Friday, November 24, 2006, 12:36:35 PM, Bram wrote:
BK> A.J. Venter wrote:
>> That seemed to work fine - except it turns out that MD5 is even LESS
>> reliable
>> than I thought, at least on small data.
>> I had a bug report (and confirmed it) that you can log into anybody's
>> account
>> if you simply know how many characters his password has.
>>
>> Apparently '123456' generates exactly the same MD5SUM as 'beebob' (for any
>> particular set of values) !
BK> This is not the case for the MD5 algorithm as defined in RFC 1321.
BK> $ echo 123456|md5sum
BK> f447b20a7fcbf53a5d5be013ea0b15af *-
BK> $ echo beebob|md5sum
BK> bd9dc720ce0f1976d760a803c1d12370 *-
I've just tested FPC functions (in packages/base/hash/md5.pp).
Surprisingly (and providing ground for investigation!), it gives different
results:
program:
Writeln('MD5 (''123456''): ', MDPrint(MDString('123456', 5)));
Writeln('MD5 (''beebob''): ', MDPrint(MDString('beebob', 5)));
output:
MD5 ('123456'): e10adc3949ba59abbe56e057f20f883e
MD5 ('beebob'): 95ee914c147ed0d25a9064d0c3ce2019
Nevertheless, two given strings have different hash values, as they
should.
BK> Maybe you somehow only hash the string length? E.g. you do a
md5(password[1])?
Most probably, this or similar bug is the case. Even weak stuff like
CRC must give different results for different strings...
--
Best regards,
Sergei
_________________________________________________________________
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives
