#include<cstdio>%cchar*s=%c%s%c;%cint main(){std::printf(s,10,34,s,34,10);}";
    int main(){std::printf(s,10,34,s,34,10);}
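
Added example, not part of the original posts: the point made in post #2, shown with MD5 truncated to 16 bits so that a collision can be found by brute force in a moment. The helpers `tiny_hash`, `iterate` and `find_collision` are made up for this illustration; the same argument applies to full MD5.

```php
<?php
// Toy 16-bit hash: first 4 hex digits of MD5, truncated only so that two
// colliding inputs can be found quickly. Illustration, not a real scheme.
function tiny_hash(string $input): string {
    return substr(md5($input), 0, 4);
}

// Apply tiny_hash $rounds times, the way md5(md5(...)) or multi_md5() would.
function iterate(string $input, int $rounds): string {
    $value = $input;
    for ($i = 0; $i < $rounds; $i++) {
        $value = tiny_hash($value);
    }
    return $value;
}

// Find two different inputs that share the same single-round hash.
function find_collision(): array {
    $seen = [];
    for ($n = 0; ; $n++) {
        $candidate = 'password' . $n; // constructed sample inputs
        $digest = tiny_hash($candidate);
        if (isset($seen[$digest])) {
            return [$seen[$digest], $candidate];
        }
        $seen[$digest] = $candidate;
    }
}

[$a, $b] = find_collision();
printf("%s and %s both hash to %s\n", $a, $b, tiny_hash($a));

// Once round one agrees, every later round gets identical input, so more
// rounds never separate the pair. 12 rounds = the '4,2,1,5' code (4+2+1+5).
foreach ([1, 2, 12] as $rounds) {
    printf("%2d rounds: %s vs %s\n", $rounds, iterate($a, $rounds), iterate($b, $rounds));
}

// Extra rounds can only merge outputs: count distinct results over the
// same 5000 inputs after 1 round and after 12 rounds.
$after1 = $after12 = [];
for ($n = 0; $n < 5000; $n++) {
    $after1[iterate('password' . $n, 1)] = true;
    $after12[iterate('password' . $n, 12)] = true;
}
printf("distinct: %d after 1 round, %d after 12\n", count($after1), count($after12));
```

The count after 12 rounds is never higher than the count after 1 round, because each further round is a function of the previous round's output.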

  3. #3
    Join Date
    Feb 2005
    Location
    Seattle, Washington
    Posts
    147
    Using HMAC can help prevent collisions, as a secret key will be supplied to create the hash, but if the person attempting to create the collision knows the secret key, chances are still about the same. If you would like to do this in PHP, you could use PEAR's Crypt_HMAC, http://pear.php.net/package/Crypt_HMAC

    Contrary to what some people here seem to think, the chances of a collision being found are slim to none. It is near impossible to find a collision, and millions upon millions of hashes will have to be made, and even then, one probably won't be found. There is really no need to worry.
    Regards,
    Matthew Fonda
    PHP Developer

  4. #4
    Join Date
    Jun 2004
    Location
    Bay Area -USA
    Posts
    1,740
    Thanks for the helpful information.

  5. #5
    Join Date
    Mar 2004
    Location
    california
    Posts
    162
    I really wouldn't worry about it, as there are other ways around the passwords if they get access to your code or database.

  6. #6
    Another option is to use a longer hash, i.e. SHA-1.
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

  7. #7
    with passwords, collisions are really only gonna occur if two people use the same passwords. this happens a fair amount though, so you should do something like using salt (as mentioned in the thread the original poster linked to). you can store the salt w/ the md5, so it's not much extra work.
    __________________
    SkiingYAC Custom Solutions http://www.skiingyac.com
    system administration, development, design, & hosting
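
Added example, not part of the original posts: the salt idea from posts #2 and #7 and the HMAC idea from post #3, written with PHP's built-in `random_bytes()`, `hash_hmac()` and `hash_equals()` rather than PEAR's Crypt_HMAC. The function names, the `salt:hash` storage format, the sample password and the sample key are assumptions made for this illustration; the closing `password_hash()` lines are an addition that goes beyond what the thread discusses.

```php
<?php
// Salted storage as described in the thread: a random salt kept next to the hash.
function store_salted(string $password): string {
    $salt = bin2hex(random_bytes(16));
    return $salt . ':' . md5($salt . $password);
}

function check_salted(string $password, string $stored): bool {
    [$salt, $hash] = explode(':', $stored, 2);
    // hash_equals() compares in constant time.
    return hash_equals($hash, md5($salt . $password));
}

// Keyed variant: HMAC with a secret that lives outside the database.
function store_hmac(string $password, string $key): string {
    $salt = bin2hex(random_bytes(16));
    return $salt . ':' . hash_hmac('sha256', $salt . $password, $key);
}

function check_hmac(string $password, string $stored, string $key): bool {
    [$salt, $mac] = explode(':', $stored, 2);
    return hash_equals($mac, hash_hmac('sha256', $salt . $password, $key));
}

$password = 'letmein';                    // constructed sample password
$key = 'example-key-loaded-from-config';  // constructed sample key

// Unsalted: two users with the same password get the same stored value.
var_dump(md5($password) === md5($password));

// Salted: same password, different stored values, and both still verify.
$alice = store_salted($password);
$bob = store_salted($password);
var_dump($alice === $bob);
var_dump(check_salted($password, $alice), check_salted('guess', $bob));

// HMAC: verification needs the key as well as the stored row.
$row = store_hmac($password, $key);
var_dump(check_hmac($password, $row, $key));
var_dump(check_hmac($password, $row, 'wrong-key'));

// Current PHP bundles a per-password salt and a deliberately slow hash in one call.
$modern = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $modern));
```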

  8. #8
    You may need to add session ids to calculate HMAC in order to avoid one-click attacks.

  9. #9
    "with passwords, collisions are really only gonna occur if two people use the same passwords."
    You don't really understand the concept of collisions I think.

    The whole point is that under a collision, two different strings will evaluate to the SAME checksum. Thus, you don't have to even know the original person's password, you only have to compute a string that has the same checksum. The danger is that there are a number of databases out there that you can search for collisions, and increasing computing power will make such attacks easier as the days go by.

    Salts, HMAC, and stronger hashes are all ways to reduce (I didn't say avoid) the possibility of this happening.
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

  10. #10
    Join Date
    Feb 2002
    Location
    San Diego CA
    Posts
    1,478
    I was worried about the same thing a while ago.
    After some research I found out that some guy actually did the computation of the probability of collision. I forgot the actual figure but it really convinced me to quit losing hair over it.
    What you can do with Cpanel ------------------> |||||
    What you can do with Cpanel XP+CpanelAPP -------> ||||||||||||||||||||||||||||||||||||||||

    Your competitors are cashing in with Cpanel XP & CpanelAPP, are you?
