One last item for discussion. Consider the following code example. It creates a totally random, one hundred thousand character string. It then runs this through CF's MD5 hash engine. The resulting hash is 32 characters long. The resulting hash is always 32 characters long, no matter how much text you pass in. That's a hash - a one way mathematical algorithm that produces a pretty darn unique output. If it were simply reversible, we would also have the worlds best compression tool on our hands.
<CFSET x = '' > <CFLOOP INDEX="i" FROM="1" TO="100000"> <CFSET x = x & Chr(RandRange(33,122)) > </CFLOOP> <CFOUTPUT>hash: #hash(x)#<HR>text: #x#</CFOUTPUT> Brute forcing this 100,000 character string would take a very very very long time. It's likely though, that there is a shorter string which will produce the same results, so you might not actually have to discover the 100,000 character string in order to decrypt it. I am no cryptologist, but this may be what the RSA quoted below refers to as a "collision". How likely are collisions? Assuming that MD5 uses a 36 character set (it appears to) for it's output, and it's 32 characters long, that would be a maximum of 36^32 (6.3340286662973277706162286946812e+49 per my windows calc) possible hash values you'd have to run through before your brute force attack would work. This also assumes of course that you didn't run into a few billion other collisions first. More about the definition of "hash": http://www.rsasecurity.com/rsalabs/faq/2-1-6.html -Cameron -------------------- Cameron Childress elliptIQ Inc. p.770.460.1035.232 f.770.460.0963 -- http://www.neighborware.com America's Leading Community Network Software > -----Original Message----- > From: Cameron Childress [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, February 19, 2002 11:04 AM > To: CF-Talk > Subject: RE: only one MD5 hash? > > > > Really, MD5 is Encryption and the hash I take it means that it generates > > a random key or something else. If you want some more information on the > > tools that can do it then visit www.astalavista.box.sk > > There are some great articles on MD5 Decryption in there. > > Every tool I found on that site does a brute force attack, not decryption. > As far as I have ever heard from any reliable source, MD5 is one way, no > "key", and brute force attacks are the best know offense. > > Read this: > http://www.rsasecurity.com/rsalabs/faq/3-6-6.html > > "MD5 was developed by Rivest in 1991. It is basically MD4 with > ``safety-belts'' and while it is slightly slower than MD4, it is more > secure. The algorithm consists of four distinct rounds, which has > a slightly > different design from that of MD4. Message-digest size, as well as padding > requirements, remain the same. Den Boer and Bosselaers [DB94] have found > pseudo-collisions for MD5 (see Question 2.1.6). More recent work by > Dobbertin has extended the techniques used so effectively in the > analysis of > MD4 to find collisions for the compression function of MD5 [DB96b]. While > stopping short of providing collisions for the hash function in > its entirety > this is clearly a significant step. For a comparison of these different > techniques and their impact the reader is referred to [Rob96]. > > Van Oorschot and Wiener [VW94] have considered a brute-force search for > collisions (see Question 2.1.6) in hash functions, and they estimate a > collision search machine designed specifically for MD5 (costing > $10 million > in 1994) could find a collision for MD5 in 24 days on average. The general > techniques can be applied to other hash functions. " > > -Cameron > > -------------------- > Cameron Childress > elliptIQ Inc. > p.770.460.1035.232 > f.770.460.0963 > -- > http://www.neighborware.com > America's Leading Community Network Software > ______________________________________________________________________ Dedicated Windows 2000 Server PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER Instant Activation · $99/Month · Free Setup http://www.pennyhost.com/redirect.cfm?adcode=coldfusiona FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
