Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Journal of nicholas (3034)

Monday August 18, 2008
06:11 AM

Dear lazyweb...

[ #37222 ]

Dear lazyweb...

There is some code we have. It implements part of its security by calculating a digest that is not entirely unlike MD5. Well, to be exact, it's specified as taking the Digest::MD5 source code

static void
MD5Init(MD5_CTX *ctx)
  /* Start state */
  ctx->A = 0x67452301;
  ctx->B = 0xefcdab89;
  ctx->C = 0x98badcfe;
  ctx->D = 0x10325476;

  /* message length */
  ctx->bytes_low = ctx->bytes_high = 0;

and replacing those 4 values with 4 others.

Now, I don't like repeating myself (in code at least. Real life is another matter) and I was trying to find a way to avoid having a complete patched fork of the Digest::MD5 source. That's a static C function, so I can't replace it in a subclass. I've skimmed the source, and I can't see any way to directly knobble A, B, C and D. Am I right in thinking that changing the start state in this fashion before digesting a string $glurpp is exactly equivalent to computing the (true) MD5 of a string "$prefix$glurpp", where $prefix is some fixed prefix string that I don't know yet? If yes, is there any efficient way of computing that prefix, short of brute force?

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • Since A, B, C, and D are just the four bytes of the digest, there's no way to calculate them without breaking MD5 (by brute force or otherwise).
    • Well, these days there's no need to use brute force. Just use Rainbow Tables (see Google for details). The short answer is that people calculate the MD5 checksum for vast numbers of strings, so you just need to look up the result to reverse the process.
      And, now, let's hear it for: SHA1!!!!

  • What do you gain from changing the start state over just adding some secret to the data you are md5'ing?

    Oh wait - that's what you are asking about too. :-)

      - ask


    -- ask bjoern hansen [], !try; do();

  • If my recalls on the subject are right, $prefix should be the inverse hash calculated on 0x67452301efcdab8998badcfe10325476 in *your* system (i.e. the system with your initial state).

    Now, you have a system that has more or less the same strength of MD5 (apart of course from your initial state, which might be stronger or weaker), and you're facing the problem of inverting a hash - which makes it quite difficult for you to find $prefix. As long as you find it, you know that you have to flush your system in th