MD5 and SHA512 sizes and security

Question

To my knowledge if you talk about md5 it can store up to 32 characters. I'm aware that if you exceed the 32 characters it will still hash it perfectly fine but it might actually be the same hash as md5( 'a' ) though, unlikely.

Isn't it potentially very dangerous and insecure then to use a (md5) salt in md5 or even not checking for the input length of the password + salt?

Example 1:

$pass = md5( 'this is a password' );
$salt = md5( 'this is a salt' );

// Will exceed 32 range and might therefore equal md5( 'a' ) -
// if so this will pass an authorization such as login
md5( $pass . $salt );

Example 2:

// 32 character password
$pass = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
$salt = 'salt';

// Will also exceed 32 range due to no length check and might equal md5( 'a' )
md5( $pass . $salt );

Should you not do:

$pass = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
$salt = 'salt';

if ( strlen( $pass ) + strlen( $salt ) > 32 ) 
  exit;

else
  md5( $pass . $salt );

Also, where is the limit for sha512? 512 characters?

your underlying assumption is simply wrong. it produces a "32-character hexadecimal number." that has nothing to do with the length of the input. its often used to produce a hash of a file that could be ANY length — , Sep 16 '14 at 00:53
@Dagon Care to explain? `A-F` and `0-9` can only generate enough `hashes` for `32 characters`. So, if you exceed `32 characters` won't it use a hash that will match something within the `32 characters`? — KaekeaSchmear, Sep 16 '14 at 00:56
@user2864740 Let me rephrase the question: How long can the input be before it will start using identical hashes within that range? — KaekeaSchmear, Sep 16 '14 at 00:59
@user286470 Hm. I see. So, there is always possibilities on duplicates because 32 ^ 255 is of course much larger than 32 ^ 16. But it is however true that if you generate 32 ^ 16.x MD5 hashes that you have a 100% chance of a duplicate, Correct? — KaekeaSchmear, Sep 16 '14 at 01:12
@user2864740 I would obviously accept as answer but you commented =( — KaekeaSchmear, Sep 16 '14 at 01:16

score 7 · Accepted Answer · edited Jun 20 '20 at 09:12

Preface:

Neither MD5 nor SHA-x are suitable for password hashes; ignoring the fact MD5 is cryptographically broken and should be phased out in general, both hash families are too fast and are not suited for this problem - This is because the hashes are too fast, and humans often choose weak/poor password which severely compromises the domain, which makes brute-forcing MD5/SHA-x passwords practical.

For password hashing, use bcrypt instead (via crypt), which is standard in any self-respecting PHP build. Other options, not supplied standard in PHP, are scrypt and even the more vulnerable PBKDF2.

The best thing to do is not re-invent the wheel but to use an existing/tested library which will use a valid hash algorithm (ie. bcrypt), and mitigate issues with incorrect database access, authentication testing, salt generation, etc. As of PHP 5.5+ the password_hash and password_verify functions can be used, although it is still only part of the system.

Response:

The output (range) of MD5 is 32 hex characters representing 128 bits; the input (domain) is effectively unbounded. For SHA-512 the values are 128 characters / 512 bits, respectively. (Note the number of bits of effective security considered is less than the actual number of bits in the range.)

Since neither MD5 nor SHA-x are perfect hash functions then there will be collisions over the domain even when it is less than the range - but the range is so huge (and a valid cryto-hash has certain properties) that it just doesn't matter.

That is, the resulting hashes are not guaranteed unique, but rather (and especially with more bits) it is extremely improbable that a duplicate will be accidentally (or even purposefully) found. The expected collision rate can be estimated by the Birthday Problem; the Pigeon Hole principle also applies, but the chance of a duplicate is so infinitesimally close to 100% before this, such isn't very applicable.

However, this is not a problem in a proper design. This is because cryptographic hash functions are designed with certain properties (which also explains why MD5 is not suitable in such a role):

The ideal cryptographic hash function has four main properties:

it is easy to compute the hash value for any given message

it is infeasible to generate a message that has a given hash

it is infeasible to modify a message without changing the hash

it is infeasible to find two different messages with the same hash

Do keep in mind that as of yet there have been no [reported] found collisions on SHA-1/2/3. This is because they are still suitable cryptographic hash functions. (See duskwoof's comment about SHA-1.)

Also, consider that there are less atoms in the observable universe (10^80 or ~2^280) than the range of a SHA-512 hash! This is part of the reason why/how cryptographic hash functions are considered secure.

SHA-1 has been considered weak since 2005. No collisions are currently known, but [theoretical attacks have been discovered](https://www.schneier.com/blog/archives/2005/02/sha1_broken.html) that significantly reduce its collision resistance (from 2^80 to 2^69 operations). — , Sep 16 '14 at 01:39
@duskwuff That is a good point. I've left it still categorized as "good" but added a note about referring to your comment. Feel free to edit the post (or demand I make more changes) as warranted. — user2864740, Sep 16 '14 at 01:42
However, as for password hashing, you would rather look for a pre-image attack. — Gumbo, Sep 16 '14 at 05:26
Item 4 resembles to 'find m1!=m2 such that H(m1)=H(m2)'. This is not what you’re looking for when you’re looking for a password that results in a given hash. Instead you are looking for 'find m2 such that H(m1)=H(m2) for a given H(m1)', which would be item 2. — Gumbo, Sep 16 '14 at 07:00
@Gumbo Ah, yes. I indeed focused that on two arbitrarily chosen values to match the above. I've spread the focus now. — user2864740, Sep 16 '14 at 07:05

score 0 · Answer 2 · answered Sep 16 '14 at 00:54

0

No, it's not dangerous/insecure. There's no real security requirement that two different passwords won't authenticate the same credential! In fact, you may be under the impression that MD5 will hash all of the first 2^32-1 values uniquely - in fact that is not the case.

In fact, MD5 does not "store" a unique value of any kind. There are many values that will hash to any given MD5 output.

sha2/512 has, as the name implies, 512 bits in the hash - double the length.

answered Sep 16 '14 at 00:54

BadZen

4,083
2
25
48

Which two values of the first 2^32 - 1 does MD5 hash to the same value? – President James K. Polk Sep 16 '14 at 01:40
Ha ha ha, @GregS. You're with the NSA, aren't you. :p (if you're not actually joking, the answer is: we don't know (probably. those of us who don't wear shiny suits and work someplace in Maryland, anyway)) – BadZen Sep 16 '14 at 01:43
(I think the current shortest known collision is 128 bytes) – BadZen Sep 16 '14 at 01:44

MD5 and SHA512 sizes and security

2 Answers2