The encryption thread

**yod** · 26th May 2008, 11:26

Originally Posted by imdying

The site will still have to decipher them to display them to the user, to replicate that functionality is pretty trivial

???

decipher md5??

good luck with that

**jrandom** · 27th May 2008, 08:22

Originally Posted by yod

decipher md5??

MD5's a hash function, not a block encryption algorithm.

Originally Posted by yod

good luck with that

MD5's been effectively broken for some time - it only takes a couple of minutes to generate a collision these days. It's no longer considered suitable for security-sensitive implementations.

**yod** · 27th May 2008, 08:49

Originally Posted by jrandom

MD5's a hash function, not a block encryption algorithm.

MD5's been effectively broken for some time - it only takes a couple of minutes to generate a collision these days. It's no longer considered suitable for security-sensitive implementations.

yeah....i know mate......but for the sake of discussion I didn't see the point in splitting hairs - for the lay man, md5 can be considered encryption - it is after all, altering the original data to disguise it's content which is the fundamental concept behind any encryption

and it is standard practice to include a salt when using md5 these days - "if passwords are combined with a salt before the MD5 digest is generated, rainbow tables become much less useful"

perhaps if we were talking about a WIS for a bank, a salt + md5 implementation would not be ideal but for this site I would suggest it's quite sufficient

**jrandom** · 27th May 2008, 10:03

Originally Posted by yod

standard practice to include a salt...

That prevents dictionary attacks to recover the original password (for whatever that'd be worth) but does nothing to reduce MD5's vulnerability to collisions. Salting is a valid technique to guard against exploitation of weak passwords when using an unbroken hash algorithm.

In other words, if you store passwords as MD5 hashes, salt or no salt, and I get hold of one of those hashes, I can quickly come up with another password that generates the same hash value, and then happily log on to the account in question.

Which obviates the purpose of storing passwords as hashes in the first place.

Anyway, I drew the block/hash distinction because folk were speaking of MD5 being used to encrypt messages, which wouldn't be possible. Hash functions are used to identify, not to encipher.

**yod** · 27th May 2008, 10:33

Originally Posted by jrandom

That prevents dictionary attacks to recover the original password (for whatever that'd be worth) but does nothing to reduce MD5's vulnerability to collisions. Salting is a valid technique to guard against exploitation of weak passwords when using an unbroken hash algorithm.

In other words, if you store passwords as MD5 hashes, salt or no salt, and I get hold of one of those hashes, I can quickly come up with another password that generates the same hash value, and then happily log on to the account in question.

Which obviates the purpose of storing passwords as hashes in the first place.

Anyway, I drew the block/hash distinction because folk were speaking of MD5 being used to encrypt messages, which wouldn't be possible. Hash functions are used to identify, not to encipher.

... snip pic out ...

actually i only mentioned md5 as an example - i never suggested it would be used for anything other than password hashing/encryption

it was then taken out of context and here we are

**jrandom** · 27th May 2008, 12:25

Originally Posted by yod

actually i only mentioned md5 as an example - i never suggested it would be used for anything other than password hashing/encryption

Perhaps not, but you did imply ignorance of the fact that it's crackable, so in best KB pedantrist tradition, I thought I'd barge in with a healthy serving of entirely unnecessary detail.

**Morcs** · 27th May 2008, 12:47

BLAH BLAH BLAH

are you guys talking about porn in a secret code or something?

**Disco Dan** · 27th May 2008, 12:51

Originally Posted by Morcs

BLAH BLAH BLAH

are you guys talking about porn in a secret code or something?

Porn? Nah, someone mentioned hash so I reckon it's drugs.

**Mikkel** · 27th May 2008, 12:53

How about quantum cryptography?

**Disco Dan** · 27th May 2008, 13:09

Originally Posted by Mikkel

How about quantum cryptography?

Or analysis on how such a small stool can support such a huge arse?

**Colapop** · 27th May 2008, 13:13

HggtuGY55.mk.kkhg*goto YHk58

**nodrog:Me** · 27th May 2008, 13:34

0110011101100101011001010110101101110011

**yod** · 27th May 2008, 13:37

Originally Posted by jrandom

I thought I'd barge in with a healthy serving of entirely unnecessary detail.

really? I hadn't noticed.....

**tri boy** · 27th May 2008, 13:40

Arrrgh,

Nerds, begone from this world

you have been good slaves to mankind, but time you all took a hike.
(actually, I'm just jealous that it's all above my feeble ability to understand)

**RantyDave** · 27th May 2008, 13:40

Originally Posted by yod

for the lay man, md5 can be considered encryption

A layman's concept of encryption includes being able to get the data back out again. Usually using a hot chick in a darkened room and a pile of numbers that whizz over until (one by one) they settle on the secret combination. You can't get the data back out of md5.

Dave

Thread: The encryption thread

Thread Tools

The encryption thread

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions