MD5 crack and passwords

To: debian-security@lists.debian.org
Subject: MD5 crack and passwords
From: Duncan Simpson <duncan@commercialuk.com>
Date: 24 Aug 2004 20:34:48 +0100
Message-id: <[🔎] 1093376088.622.495.camel@duncan>

It is not always enough or required to find something that has the right
hash value. With windows a modified client can authentication just by
knowing the hash value (and there is no salt). [Windows does not use
MD5, but that is beside the point.]

What I have implemented on the web requires knowledge of a RSA private
key, like NIS+. The normal way to get this is to compute MD5 of the
password and salt, and use this to decrypt the server's encrypted
version. Using an inverse MD5 genie to attack this scheme seems a little
silly. You do not need to be authenticating over an insecure network to
implement this but it helps :-)

It is perhaps worth noting that the two public byte sequences are *very*
similar, so it might be possible to do this trick within the limits of a
trojanised binary. Without more information nobody can say.

Reply to:

Prev by Date: Re: MD5 collisions found - alternative?
Next by Date: Re: MD5 collisions found - alternative?
Previous by thread: Abwesenheit
Next by thread: LVM2 - pvcreate error
Index(es):
- Date
- Thread