Are you using "key" in the sense that the key is a string concatenated with the user's password before the hash?

That would make sense, because during authentication, the server has the password, generates the random "key" string, and sends the string to the client. The client concatenates the password and the "key" string, hashes it and sends it to the server.

Thus, the server can determine that the user/client knows the password, though the password itself is never sent.

This might be part of the confusion: "key" here is not used in the sense of a key to encrypt/decrypt a message, or a key in a PKI system.

Chris Norloff

---------- Original Message ----------------------------------
from: "Howie Hamlin" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
date: Tue, 19 Feb 2002 12:53:04 -0500

>You can't recover the text from an MD5 hash. The idea of the hash is that the hash is created based on a known key (a password, for
>example) and that you can duplicate the results of the hash if you know the original text and the key. MD5 is commonly used in SMTP
>authentication where the user knows his password and the server knows the password. The server presents a challenge string (the
>string changes each time) that the client uses to produce an MD5 string (using the password as the key). The client then sends the
>MD5 result to the server and the server compares it to its own result. Thus, you verify the password without actually transmitting
>it.
>
>Regards,
>
>Howie
>
>----- Original Message -----
>From: "Cameron Childress" <[EMAIL PROTECTED]>
>To: "CF-Talk" <[EMAIL PROTECTED]>
>Sent: Tuesday, February 19, 2002 11:36 AM
>Subject: RE: only one MD5 hash?
>
>
>> Brute forcing this 100,000 character string would take a very very very long
>> time.
>
><snip>
>
>> -Cameron
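Added example, not part of the original messages: a Python sketch of the challenge-response exchange discussed in this thread, showing both the plain MD5(password + challenge) form and the keyed HMAC-MD5 form (the construction CRAM-MD5 uses). The function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def new_challenge() -> bytes:
    """Server side: a fresh random string for every authentication attempt."""
    return secrets.token_hex(16).encode()

def concat_response(password: bytes, challenge: bytes) -> str:
    """The form described in the thread: MD5 over password + challenge."""
    return hashlib.md5(password + challenge).hexdigest()

def hmac_response(password: bytes, challenge: bytes) -> str:
    """Keyed form: HMAC-MD5 with the password as the key."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()

def server_verify(stored_password: bytes, challenge: bytes,
                  response: str, respond=hmac_response) -> bool:
    """Server recomputes the digest from its own copy of the password."""
    expected = respond(stored_password, challenge)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"correct horse"        # constructed sample secret, known to both sides
    c1 = new_challenge()
    r1 = hmac_response(password, c1)   # client's answer; the password is never sent
    c2 = new_challenge()               # the next login gets a different challenge
    return {
        "valid_login": server_verify(password, c1, r1),
        "wrong_password": server_verify(password, c1, hmac_response(b"guess", c1)),
        # A response recorded from an earlier login does not verify against
        # a new challenge, which is why the string changes each time.
        "replayed_response": server_verify(password, c2, r1),
        "concat_form": server_verify(password, c1,
                                     concat_response(password, c1), concat_response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both sides must hold the same password value for this to work, so the server stores it in a recoverable form; the exchange protects the password in transit, not at rest.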

