February, 2010 - String Function Blog

MD5 is one of a number of solutions to providing security to static data elements. It is simply defined as a fixed-length 128-bit hexadecimal string derived as a function of the hash-generating program that is a representation of a plain-text string. Any computer language with string function manipulation can be used as an MD5 encoder or MD5 converter, albeit some are more efficient than others in the implementation. It is most often seen as a callable MD5 function.

Both hexadecimal and Base64 functions are used routinely to encode and decode – often called MD5 encryption and MD5 decryption – the content of the Message Digest (MD). MD5 was the fifth iteration of the concept, hence the suffix number. It replaced MD4 which was shown to have some functional vulnerabilities and MD5 algorithm was subsequently replaced with the SHA-series of hashing algorithms for similar reasons. Try our sha1 converter.

Decoding an MD5 hash without knowing the original value of the encoded string is not totally accurate, there are some values that may have a higher degree of certainty because they may form recognizable elements, such as existing words, using a dictionary approach to look-up the hash and compare with known-existing values. Some MD5 reverse look-up databases contain millions of hashes and their corresponding decoded values. This is generally considered the easiest method as it can be executed in mere fractions of a second. A second method uses a more brute-force approach by using tables – commonly known as “rainbow tables” – to analyze the encoded MD5 elements. Neither approach has 100% certainty of successful decoding, however, the possibility that it might has caused MD5 to be identified as technically insecure by National Security Agency (NSA) standards.

The MD5 reverse lookup database I use is located here: http://md5-decrypter.com/

The primary uses of the MD5 hash are for data integrity checks and generating MD5 checksums to ensure that data, such as a program or passwords, have the same content as the original. MD5 secure applications were stress-tested and found to have flaws known as “collisions,” where identical hash contents can be generated which do not have the original content. Several methodologies were employed in the attempt to salvage security, including the introduction of a “seed” – known as an MD5 salt – or multiple-pass encryption. Neither method provides sufficient protection from the feasibility of discovery.

To calculate an MD5 hash is a relatively simple process. There are a number of algorithms for various computer languages and scripts available online, either as source or an online MD5 hash calculator. Tools exist to calculate feasible content from an MD5 string or to generate an MD5 hash from a plain-text string. Most use the correct padding characters appended to a string, however, there are some scripts that may require some tweaking to be fully-compliant with accepted standards.

One of the more elegant examples of well-documented code in javascript: JavaScript implementation of the RSA Data Security

This is an example of an MD5 construct:
Plain-text data: This is a test
MD5 encrypted representation: ce114e4501d2f4e2dcea3e17b546f339
Try encoding this with our online md5 encoder

Unless this specific MD5 representation exists in an MD5 database, it is nearly impossible to derive with certainty the original plain-text data. For example, one of the most popular and insecure passwords is “secret”. The MD5 representation of “secret” is:

5ebe2294ecd0e0f08eab7690d2a6ee69

Using a commonly available MD5 reverse look-up database, it is easy to find this particular password. This is one of the more compelling reasons to have strong passwords with mixed case and embedded numeric or symbols unlikely to be guessed by a casual search.

MD5 is still in use today by many commercial businesses, however, it is with the full knowledge that it is not completely secure and there are better alternatives available. MD5 has been deprecated for US Government use and replaced by the NSA-approved SHA2 algorithms for protection of sensitive unclassified information – for example, documents with Social Security Numbers present. However, even SHA2 can be cracked and the next iteration SHA3 is currently under development.