
MD5 Hashing 3

webmigit

Programmer
Aug 3, 2001
2,027
US
I need to hash a password before it is transmitted over the internet.. I understand that hashing is irreversible.. And I don't want it to be reversed..

As I understand it, MD5 hashing is a standard.. IE if you MD5 hash a string in visual basic, you get the same result as if you did it in ASP or PHP or Cold Fusion and that's exactly what I want.. My passwords are hashed by a scripting language and I want to keep it that way but I want to write a companion program to my site.

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
Hashing isn't reversible in the sense of being able to reliably extract the original submitted string. I believe, however, that from a given hash one can construct a sequence of bytes which, when passed through the hashing algorithm, yield that same hash. If the input is limited to certain ranges of ASCII characters the job does become more difficult.

Anyway, did you have a question? :)
 
Yes, basically, am I right about being a cross platform standard? And where can I get VB 5 code for hashing..

A lot of posts on here say hashing isn't for encryption but I thought hashing for encryption was a standard practice because it isn't decryptable.. the only way to verify a match is to hash a "challenge" value.. you know like hash a password when it's created and then match the hash when the user tries to login?

I've heard it referred to as a Challenge Hash.

 
Hashing is not encryption because one cannot decrypt it to a unique result (the original input). That is, don't confuse undecryptable (hashing) with difficult to decrypt (strong encryption)--encryption transforms information, which can be transformed in reverse. Hashing throws away information, which can never be recovered.

It doesn't matter what program is doing the calculation, if you use a certain hashing algorithm then you're using it.

Someone else who knows more will have to tell you about some VB for hashing... have you searched the web?

What I said about crafting an input string that will hash to a desired value could be a difficult task. I would need to play with MD5 hashing to know for sure... hehe.
 
oh, theoretically, you can't..

And even in lesser theory, you'd need a few CRAYs on your side for a few decades to successfully deHash a hashed string.. which basically goes something like this..

Does string 1 hash to x value?
Does string 2 hash to x value?
... years later ...
Does string 48987216492 hash to x value?

etc..

And that's strong enough encryption for me :)

And even better for the defense of hashing is that theoretically two strings can't hash to the same value but in document hashing, if it took years to dehash.. you'd never actually know if your match was the original hash.. or a fluke.

So like you said, hashing loses irreplaceable data which makes it ideal for security.

 
If you know the string's approximate length and it is short, the task is smaller. Maybe not small enough, though.

I would say that of course two strings can hash to the same value. If the hash is shorter than the input strings it is required. However, any two strings which did hash to the same value would be entirely different, which is the whole point of hashing.

To describe it, hashing is remapping a multidimensional set of points onto a smaller set where the members of the first set that end up sharing a value in the smaller set are originally very far from each other. That sentence sounds like nonsense, doesn't it? I wish you could see the picture in my mind, because then it would be perfectly clear!!!
 
A quick search on this forum for MD5 will yield several code examples. Amongst them is strongm's code in thread222-535644 where he uses MD5 hashing as part of a full encrypt/decrypt process

________________________________________________________________
If you want to get the best response to a question, please check out FAQ222-2244 first

'If we're supposed to work in Hex, why have we only got A fingers?'
 
There are a few cases.. like this one...

Code:
Public Function vbEncrypt(strText As String, strPassword As String) As Byte([b])[/b]

and the run trips on the bold ) with the message "Expected: End of statement."

I'd seen that thread and I'd seen many threads referencing it so I'm not sure what I AM doing wrong but it is not working..

But thanks for the input. I'm glad to see confidence in strongm's post.. I've gotten help from strongm in the past and always got helpful answers.

 
webmigit, it sounds like you're using VB5... I think that returning arrays from functions is a VB6 thingybob.
 
You're right.. I removed the as byte thing and got some functionality.. ok here's the thing.. But there's some stuff about displayable characters and bleah..

I write in cold fusion and I've got a member system in cold fusion and I need to hit a member specific page every fifteen minutes or so, so the user has to be logged in.. I encrypted my passwords using hash so I need to hash them for this program..

Yes, I know that I can send them to the server and hash there but that is really really really not preferable as what that can do to security.

Also I'd want to store the username and password in the registry so when the user starts the program the data is prefilled.

 
>But there's some stuff about displayable characters and bleah

As I said in that thread, it was a resubmission from an earlier (deleted) thread, and therefore did not include all the descriptive text.

The stuff about 'displayable characters' is simply to do with the fact that the encrypted results a) use the entire value range of a byte, many of which are not displayable characters; and b) obviously cannot therefore be unicode...

However, this is actually irrelevant, as the only bit you want from that is the MD5 hash. I'll do the extraction for you, and also provide an alternative technique:
Code:
Option Explicit
' =====================================================================================
' All declares necessary for MS implementation of RSA MD5<function> in cryptdll library
' Requires XP/2000/2003
Private Type MD5_CTX
  i(1 To 2) As Long
  buf(1 To 4) As Long
  inp(1 To 64) As Byte
  digest(1 To 16) As Byte
End Type

Private Declare Sub MD5Init Lib "cryptdll" (Context As MD5_CTX)
Private Declare Sub MD5Update Lib "cryptdll" (Context As MD5_CTX, ByVal strInput As String, ByVal lLen As Long)
Private Declare Sub MD5Final Lib "cryptdll" (Context As MD5_CTX)
' =====================================================================================

' =====================================================================================
' All declares necessary for CryptoAPI version of MD5 example
Private Const MS_DEFAULT_PROVIDER  As String = "Microsoft Base Cryptographic Provider v1.0"
Private Const PROV_RSA_FULL As Long = 1
Private Const CALG_MD5 As Long = &H8003&
Private Const CRYPT_VERIFYCONTEXT = &HF0000000
Private Const HP_HASHVAL As Long = 2
Private Declare Function CryptAcquireContext Lib "advapi32.dll" Alias "CryptAcquireContextA" (ByRef phProv As Long, ByVal pszContainer As String, ByVal pszProvider As String, ByVal dwProvType As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptReleaseContext Lib "advapi32.dll" (ByVal hProv As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptCreateHash Lib "advapi32.dll" (ByVal hProv As Long, ByVal Algid As Long, ByVal hKey As Long, ByVal dwFlags As Long, ByRef phHash As Long) As Long
Private Declare Function CryptHashData Lib "advapi32.dll" (ByVal hHash As Long, ByVal pbData As String, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptGetHashParam Lib "advapi32.dll" (ByVal hHash As Long, ByVal dwParam As Long, ByVal pbData As String, pdwDataLen As Long, ByVal dwFlags As Long) As Long
' =====================================================================================

Private Sub Command1_Click()
    Debug.Print HashVersion1("secret")
    Debug.Print HashVersion2("secret")
End Sub

' RSA MD5 Variant
Private Function HashVersion1(ByVal strPassword As String) As String
    Dim myContext As MD5_CTX
    
    MD5Init myContext
    MD5Update myContext, strPassword, Len(strPassword)
    MD5Final myContext
    
    HashVersion1 = StrConv(myContext.digest, vbUnicode)
End Function


' CryptoAPI variant
' Lifted from my encryption/decryption code in thread
Private Function HashVersion2(ByVal strPassword As String) As String
    Dim hProv As Long
    Dim strprovider As String
    Dim hHash As Long
    Dim strHash As String
        
    ' Grab an RSA-based cryptoapi context using Microsoft's base provider
    strprovider = MS_DEFAULT_PROVIDER & vbNullChar
    Call CryptAcquireContext(hProv, vbNullString, strprovider, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) ' final param could be  0&
    
    ' Generate a hash of the password
    Call CryptCreateHash(hProv, CALG_MD5, 0, 0, hHash)
    Call CryptHashData(hHash, strPassword, Len(strPassword), 0)

    strHash = Space(16) ' We're shortcutting, since we know we are using MD5 we know we are getting 16 bytes back
    Call CryptGetHashParam(hHash, HP_HASHVAL, strHash, 16, 0)
    HashVersion2 = strHash
    CryptReleaseContext hProv, 0&
End Function
And finally:
>I would say that of course two strings can hash to the same value

The authors and scrutineers of the MD5 algorithm would argue that the possibility of finding two strings that hash to the same value is vanishingly remote...
 
Thanks much!

That hashes.. it's not giving me the result I want.. I was hoping it would hash to the same result as cold fusion's #hash()#.. But at least now I'm much closer.

 
There was distributed.net, which broke a single RC5-64 hash (took 1757 days with thousands of computers working on it). More recently, there's which now qualifies as a supercomputer (exceeds 412 gflops last I heard), and has a $10,000 bounty paid to the person/team who discovers a series of bytes which will match their hash.

webmigit -
There is also SHA-1 (Secure Hash Algorithm 1), which does the same thing as MD5 (generate a hash value from a data source with a minimal chance of collisions). Of course, it's a different algorithm entirely, so you'd need to coordinate your efforts with the other end of your communications channel (IOW, you need to use the same algorithm as they are).

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
It is probably worth pointing out that the CryptoAPI supports a number of different hashing algorithms. If we just stick with the base Microsoft provider service we can use:

MD2
MD4
MD5
SHA/SHA1
 
Out of curiosity and interest I've been working up the MD5 algorithm in VB, based on RFC 1321 The MD5 Message-Digest Algorithm.

It's taking some time to digest (har). Anyway, I have a question about the main computation:

Code:
a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s)

What happens when the added values exceed the storage capacity of a 32-bit unsigned long? Do the extra bits get lopped, in essence performing a modulo 2^32? I am not familiar enough with C to find it quickly in the example code.

I could probably eventually figure it out but I'm taking a break for tonight and I thought someone else might like to look at the RFC in the meantime.

-E²
 

Check out PSC, there is a very close C to VB example (the C you have and is not in the project but it is laid out very similar).

Good Luck

 
Here's the problem I'm having..

I can hash any string I want on authorize.net and hash the same string and get the same hash result.. So I'm thinking I should be able to get the same value from Visual Basic 5, using CALG_MD5.. And though I've tried and tried, the string I always get back has a wild array of characters whereas authorize.net, my site, and a js implementation that I occasionally check things with return me exactly what I want.. They all hash to the same value. And the value includes only letters and numbers.

Is this aimless wandering or is there a solution? Should I be able to hash in both medium to the same value..?

 

So what you are saying is that on your web site you can give it two different strings and both strings (that are different) return the same value? Well that's wrong. Search this site... ahhh see strongm's code above. Then again if what you are saying that what you get back from your web site is different than strongm's code above then ... are you sure that you are working with the same hash algorithm?

Good Luck

 
Cold Fusion works with MD5 Hash.. it clearly states that in the documentation as does authorize.net..

What I'm saying.. let's say I have the value tek..

"tek" --> site hash via Cf = hashed string
"tek" --> authorize.net hash = same hashed string
"tek" --> js implementation = same hashed string
"any_other_letters_or_case" --> any method = different hashed string
"tek" --> visual basic CALG_MD5 --> different from site, authorize.net or js implementation..

tek is just a sample.. I can't get vb to match hashes of any string.

 
webmigit said:
...a wild array of characters

...only letters and numbers.

webmigit,

Is it possible the VB stuff is returning a string and the others are returning hexadecimal?
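
Added example, not part of the original thread: an MD5 digest is 16 raw bytes, and the 32-character value that contains only letters and numbers is the hexadecimal encoding of those same bytes. The Python sketch below (helper names are illustrative) normalises both representations before comparing, and also shows that the digest depends on the byte encoding of the input string, which goes slightly beyond the case discussed above.

```python
import hashlib
import hmac


def md5_raw(text: str, encoding: str = "latin-1") -> bytes:
    """16 raw digest bytes. MD5 hashes bytes, so the text encoding is part of the input."""
    return hashlib.md5(text.encode(encoding)).digest()


def to_hex(raw: bytes, upper: bool = False) -> str:
    """Hex form of a raw digest: 32 characters drawn from 0-9 and a-f (or A-F)."""
    hexed = raw.hex()
    return hexed.upper() if upper else hexed


def to_raw(digest) -> bytes:
    """Normalise a digest given as 16 raw bytes or as 32 hex characters (any case)."""
    if isinstance(digest, str):
        digest = bytes.fromhex(digest)  # raises ValueError on non-hex input
    if len(digest) != 16:
        raise ValueError("an MD5 digest is 16 bytes (32 hex characters)")
    return bytes(digest)


def same_digest(a, b) -> bool:
    """Compare two digests regardless of representation, in constant time."""
    return hmac.compare_digest(to_raw(a), to_raw(b))


if __name__ == "__main__":
    raw = md5_raw("tek")  # constructed sample input, taken from the thread's example
    print("raw bytes shown as text:", repr(raw.decode("latin-1")))
    print("hex, lower case:        ", to_hex(raw))
    print("hex, upper case:        ", to_hex(raw, upper=True))
    print("raw equals upper hex:   ", same_digest(raw, to_hex(raw, upper=True)))
    # Same characters, different bytes: a 2-byte-per-character encoding changes the digest.
    print("utf-16-le gives same?:  ", same_digest(raw, md5_raw("tek", "utf-16-le")))
```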
 