|
Author |
Message |
fuzz |
|
 fuzz World Chat Champion

Joined: 24 Mar 2004 Karma :   
|
 Posted: 17:06 - 14 Mar 2006 Post subject: Hacking challenges/Encryption query |
 |
|
I've been working through the challenges set on https://www.hack4u.org and have come across one that uses MD5 encryption. Now I've decoded the MD5, but I can't figure out why you can't decode the hash using the same method to encode. All of the MD5 encoders say "You cannot decode MD5." I have found a way around it, but I was wondering why you would have a 'secure' algorithm that cannot be reversed. Surely you need to decode it to understand it, otherwise what's the point? ____________________ https://www.bikepics.com/members/fuzzbcf/
Bikes: '99 NSR125R, '00 SV650S, K1 GSX-R600, '97 CB500, K3 SV1000S, '16 VFR800 |
|
|
 |
FreshAL |
|
 FreshAL Sir Crashalot

Joined: 04 Jul 2005 Karma :   
|
|
|
 |
veeeffarr |
|
 veeeffarr Super Spammer
Joined: 22 Jul 2004 Karma :     
|
|
|
 |
carvell |
|
 carvell Scuttler

Joined: 05 Sep 2003 Karma :  
|
 Posted: 17:46 - 14 Mar 2006 Post subject: Re: Hacking challenges/Encryption query |
 |
|
fuzz wrote: | I've been working through the challenges set on https://www.hack4u.org and have come across one that uses MD5 encryption. Now I've decoded the MD5, but I can't figure out why you can't decode the hash using the same method to encode. All of the MD5 encoders say "You cannot decode MD5." I have found a way around it, but I was wondering why you would have a 'secure' algorithm that cannot be reversed. Surely you need to decode it to understand it, otherwise what's the point? |
I'll try and explain.
Firstly, it's not encryption, it's a hash. BCF uses it in fact, to store your passwords.
When you sign up, an MD5 hash is generated, which is unique to any possible password, this MD5 hash is then stored in a database. When you want to log in, it gets the MD5 hash of the password you have typed, if this matches the stored hash it lets you in, if it doesn't it doesn't.
You see, there's no way you would ever need to decode it. There's no way Korn could know our passwords, they are all stored as an MD5 hash and all it does when you try to log in is compare these.
An example of a very simple hash is to say add all the numbers up. Say your password was "1234", then the hash might be 10. If your password was "5632" then the hash might be 16. These hashes are what is stored in the database.
If I said to you "the hash is 16", would you be able to tell me my 4 digit code? Of course you wouldn't - there's no way you can know exactly what I've typed in. As a test, the hash for the hashing algorithm I've described above is 12, I'll leave it to you to tell me my 4 digit pin. MD5 is a hell of a lot harder than that.
You haven't cracked MD5, you haven't. There's no way you can do it apart from brute force which takes weeks and years on very fast computers. ____________________ Yamaha TDM 850 |
|
|
 |
fuzz |
|
 fuzz World Chat Champion

Joined: 24 Mar 2004 Karma :   
|
 Posted: 23:04 - 14 Mar 2006 Post subject: |
 |
|
Right, I understand why you wouldn't need to decrypt it if it compares hashes for verification, but I disagree with the fact that it is uncrackable.
For instance:
With three different websites that offer MD5 encryption, the string bcf became 28cb510090e7e926daa92745a8b02362. Another website offered decryption of the hash and returned the original string, bcf.
Also, isn't there something referred to as collision, which occurs when two different strings return the same hash? ____________________ https://www.bikepics.com/members/fuzzbcf/
Bikes: '99 NSR125R, '00 SV650S, K1 GSX-R600, '97 CB500, K3 SV1000S, '16 VFR800 |
|
|
 |
carvell |
|
 carvell Scuttler

Joined: 05 Sep 2003 Karma :  
|
|
|
 |
fuzz |
|
 fuzz World Chat Champion

Joined: 24 Mar 2004 Karma :   
|
 Posted: 09:12 - 15 Mar 2006 Post subject: |
 |
|
No I can't crack that. I believe these websites work by storing a database of hashes generated using the algorithm. You enter the hash, it checks the database, and returns the original string that created it. So it is like brute force, only it stores every hash it creates so that it does not need to crack it every time. Complex/long strings might be secure, but simple/short strings can be found using this method. That's a lesson to everyone then - don't use dictionary words for your password! ____________________ https://www.bikepics.com/members/fuzzbcf/
Bikes: '99 NSR125R, '00 SV650S, K1 GSX-R600, '97 CB500, K3 SV1000S, '16 VFR800 |
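Added example (not part of any post in this thread): carvell's digit-sum hash and the precomputed lookup table fuzz describes, followed by the salted, slow password storage that makes such a table useless. The wordlist is a constructed sample, and all function names are this example's own.

```python
import hashlib
import hmac
import os
from itertools import product

def digit_sum_hash(pin):
    """The toy hash from carvell's post: add the digits together."""
    return sum(int(d) for d in pin)

def toy_preimages(target, length=4):
    """Every PIN of this length with the given digit sum (all are valid answers)."""
    pins = ("".join(p) for p in product("0123456789", repeat=length))
    return [pin for pin in pins if digit_sum_hash(pin) == target]

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed sample wordlist standing in for a lookup site's stored inputs.
WORDLIST = ["admin", "root", "default", "password", "bcf"]

def build_table(words):
    """Hash every candidate once; later 'decoding' is only a dictionary lookup."""
    return {md5_hex(w): w for w in words}

def lookup(table, digest):
    """Return the stored input for a digest, or None if it was never hashed."""
    return table.get(digest)

def store_password(password, iterations=200_000):
    """Mitigation: random per-user salt plus a deliberately slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def check_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, key)

if __name__ == "__main__":
    print(len(toy_preimages(12)), "four-digit PINs have digit sum 12")
    table = build_table(WORDLIST)
    print(lookup(table, md5_hex("bcf")))                   # in the table
    print(lookup(table, md5_hex("K3 SV1000S yellow 42")))  # not in the table
    record = store_password("bcf")
    print(lookup(table, record[2].hex()), check_password("bcf", record))
```

The same password stored twice with `store_password` gives two different records, so one precomputed table cannot cover both users.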
|
|
 |
Suzuki |
|
 Suzuki Roger

Joined: 03 May 2005 Karma :  
|
 Posted: 09:59 - 15 Mar 2006 Post subject: |
 |
|
If you do want to use some secure encryption, but want to be able to decrypt it at some point, you should look into RSA and its equivalents.
They use a public and private key pair to secure the data.
Everybody creates a keypair. You give out the public key, and keep the private key to yourself.
I want to send a message to Fuzz, so I encrypt it using his public key. The only way to read that message is to decrypt it using his private key. So only Fuzz can read it.
Conversely, Fuzz wants to send a message and prove that it was him that sent it, and that the message hasn't been tampered with.
So, he writes his message, and then creates a *HASH* of his message. This hash is then encrypted using Fuzz's PRIVATE key. Now, anybody who reads the message can confirm that it's genuinely from Fuzz, and that the message contents haven't been altered.
They decrypt the hash using Fuzz's PUBLIC key, and then compare the decrypted hash to their own generated hash of the message itself. If they match, the message is untouched and definitely from Fuzz.
Most email clients will allow you to use this functionality.
Have a look at PGP (or the free version, GPG, which might now be OpenPGP).
Enigmail is a plugin for Thunderbird which will let you encrypt/decrypt messages in this manner.  ____________________ <Simple> no I'm shaven Jon
<Simple> it is a big enough hole.. I'll leave it now
Ride: 1999 Suzuki GSXR600 (yellow/black) IRC: Stats - Relationship Map |
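Added example (not part of any post in this thread): the hash-then-sign flow from the post above, carried out with unpadded textbook RSA so that each step is visible. The keys are constructed from small known Mersenne primes and every name is this example's own; real signatures use a padding scheme and keys of 2048 bits or more.

```python
import hashlib

E = 65537  # common public exponent

def make_key(p, q):
    """Build (n, e, d) from two primes; d is the private exponent."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, E, d

def digest_int(message, n):
    """SHA-256 of the message as an integer reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, key):
    """Sender: hash the message, then transform the hash with the PRIVATE exponent."""
    n, _, d = key
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public):
    """Reader: undo the transform with the PUBLIC exponent, compare with own hash."""
    n, e = public
    return pow(signature, e, n) == digest_int(message, n)

# Constructed toy keys from known Mersenne primes; far too small for real use.
FUZZ_KEY = make_key(2**61 - 1, 2**89 - 1)
OTHER_KEY = make_key(2**107 - 1, 2**127 - 1)
FUZZ_PUBLIC = FUZZ_KEY[:2]

if __name__ == "__main__":
    msg = b"Meet at the usual place, 7pm. -- Fuzz"
    sig = sign(msg, FUZZ_KEY)
    print(verify(msg, sig, FUZZ_PUBLIC))                          # genuine
    print(verify(msg.replace(b"7pm", b"9pm"), sig, FUZZ_PUBLIC))  # altered
    print(verify(msg, sign(msg, OTHER_KEY), FUZZ_PUBLIC))         # wrong signer
```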
|
|
 |
fuzz |
|
 fuzz World Chat Champion

Joined: 24 Mar 2004 Karma :   
|
 Posted: 11:24 - 15 Mar 2006 Post subject: |
 |
|
I need some help now finding a password. The only clue I have is that it is weak and 'try the defaults to be on your way.'
I've tried the obvious ones like admin, root, default, password. What other passwords might you get as a default (like on a router or something)? ____________________ https://www.bikepics.com/members/fuzzbcf/
Bikes: '99 NSR125R, '00 SV650S, K1 GSX-R600, '97 CB500, K3 SV1000S, '16 VFR800 |
|
|
 |
Suzuki |
|
 Suzuki Roger

Joined: 03 May 2005 Karma :  
|
|
|
 |
fuzz |
|
 fuzz World Chat Champion

Joined: 24 Mar 2004 Karma :   
|
 Posted: 14:28 - 16 Mar 2006 Post subject: |
 |
|
Am I right in thinking that there are 16^32 possible permutations for the hash? That's 3.4x10^38 or 340 000 decillion. So don't feel too bad Luke, it was less than 10%  ____________________ https://www.bikepics.com/members/fuzzbcf/
Bikes: '99 NSR125R, '00 SV650S, K1 GSX-R600, '97 CB500, K3 SV1000S, '16 VFR800 |
|
|
 |
Suzuki |
|
 Suzuki Roger

Joined: 03 May 2005 Karma :  
|
|
|
 |
fuzz |
|
 fuzz World Chat Champion

Joined: 24 Mar 2004 Karma :   
|
 Posted: 14:52 - 16 Mar 2006 Post subject: |
 |
|
Yes that's right, but you can't fault me on the logic
I was thinking quickly, decillion million, 10. It's more in the region of 0.0000000000000000000000000000001%.
It's been a long day............ ____________________ https://www.bikepics.com/members/fuzzbcf/
Bikes: '99 NSR125R, '00 SV650S, K1 GSX-R600, '97 CB500, K3 SV1000S, '16 VFR800 |
|
|
 |