Code Breaking – Why the Web Should Worry that MD5 Is Broken
Just how safe do you feel right now? We put a lot of trust in the security of the web, and much of this security depends on encryption in general and MD5 in particular. Why? Well, if you run a blog, a shop or any kind of content management system, then the passwords are almost certainly stored in your SQL database in MD5 (Message-Digest algorithm 5) encrypted form. If you take payments online, the SSL socket connection would (until recently) have been encrypted with MD5. It is everywhere! When it was first thought up it was considered extremely secure, but this week I found several good reasons to think otherwise!
How Does Encryption Work?
The basic principle is simple. You take some data as input and perform a series of transformations on it to produce a hash. The important thing about the hash is that there is no way of working back to find out what the original input was.
Try It Yourself!
Let’s suppose your website admin password was ‘redqueen451’; the MD5 sum hash for this is ‘8aa8d1d84b9f7ab18c78b69dbf6103dc’. Each time you log in, the computer takes your input and applies the same transformation to see if it also ends up with ‘8aa8d1d84b9f7ab18c78b69dbf6103dc’. The safety of this mechanism relies on the fact that there is no easy way to work out what the original input of a hash was.
Therefore, two different inputs which happen to generate the same output (known as a ‘collision’) pose a mortal danger to any cipher.
Why MD5 Is In Danger And What This Means For The Web
Well, the trouble with being a popular algorithm is that everyone is obsessed with you! Hans Dobbertin identified collisions in 1995, which started to raise concerns. Plenty of people had a go. In 2005 Xiaoyun Wang was able to produce two full PostScript documents which generated the same hash. But I feel the death blow was dealt on the 30th of December 2008, when a group of researchers announced they had generated a VeriSign certificate authority certificate which appeared to be valid when checked with MD5. This allowed them to create as many SSL certificates as they liked, all of which would appear to be perfectly legitimate VeriSign-issued ones! VeriSign moved swiftly and began using AES (the Advanced Encryption Standard), which handles up to 256-bit encryption.
Not content that MD5 was already dead and buried, people began compiling MD5 rainbow tables: lookup tables that give you a possible input for a particular MD5 hash. In fact, some people have already wrapped this up in a neat MD5 hash reversal web service.
Needed: A Solution For The People
The days of MD5 are most definitely numbered. Being broken, and having so many hands cracking it, means that it can never again be used for SSL, nor within any kind of secret service institution, nor anywhere that 100% security is required. For you, me and our websites these weaknesses do not pose any immediate danger in most cases, but we cannot wait for the rainbow tables to be filled. Holes have already been picked in SHA-1 (a likely candidate billed to replace MD5), and there will come a time when at least one possible input will be known for every possible combination of digits in a hash sum! At the very least, this will open up entirely new ways for hackers to exploit security loopholes. We must not wait until that happens before finding a suitable replacement for the masses!
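The following is an added example, not code from the original post, that ties together three points made above: the login check against a stored MD5 sum (the ‘redqueen451’ walkthrough), why a precomputed lookup table reverses unsalted MD5 sums in bulk, and how a site can move to a replacement scheme without waiting. Everything in it is an assumption of the example rather than something the post specifies: the function names, the `md5$<hex>` and `pbkdf2_sha256$<iterations>$<salt>$<hash>` record formats, the PBKDF2-HMAC-SHA256 parameters (600,000 iterations, 16-byte salt) and the five-word `WORDLIST`, which is constructed here to stand in for the guess list behind a real table.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def md5_hex(text: str) -> str:
    """The transformation the post describes: input -> 32 hex digits."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def verify_legacy_md5(candidate: str, stored_hex: str) -> bool:
    """Login check against a database of bare MD5 sums, as in the post.
    Correct as far as it goes, but the same password always yields the
    same sum, so a leaked table can be matched against a precomputed one."""
    return hmac.compare_digest(md5_hex(candidate), stored_hex.lower())


# Constructed wordlist (example assumption): stands in for the guess list
# behind a lookup table.
WORDLIST = ["password", "letmein", "qwerty", "redqueen451", "hunter2"]


def build_md5_lookup(words: List[str]) -> Dict[str, str]:
    """Precomputed hash -> input table. Rainbow tables add chain compression
    to fit far more entries, but the effect is the same: any unsalted MD5
    sum of a listed word is reversed by a lookup, at every site using MD5."""
    return {md5_hex(w): w for w in words}


def reverse_md5(table: Dict[str, str], hex_digest: str) -> Optional[str]:
    return table.get(hex_digest.lower())


# Replacement scheme. Parameters are this example's assumptions, not the post's.
ITERATIONS = 600_000   # cost per guess; tune to your hardware
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow key derivation. The salt means one
    precomputed table cannot serve every user; the iteration count makes
    each guess expensive."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_record(candidate: str, record: str) -> bool:
    """Re-derive with the salt and cost stored in the record; compare in
    constant time so timing does not leak how many leading bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: Dict[str, str], username: str, candidate: str) -> bool:
    """Verify a user. On a correct password for a legacy 'md5$<hex>' row,
    rewrite the row in the new scheme, so the switch completes as people
    log in instead of waiting on a mass password reset."""
    record = users.get(username)
    if record is None:
        return False
    if record.startswith("md5$"):
        ok = verify_legacy_md5(candidate, record[4:])
        if ok:
            users[username] = make_record(candidate)
        return ok
    return check_record(candidate, record)


def legacy_rows(users: Dict[str, str]) -> List[str]:
    """Audit helper: accounts still stored as bare MD5."""
    return [u for u, r in users.items() if r.startswith("md5$")]


if __name__ == "__main__":
    # Constructed user table: the post's example password, hashed here.
    users = {"admin": "md5$" + md5_hex("redqueen451")}
    table = build_md5_lookup(WORDLIST)
    print("lookup reverses admin's hash:", reverse_md5(table, users["admin"][4:]))
    print("login:", login(users, "admin", "redqueen451"))
    print("still legacy:", legacy_rows(users))
    print("new record not in table:",
          reverse_md5(table, users["admin"].split("$")[-1]) is None)
```

Running the script shows the unsalted sum being reversed by a five-entry table, then the same account being rewritten in the salted scheme on its first successful login, after which the stored value no longer matches anything precomputed. The `legacy_rows` audit is the check a site owner would run periodically to see how much of the user table is still sitting in bare MD5.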