WebApp Sec: RE: MD5 math question

RE: MD5 math question

From: Navroz Shariff <nshariff_at_americanbible.org>
Date: Wed, 4 Jan 2006 11:32:08 -0500

Having taken Vector Calc, Numerical Analysis, Topology, etc... I will do
my best in digesting the MD5 collision analysis and regurgitating the
info to the community. No pun intended :-)

-Nav

-----Original Message-----
From: Vipul Kumra [mailto:vipul.kumra_at_airtightnetworks.net]
Sent: Wednesday, January 04, 2006 3:04 AM
To: 'Jeff Robertson'; webappsec_at_securityfocus.com
Subject: RE: MD5 math question

Hi Jeff,

Interesting Question...

I cannot give you the exact figures but can point you to some links,
which might help you to find it yourself. The documents referred are
mathematically too technical for me to understand. It would be great if
you can tell me the answer to the question you asked, once you get it.

The links are:

http://en.wikipedia.org/wiki/MD5

http://eprint.iacr.org/2004/199.pdf

Also, it's easier for you to find two messages with the same digest than
match a specific value, which you are trying to accomplish here, because
of Birthday Paradox (Birthday Attack).

Birthday Paradox:

- How many people in one room, for over 50% chance of one person
sharing your Birthday - 253.

- How many people in one room, for over 50% chance of two persons
sharing the same birthday - 23.

- Hence, it is easier to find two messages with the same digest
than match a specific value.

Regards,
Vipul Kumra

-----Original Message-----
From: Jeff Robertson [mailto:jeff.robertson_at_digitalinsight.com]
Sent: Wednesday, January 04, 2006 6:49 AM
To: webappsec_at_securityfocus.com
Subject: MD5 math question

Assume that a password between 1 and 24 ASCII characters was stored as
an MD5 hash. No salt. What is the probability that someone cracking the
password will find not the password that the user originally chose, but
a different password that happens to collide with it? Intuitively it
seems so unlikely that you wouldn't ever expect to see it. But what is
the probability really?

Received on Jan 04 2006
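
The arithmetic behind the thread, as an added example that is not part of any poster's message: it reproduces the 253 and 23 birthday figures and applies the same reasoning to a 128-bit digest for the unsalted 1 to 24 character password case. Assumptions: MD5 is modelled as an ideal random function (the structured collision attacks in the linked paper are not modelled), "ASCII" means the 95 printable characters, and all function names are illustrative.

```python
import math

MD5_BITS = 128  # digest size of MD5


def people_to_match_fixed_day(days=365, threshold=0.5):
    """Smallest n with P(one of n people shares ONE given birthday) > threshold."""
    n, p_none = 0, 1.0
    while 1 - p_none <= threshold:
        n += 1
        p_none *= (days - 1) / days
    return n


def people_for_any_shared_day(days=365, threshold=0.5):
    """Smallest n with P(ANY two of n people share a birthday) > threshold."""
    n, p_distinct = 0, 1.0
    while 1 - p_distinct <= threshold:
        p_distinct *= (days - n) / days
        n += 1
    return n


def candidates_in_space(min_len=1, max_len=24, alphabet=95):
    """Number of passwords of min_len..max_len characters (assumed alphabet size)."""
    return sum(alphabet ** k for k in range(min_len, max_len + 1))


def p_false_match(guesses, bits=MD5_BITS):
    """P(at least one of `guesses` wrong passwords hits one fixed digest)."""
    # -expm1(n * log1p(-p)) equals 1 - (1 - p)**n and stays accurate for tiny p
    return -math.expm1(guesses * math.log1p(-(2.0 ** -bits)))


def expected_other_preimages(bits=MD5_BITS):
    """Expected count of passwords in the whole space sharing one given digest."""
    return candidates_in_space() / 2.0 ** bits


def hashes_for_pair_collision(bits=MD5_BITS, threshold=0.5):
    """Approximate number of random digests before any two collide."""
    return math.sqrt(2 * math.log(1 / (1 - threshold)) * 2.0 ** bits)


if __name__ == "__main__":
    print("match one fixed birthday:", people_to_match_fixed_day())
    print("any shared birthday:     ", people_for_any_shared_day())
    print("P(false match, 1e12 guesses): %.3g" % p_false_match(10 ** 12))
    print("expected colliding passwords in full space: %.3g" % expected_other_preimages())
    print("digests for 50%% pair collision: %.3g" % hashes_for_pair_collision())
```

Under these assumptions the full 1 to 24 character space is larger than 2^128, so colliding passwords exist in bulk, yet a cracker who tests a trillion candidates has a chance on the order of 10^-27 of hitting one.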
