Re: [PHP] reverse MD5 ???
William Stokes wrote:
> Hello,
>
> I have a system that uses certain id info. This info is stored in a session cookie in MD5 format. At certain parts of the code I need to update or insert to MySQL DB with that id info value in cleartext. Is this possible?
>
> If so, how to put this to a sql query?
>
> $sqlquery = "insert into x_table (team_id,number) values ('$team_id','$number')";
>
> $team_id is the MD5 formatted cookie value and I need to put it to the x_table column team_id in cleartext.
>
> Thanks a lot
> -Will

MD5 values are hashes, not encryptions. There's nothing to decrypt. It's good for storing the results of some value and then when the person sends the MD5 back at a later point you can make sure it still matches the desired value by re-hashing the original value again.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] reverse MD5 ???
On 21 Apr 2005 M Saleh EG wrote:
> It's simple. If your system supports it performance wise. Grab the id and compare it against the md5 version of the id saved in the cookie.

Actually I think the discussion was about reversing the MD5 to get back the original message -- not about cookies or IDs. What you are discussing is a different issue.

--
Tom
[PHP] reverse MD5 ???
Hello,

I have a system that uses certain id info. This info is stored in a session cookie in MD5 format. At certain parts of the code I need to update or insert to MySQL DB with that id info value in cleartext. Is this possible?

If so, how to put this to a sql query?

$sqlquery = "insert into x_table (team_id,number) values ('$team_id','$number')";

$team_id is the MD5 formatted cookie value and I need to put it to the x_table column team_id in cleartext.

Thanks a lot
-Will
Re: [PHP] reverse MD5 ???
William Stokes wrote:
> Hello,
>
> I have a system that uses certain id info. This info is stored in a session cookie in MD5 format. At certain parts of the code I need to update or insert to MySQL DB with that id info value in cleartext. Is this possible?
>
> If so, how to put this to a sql query?
>
> $sqlquery = "insert into x_table (team_id,number) values ('$team_id','$number')";
>
> $team_id is the MD5 formatted cookie value and I need to put it to the x_table column team_id in cleartext.
>
> Thanks a lot
> -Will

MD5 = no reverse that's why it's secure... sorry...

FENDT Charles
Re: [PHP] reverse MD5 ???
Hello William,

Thursday, April 21, 2005, 2:28:01 PM, you wrote:

WS> $team_id is the MD5 formatted cookie value and I need to put it to the
WS> x_table column team_id in cleartext.

You need to re-think how those cookie values are stored then. You cannot un-MD5 something at all, it's a one-way hashing algorithm.

Best regards,

Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
I do not fear computers. I fear the lack of them. - Isaac Asimov
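
One way to do the re-think suggested above, as an added example that is not from any poster in this thread: the cookie carries the cleartext id together with an HMAC-SHA256 tag, so the server reads the id directly and still detects tampering. SECRET_KEY and the function names are hypothetical; the table and column names are the ones from the original question.

```php
<?php
// Added example. SECRET_KEY, make_team_cookie(), read_team_cookie() and
// insert_row() are hypothetical names; the key below is a constructed
// placeholder and would be loaded from configuration.
const SECRET_KEY = 'constructed-demo-key';

// Cookie value: "<id>.<hex HMAC of id>". The id stays readable.
function make_team_cookie(int $teamId): string
{
    $tag = hash_hmac('sha256', (string) $teamId, SECRET_KEY);
    return $teamId . '.' . $tag;
}

// Returns the team id, or null if the cookie is malformed or was altered.
function read_team_cookie(string $cookie): ?int
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || preg_match('/\A[0-9]{1,9}\z/', $parts[0]) !== 1) {
        return null;
    }
    [$id, $tag] = $parts;
    $expected = hash_hmac('sha256', $id, SECRET_KEY);
    // hash_equals() compares the two tags in constant time.
    return hash_equals($expected, $tag) ? (int) $id : null;
}

// The verified id is passed to the query as a bound parameter rather than
// being interpolated into the SQL string.
function insert_row(PDO $pdo, int $teamId, int $number): void
{
    $stmt = $pdo->prepare('INSERT INTO x_table (team_id, number) VALUES (?, ?)');
    $stmt->execute([$teamId, $number]);
}

// Constructed sample values.
$cookie = make_team_cookie(42);
var_dump(read_team_cookie($cookie));         // untouched cookie

$altered = '43.' . explode('.', $cookie)[1]; // id changed, old tag reused
var_dump(read_team_cookie($altered));

var_dump(read_team_cookie(md5('42')));       // a bare MD5 value is rejected
```
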
Re: [PHP] reverse MD5 ???
On 21 Apr 2005 Jason Barnett wrote:
> Any information that you wouldn't want in the script in plain text, you probably don't want in the database in clear text. Moreover MD5 is a one way hash and although it is broken, you probably don't want to spend the processing time needed to reverse it.

In the general case, no reasonable amount of processing time will reverse it since (AFAIK) you have to brute force test all possible values, though for very short text it can sometimes be done, and there are online databases out there.

For the OP, this is part of what it means to use a hash or digest (MD = message digest) as opposed to an encrypted value. The conversion from the original text to the hash is one-way and as a general rule cannot be reversed except by trying every possibility for the original text, which becomes an astronomical task with even very small text lengths. For example, for text using a-z, A-Z, and 0-9, there are 218 trillion possible 8-character values (62 ^ 8) and 839 quadrillion possible 10-character values.

Imagine MD5 (this is a very crude analogy) as taking a letter, tearing it up into tiny pieces, rearranging them according to some complex predefined algorithm, then selecting a hundred or so pieces with individual letters on them and putting those together as a code, and burning the rest. There is no way you can reproduce the letter from the code, except in the limited case where the letter is very short and your code actually incorporates all the pieces.

I believe the places where MD5 can be broken by brute force are where common words or phrases are used -- then it is possible to create a database of possibilities and their MD5 hashes and the database lookup is then quite fast. For example this allows people who have the MD5 hash of a password to break short, common words used as passwords very easily. But if the MD5 value is not there, you are still stuck.

For the example above (10-character values using A-Z, a-z, and 0-9) if my calculations are correct it would take about 32 million gigabytes to store those 839 quadrillion values and their matching MD5 digests in a database, not counting indexing (which adds to this) nor compression and other optimization (which could reduce it).

I am not talking about general security here and saying it is OK to expose the MD5 values, just looking at the difficulty of reversing them.

--
Tom
Re: [PHP] reverse MD5 ???
It's simple. If your system supports it performance wise. Grab the id and compare it against the md5 version of the id saved in the cookie.

    if ($_COOKIE['id'] == md5($id)) {
        //.. then allow or let the user to do something
    }

That's if you have the id already known. Otherwise if you dunno the id you gotta grab all the ids and md5 them and then compare them against the one stored in the cookie; which I don't recommend and is really a stupid thing to do.

HTH

On 4/21/05, [EMAIL PROTECTED] wrote:
> On 21 Apr 2005 Jason Barnett wrote:
> > Any information that you wouldn't want in the script in plain text, you probably don't want in the database in clear text. Moreover MD5 is a one way hash and although it is broken, you probably don't want to spend the processing time needed to reverse it.
>
> In the general case, no reasonable amount of processing time will reverse it since (AFAIK) you have to brute force test all possible values, though for very short text it can sometimes be done, and there are online databases out there.
>
> For the OP, this is part of what it means to use a hash or digest (MD = message digest) as opposed to an encrypted value. The conversion from the original text to the hash is one-way and as a general rule cannot be reversed except by trying every possibility for the original text, which becomes an astronomical task with even very small text lengths. For example, for text using a-z, A-Z, and 0-9, there are 218 trillion possible 8-character values (62 ^ 8) and 839 quadrillion possible 10-character values.
>
> Imagine MD5 (this is a very crude analogy) as taking a letter, tearing it up into tiny pieces, rearranging them according to some complex predefined algorithm, then selecting a hundred or so pieces with individual letters on them and putting those together as a code, and burning the rest. There is no way you can reproduce the letter from the code, except in the limited case where the letter is very short and your code actually incorporates all the pieces.
>
> I believe the places where MD5 can be broken by brute force are where common words or phrases are used -- then it is possible to create a database of possibilities and their MD5 hashes and the database lookup is then quite fast. For example this allows people who have the MD5 hash of a password to break short, common words used as passwords very easily. But if the MD5 value is not there, you are still stuck.
>
> For the example above (10-character values using A-Z, a-z, and 0-9) if my calculations are correct it would take about 32 million gigabytes to store those 839 quadrillion values and their matching MD5 digests in a database, not counting indexing (which adds to this) nor compression and other optimization (which could reduce it).
>
> I am not talking about general security here and saying it is OK to expose the MD5 values, just looking at the difficulty of reversing them.
>
> --
> Tom

--
M.Saleh.E.G
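
The two cases described in the message above (id known, id not known), together with Tom's point that a digest is only recovered when its input is among the candidates tried, as an added example that is not code from any poster in this thread. Function names and sample ids are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample ids
// are constructed for illustration.

// Case 1: the id is already known. Re-hash it and compare with the cookie.
// hash_equals() compares as strings in constant time; a loose == would
// treat two digests of the form 0e<digits> as equal numbers.
function cookie_matches_id(string $cookieValue, string $id): bool
{
    return hash_equals(md5($id), strtolower($cookieValue));
}

// Case 2: the id is not known. Hash every candidate and return the one
// whose MD5 equals the cookie value, or null when none matches.
function find_id_for_hash(string $cookieValue, iterable $candidateIds): ?string
{
    foreach ($candidateIds as $id) {
        if (cookie_matches_id($cookieValue, (string) $id)) {
            return (string) $id;
        }
    }
    return null;
}

// Constructed sample data: 500 sequential team ids, as they might come
// from the application's own table of teams.
$teamIds = range(1, 500);
$cookie  = md5('137');

var_dump(cookie_matches_id($cookie, '137'));
var_dump(cookie_matches_id($cookie, '138'));

// A small id space is covered by a single pass over the candidates.
var_dump(find_id_for_hash($cookie, $teamIds));

// A value outside the candidate list (constructed 10-character string)
// is not found, whatever the size of the list.
var_dump(find_id_for_hash(md5('k3Yq9ZpL0a'), $teamIds));
```

Because a short sequential id falls inside any reasonable candidate list, its MD5 in a cookie conceals nothing from a party who can guess the id range.
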
Re: [PHP] reverse MD5 ???
I am not really interested in reversing MD5 and I sure as hell hope it's not easy to do for a LONG time to come as we use it in some of our licensing, for software we sell. BUT the below text was some good reading nonetheless. I'm gonna copy and save the below text for the next client who asks me "since you are using it with my credit card, how safe is MD5 anyway?" :-p

Thanks mate! If I get time maybe even put it on the website we sell the software from (Tom, write to me if you object to this as it's your text) even if your calculations are slightly off (don't know if they are... I have trouble counting higher than a few million :-) ), you convinced me!

Cheers,
Ryan

> In the general case, no reasonable amount of processing time will reverse it since (AFAIK) you have to brute force test all possible values, though for very short text it can sometimes be done, and there are online databases out there.
>
> For the OP, this is part of what it means to use a hash or digest (MD = message digest) as opposed to an encrypted value. The conversion from the original text to the hash is one-way and as a general rule cannot be reversed except by trying every possibility for the original text, which becomes an astronomical task with even very small text lengths. For example, for text using a-z, A-Z, and 0-9, there are 218 trillion possible 8-character values (62 ^ 8) and 839 quadrillion possible 10-character values.
>
> Imagine MD5 (this is a very crude analogy) as taking a letter, tearing it up into tiny pieces, rearranging them according to some complex predefined algorithm, then selecting a hundred or so pieces with individual letters on them and putting those together as a code, and burning the rest. There is no way you can reproduce the letter from the code, except in the limited case where the letter is very short and your code actually incorporates all the pieces.
>
> I believe the places where MD5 can be broken by brute force are where common words or phrases are used -- then it is possible to create a database of possibilities and their MD5 hashes and the database lookup is then quite fast. For example this allows people who have the MD5 hash of a password to break short, common words used as passwords very easily. But if the MD5 value is not there, you are still stuck.
>
> For the example above (10-character values using A-Z, a-z, and 0-9) if my calculations are correct it would take about 32 million gigabytes to store those 839 quadrillion values and their matching MD5 digests in a database, not counting indexing (which adds to this) nor compression and other optimization (which could reduce it).
>
> I am not talking about general security here and saying it is OK to expose the MD5 values, just looking at the difficulty of reversing them.