Faulty using of MD5 in web applications
22:43 13.08.2010
This is the English version of my article Faulty using of MD5 in web applications.
The cryptographic algorithm MD5 (Message-Digest algorithm 5), which is designed for creating hashes, is widely used in programming, particularly in web application development, as a security tool. Besides hashing passwords, MD5 is also used for other security-related tasks, which are the subject of this article: for example, generating passwords at installation or when creating new accounts, or creating random strings for the names of files or folders.
When MD5 is used for security purposes, it can be used in a faulty way, which decreases the security of web applications and introduces vulnerabilities in them. I called these defects in the use of the MD5 algorithm the MD5-string attack. In 2007-2008 I found two such cases, which concern WordPress (other web applications could also have such vulnerabilities).
As I already mentioned in 2008, the output alphabet of the MD5 algorithm has 16 chars. So when you use e.g. the md5 function in PHP, its output is a string made up of chars from the 16-char md5-alphabet. If only a short string is used, its reliability will be low when this string is used for safety mechanisms (because it can be guessed relatively easily).
The number of possible combinations, depending on the length of the md5-string:
16^1 = 16
16^2 = 256
16^3 = 4096
16^4 = 65536
16^5 = 1048576
16^6 = 16777216
16^7 = 268435456
Only at an md5-string length of 7 chars will its reliability be acceptable (when used for safety mechanisms). If the md5-string is shorter than 7 chars, it can be guessed relatively quickly.
Examples of MD5-string attacks.
1. Using md5-strings for creating passwords.
As I wrote regarding the Weak Password vulnerability in WordPress, in this engine (in WordPress 2.0.x versions and potentially up to 2.3.3 inclusive) a weak password was set at installation.
It consists of 6 chars of the md5-alphabet. Because the output of the md5 function has an alphabet of 16 chars, this password has 16777216 possible combinations, and it can be found by brute force relatively quickly.
2. Using md5-strings as the path to important resources.
As I wrote regarding the Information Leakage and Full path disclosure vulnerabilities in WordPress, the WordPress Database Backup plugin uses the md5 function to create the folder for backups.
The name of the folder looks like “backup-xxxxx”: “backup-” followed by 5 chars of the md5-alphabet. That is just 1048576 possible combinations, which can be found by brute force relatively quickly.
So when the MD5 algorithm is used for safety mechanisms in web applications, its alphabet needs to be considered. When a short md5-string is used to create a password (as in WP) or to name the folder with DB backups (as in the WordPress Database Backup plugin), it can be bruteforced relatively quickly.
P.S.
As my research into different hash functions (in addition to md5) showed, hash functions such as gost, lm, md4, mysql323, mysql411, ntlm, ripemd128, ripemd160, ripemd256, ripemd320, sha1, sha224, sha256, sha384, sha512, tiger128_3, tiger128_4, tiger160_3, tiger160_4, tiger192_3, tiger192_4 and whirlpool also return a string that is a hexadecimal number (as with md5). So this string also has an alphabet of 16 chars, and all the warnings about the length of the string from the md5 function (when this string is used for safety mechanisms) apply equally to these functions.
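Added example (not code from the article, WordPress or the plugin): the sketch below expresses the article's 16^n counts as bits of strength, for md5 or any other hex-printed digest, and sets the short md5-string pattern beside a token taken from PHP's CSPRNG. The function names and the seed string are hypothetical, and random_bytes() is assumed to be available (PHP 7 or later).

```php
<?php
// Added example; function names and the seed value are hypothetical.

// Upper bound on the strength of a token: $length characters drawn
// uniformly from $alphabetSize symbols carry length * log2(size) bits.
// A truncated digest is weaker still if the hashed input is guessable.
function token_bits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

// Shortest token that reaches $targetBits with the given alphabet.
function min_length(int $alphabetSize, int $targetBits): int
{
    return (int) ceil($targetBits / log($alphabetSize, 2));
}

// Pattern described in the article: a short prefix of a hex digest.
function short_md5_string(string $seed, int $length): string
{
    return substr(md5($seed), 0, $length);
}

// Hardened form: bytes from the OS CSPRNG, hex-encoded.
// 16 bytes -> 32 hex chars -> 128 bits.
function random_hex_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Lengths that appear in the article and its comments.
foreach ([5, 6, 7, 10, 32] as $len) {
    printf("%2d hex chars: %5.1f bits (16^%d = %.3e values)\n",
        $len, token_bits(16, $len), $len, 16 ** $len);
}

// Any hex-printed digest (md5, sha1, sha256, ...) gives 4 bits per char,
// so the same minimum length applies to all of them.
printf("hex chars needed for 128 bits: %d\n", min_length(16, 128));

printf("short md5-string (constructed seed): %s\n",
    short_md5_string('constructed-seed', 6));
printf("CSPRNG token: %s\n", random_hex_token());
```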
Sunday, 08:35 15.08.2010
I think you’re spot on in this. The use of an **abbreviated** MD5 as a keystone to any form of secure data is laughably insecure, and web developers should take note that the level of protection gained by this method is abysmally small, within the realm of “security by weak obscurity.”
Sunday, 15:28 15.08.2010
Shawn
You concluded very exactly - using “abbreviated” MD5 is insecure. In my article I did not say that it is completely insecure, but that it can be, depending on some parameters such as the length of the md5-string used.
In the article I wrote about using md5 for generating strings (random strings) for security purposes. As I showed in my examples, a small md5-string length is very insecure, but I stated that using a large md5-string length (from 7 to 32 chars) can give enough reliability (but not less than 7 chars).
Here are some examples of using md5-strings of sufficient length for security purposes. Since WP 2.0.3 (in 2006) there have been anti-CSRF tokens in WP, and md5 is used to make random strings for the tokens. A 10-char md5-string is used, so it gives 16^10 = 1099511627776 possible combinations (so it’s reliable enough). In Drupal (as I checked in 6.x versions) the full length of md5 (32 chars) is used for anti-CSRF tokens, which gives 16^32 possible combinations (so it’s indeed reliable). So developers need to pay attention to md5 or other hash functions that they use for security purposes and use them wisely.
Wednesday, 21:02 18.08.2010
I’ve added to the article the information about testing different hash functions (which I conducted using the service rehash.dustinfineout.com).