Sergei Gorelkin schrieb:
> Friday, November 24, 2006, 12:36:35 PM, Bram wrote:
>
> BK> A.J. Venter wrote:
>>> That seemed to work fine - except it turns out that MD5 is even LESS
>>> reliable
>>> than I thought, at least on small data.
>>> I had a bug report (and confirmed it) that you can log into anybody's
>>> account
>>> if you simply know how many characters his password has.
>>>
>>> Apparently '123456' generates exactly the same MD5SUM as 'beebob' (for any
>>> particular set of values) !
>
> BK> This is not the case for the MD5 algorithm as defined in RFC 1321.
>
> BK> $ echo 123456|md5sum
> BK> f447b20a7fcbf53a5d5be013ea0b15af *-
>
> BK> $ echo beebob|md5sum
> BK> bd9dc720ce0f1976d760a803c1d12370 *-
>
> I've just tested FPC functions (in packages/base/hash/md5.pp).
> Surprisingly (and providing ground for investigation!), it gives different
> results:
Well, md5sum even gives different results for the rfc 1321 test suite while
fpc's implementation gives the correct results.
>
> program:
> Writeln('MD5 (''123456''): ', MDPrint(MDString('123456', 5)));
> Writeln('MD5 (''beebob''): ', MDPrint(MDString('beebob', 5)));
>
> output:
> MD5 ('123456'): e10adc3949ba59abbe56e057f20f883e
> MD5 ('beebob'): 95ee914c147ed0d25a9064d0c3ce2019
>
> Nevertheless, two given strings have different hash values, as they
> should.
>
> BK> Maybe you somehow only hash the string length? E.g. you do a
> md5(password[1])?
>
> Most probably, this or similar bug is the case. Even weak stuff like
> CRC must give different results for different strings...
>
_________________________________________________________________
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives