Results 1 to 10 of 10
-
05-31-2005, 12:41 PM #1Web Hosting Master
- Join Date
- Jun 2004
- Location
- Bay Area -USA
- Posts
- 1,740
Ways to decrease change of MD5 collisions?
I have read through the other thread:
http://www.webhostingtalk.com/showth...hreadid=409586
I was wondering what methods there are to decrease the change of collision.
Perhaps something that could be done would be double md5ing it.
PHP Code:md5(md5("password"));
PHP Code:function multi_md5($md5_code, $password) {
//$md5code is a numerical value such as '4,2,1,5'
$encoded_val = $password; // sets
$num = explode(",", $md5_code);
$max = count($num);
for($i = 0; $i = $max; $i++){ // goes through the array of $md5_code (goes through 4 times then 2 then 1 then 5)
for($a = 0; $a = $num[$i]; $a++) {
$encoded_val = md5($encoded_val);
}
}
return $encoded_val;
}
Would this decrease the chance for collisions?
What do you think about it?<<< Please see Forum Guidelines for signature setup. >>>
-
05-31-2005, 01:13 PM #2Web Hosting Guru
- Join Date
- May 2004
- Location
- Singapore
- Posts
- 263
Applying the hash multiple times does not decrease the chance of collision.
After all, if 2 pre-images hash to the same hash, hashing that hash does not produce 2 different hashes.
The way to avoid dictionary attacks when using hashing algorithms to protect original passwords is to combine with some salt.
That still does not prevent a dictionary attack on the authentication mechanism - that just depends on how silly users are in choosing their passwords.#include<cstdio>
char*s="#include<cstdio>%cchar*s=%c%s%c;%cint main(){std::printf(s,10,34,s,34,10);}";
int main(){std::printf(s,10,34,s,34,10);}
-
05-31-2005, 02:28 PM #3WHT Addict
- Join Date
- Feb 2005
- Location
- Seattle, Washington
- Posts
- 147
using HMAC can help prevent collisions, as a secret key will be supplied to create the hash, but if the person attempting to create the collision knows the secret key, chances are still about the same. If you would like to do this in PHP, you could use PEAR's Crypt_HMAC, http://pear.php.net/package/Crypt_HMAC
Contrary to what some people here seem to think, the chances of a collision being found are slim to none. It is near impossible to find a collision, and millions upon millions of hashes will have to be made, and even then, one probably wont be found. There is really no need to worry.
-
05-31-2005, 06:53 PM #4Web Hosting Master
- Join Date
- Jun 2004
- Location
- Bay Area -USA
- Posts
- 1,740
Thanks for the helpful information.
<<< Please see Forum Guidelines for signature setup. >>>
-
05-31-2005, 07:53 PM #5WHT Addict
- Join Date
- Mar 2004
- Location
- california
- Posts
- 162
I really wouldn't worry about it, as there are other ways around the passwords if they get access to your code or database.
-
06-03-2005, 05:58 PM #6Web Hosting Master
- Join Date
- Dec 2002
- Posts
- 1,304
Another option is to use a longer hash, ie SHA-1.
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"
-
06-03-2005, 06:37 PM #7Junior Guru Wannabe
- Join Date
- Aug 2002
- Posts
- 62
with passwords, collisions are really only gonna occur if two people use the same passwords. this happens a fair amount though, so you should do something like using salt (as mentioned in the thread the original poster linked to). you can store the salt w/ the md5, so its not much extra work.
__________________
SkiingYAC Custom Solutions http://www.skiingyac.com
system administration, development, design, & hosting
-
06-03-2005, 10:37 PM #8Newbie
- Join Date
- Dec 2004
- Posts
- 7
You may need to add session ids to calculate HMAC in order to avoid one-click attacks.
-
06-05-2005, 11:50 PM #9Web Hosting Master
- Join Date
- Dec 2002
- Posts
- 1,304
with passwords, collisions are really only gonna occur if two people use the same passwords.
The whole point is that under a collision, two different strings will evaluate to the SAME checksum. Thus, you dont have to even know the original person's password, you only have to compute a string that has the same checksum. The danger is that there are a number of databases out there that you can search for collisions, and increasing computing power will make such attacks easier as the days go by.
Salts, HMAC, and stronger hashes are all ways to reduce (I didnt say avoid) the possibility of this happening."The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"
-
06-06-2005, 11:06 AM #10Web Hosting Master
- Join Date
- Feb 2002
- Location
- San Diego CA
- Posts
- 1,478
I was worried about the same thing a while ago.
After some research I found out that some guy actually did the computation of the probability of collision. I forgot the actual figure but it really convinced me to quit losing hair over it.What you can do with Cpanel ------------------> |||||
What you can do with Cpanel XP+CpanelAPP -------> ||||||||||||||||||||||||||||||||||||||||
Your competitors are cashing in with Cpanel XP & CpanelAPP, are you?