[BNM] MD5 quicky

Dominic Mitchell dom at happygiraffe.net
Mon Jan 8 17:03:29 GMT 2007


On Mon, Jan 08, 2007 at 11:45:33AM +0000, Wayne Douglas wrote:
> Hey
> 
> Does anyone here have an understanding of MD5 who can spare a minute or two
> to explain to me what it's all about.

It's basically a checksum of some larger object.  The idea is you run a
magic function ("md5") over a large piece of data and get a smaller
number out.  The magic is that you never[1] get the same number for
different pieces of data.

> I have a security token I need to validate and its coming over as an MD5
> hash. I can see how to [they] create the hash, I just don't see what I'm
> meant to do to validate it. I'm using .NET but don't think that should
> matter as it's only the understanding of MD5 bit that's buggered me.

Usually, you're meant to run the MD5 function over the stored piece of
data you have (e.g. a password) and verify that it produces the same MD5
hash that you've been given.  Doing things this way means you can log
people in without sending the password in the clear over the network.

This situation isn't without its problems, though.  It's vulnerable to
a replay attack.  If you want more info about the kinds of problems,
look into "HTTP Digest Authentication"[2].

Generally, MD5 isn't as secure as it used to be, thanks to the march of
Moore's law and cryptographers who like to play.  Have a look at the
Wikipedia entry[3] for more details.

-Dom

[1]  Or near as dammit.

[2]  http://en.wikipedia.org/wiki/Digest_access_authentication

[3]  http://en.wikipedia.org/wiki/MD5
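
The validation described in the reply above, as an added example that is not part of the original post: recompute the MD5 over the stored secret and compare, then the same check bound to a one-time server nonce so that a captured hash cannot be replayed. The account name, secret, function names and the `user:nonce:secret` layout are assumptions made for illustration; real HTTP Digest hashes more fields, and MD5 is used only because it is the function under discussion.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the account name and secret are placeholders.
STORED_SECRETS = {"wayne": "correct horse battery staple"}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def same_hash(expected, received):
    # Constant-time comparison of two hex digests, case-insensitive.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


def validate_static(user, token):
    """Recompute MD5 over the stored secret and compare with the token."""
    secret = STORED_SECRETS.get(user)
    return secret is not None and same_hash(md5_hex(secret), token)


def client_response(user, nonce, secret):
    # What the client sends back: a hash bound to the server's nonce.
    return md5_hex(f"{user}:{nonce}:{secret}")


class ChallengeVerifier:
    """Server side of a one-time nonce challenge (simplified, hypothetical)."""

    def __init__(self):
        self._outstanding = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def validate(self, user, nonce, response):
        # A nonce is accepted once, so a captured response cannot be reused.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        secret = STORED_SECRETS.get(user)
        if secret is None:
            return False
        return same_hash(client_response(user, nonce, secret), response)
```

With `validate_static` the same token is accepted every time it is presented, which is the replay weakness; `ChallengeVerifier.validate` accepts a given response once and rejects it on the second attempt.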


