وداع با MD5 این عنوان مقاله ایی که چندی پیش تو یکی از سایتها دیدم
به خوندنش میارزه
One way Hash Functions
The following definitions are taken from the Bruce Schneier's Book: Applied Cryptography Second Edition:
A one-way hash function, H(M), operates on an arbitrary-length pre-image message, M. It returns a fixed-length hash value, h.
h = H(M), where h is of length m
Many functions can take an arbitrary-length input and return an output of fixed length, but one-way hash functions have additional characteristics that make them one-way [1065]:
Given M, it is easy to compute h.
Given h, it is hard to compute M such that H(M)= h.
Given M, it is hard to find another message, M’, such that H(M) = H(M’).
....
In some applications, one-wayness is insufficient; we need an additional requirement called collision-resistance.
It is hard to find two random messages, M and M’, such that H(M) = H(M’).
The definition mentioned before, lead to the development of secure password storage.
The use of one way hashing function is the following algorithm:
For Password Storage, request input plain_password from user , then apply a oneway hash function H on plain_password and store it. In code stored_password = H(plain_password)
For password checking, request probe_password from user, apply H on it, and compare with stored_ password, i.e.: check ::= H(probe_password) == stored_password.
This schema it's good as long H is a good and strong hashing function.
Today, MD5 is under heavy attack, the reason is that is used on the GNU implementation of the POSIX function Crypt. In fact, in the site
http://passcracking.com/ you can find a lot of collisions for this function.
Cracking MD5
The typicall way of collition search, is to use a brute-force algorithm: given a hash value h, for a plain message m, written in an alphabet A, then h = MD5(m), so in brute force collition search, we try every posible combination in alphabet A we find a m' message such as MD5(m') = h. m' can be or not equal to m.
The Rainbow Crack uses precalculated tables for intermediates steps on the process, this can accellerate the cracking process. For example, a password of up tu 14 characters, of the this charset: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw xyz0123456789!@#$%^&*()-_+=" can be cracked on few minutes.
Some people suggest to use more complicated applications of MD5, for example, use stored_password = crypt(plain_password + salt). Where key, its a fixed one or the user id, or some other fixed value. This schema is not stronger, can be show, several flaws to this approach,
Other alternatives are:
The first one relays on a key, that can be stollen. Combining algorithms is better, but probably only results on more CPU usage that real protection.
Alternatives functions
Use other functions can be a solution, but what criteria use to choose a good one?
The answer is simple, use hash functions with a bigger domain of results. For example, MD5 generates a 128 bits value, so the space of posible resulting values is 2128 in size. By simple logic, if your hash function has an output domain of a size bigger than that, then its a good alternative.
All the followings functions has stronger implementations than MD5
WHIRPOOL, generates a 512 bits output,
RIPEMD, uses 160, 128 or 320 bits output, and S
HA-2, generates 256, 512 bits ouputs.
SHA-2 is available on crypto api, and the Microsof.Net, so I suggest you to use it.
پاسخ با نقل قول
