TMT: MD5 (Message-Digest algorithm 5)
This is an installment of Ten Minute Tech, where I pick a technology-related subject and write a paragraph or two about what I know. I then pick and read a reference article related to the subject and write another paragraph or two about what I learned. This edition’s topic is MD5 (Message-Digest algorithm 5).
Before
MD5 is a form of one-way encryption, sometimes called a hash. Basically, it is a way to take an existing amount of data (for example, a user’s password) and scramble it such that it cannot be unscrambled. Well, given today’s fastest computing power, it would take many years to decrypt.
A user password for a website would be a great example. Let’s say you register a user account for a website and they take and keep a password of your choosing. They are going to be storing this password somewhere. Now, it would be more secure for them to store the MD5 version of your password. They could always convert the password you provide at the login prompt and compare it to the stored encrypted version; however, if someone was able to hack into their user database, all they would see is an MD5 version of your password, and they would never be able to use that to log in as you.
It is also used in email, to verify that the email a person receives is the same as the one sent by the sender. In this case, the sender’s email client would send the message and an MD5 version of the message. The recipient’s email client would run an MD5 of the message that it received and compare it to the MD5 string that was sent. It would help verify that the message was not tampered with or corrupted en route.
Article: MD5 (Message-Digest algorithm 5)
After
After reading the article, I have learned that the MD5 algorithm is based on bit rotation (the bits of the original content are shifted to the left at algorithmic intervals). However, I have also learned that the security level of the MD5 algorithm is in truth not that high: very efficient algorithms have been developed that can decrypt an MD5 hash in less than an hour using average computing power. Also, many lookup tables have been developed to shorten the decryption process.
There are a few methods to improve the level of security. One is that you can add what is called a salt, which is some predetermined data that is added to further obscure the original data. A second method is that the MD5 algorithm could be performed a number of times (with or without salts).
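The two methods above (a salt, and repeating the hash many times), shown as an added example that is not part of the original post. It swaps in the standard PBKDF2-HMAC-SHA256 construction from Python's `hashlib` instead of raw MD5 for the salted, iterated part; the function names, the iteration count and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def unsalted_md5(password: str) -> str:
    """Plain MD5: the same password always yields the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def users_sharing_a_digest(records: dict) -> int:
    """Count users whose stored value is identical to another user's."""
    values = list(records.values())
    return sum(1 for v in values if values.count(v) > 1)


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    passwords = {"alice": "password", "bob": "password", "carol": "tr0ub4dor"}

    plain = {u: unsalted_md5(p) for u, p in passwords.items()}
    salted = {u: hash_password(p) for u, p in passwords.items()}

    print("unsalted MD5, users sharing a digest:", users_sharing_a_digest(plain))
    print("salted + iterated, users sharing a digest:",
          users_sharing_a_digest(salted))
    salt, stored = salted["alice"]
    print("correct password verifies:", verify_password("password", salt, stored))
    print("wrong password verifies:", verify_password("passw0rd", salt, stored))
```

Identical unsalted digests are what make a precomputed lookup table useful against a leaked database; with a per-user salt, each stored value has to be attacked separately, and the iteration count makes every guess slower.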
However, MD5 is widely used to offer some basic protection to passwords, but its primary function nowadays is to help ensure the validity of a file (similar to my email example). MD5 hashes can be generated for files that are transferred over a network and then used to ensure that the transferred copy is the same as the original. You will see this a lot on the web with large downloadable files.
Here is some interesting follow-up reading on why MD5 is not that secure and how it can be broken.
http://en.wikipedia.org/wiki/Rainbow_table
http://en.wikipedia.org/wiki/Birthday_attack