$md6 implementation #216438 15/11/09 12:16 AM
Joined: Feb 2003
Posts: 307
tontito Offline OP
Fjord artisan
Hello,

I am suggesting the implementation of md6 in mIRC.
Some scripts use md5 to secure password-related data and most of us know it isn't that secure anymore.

Thanks

Re: $md6 implementation [Re: tontito] #216442 15/11/09 01:38 AM
Joined: Dec 2002
Posts: 2,962
starbucks_mafia Offline
Hoopy frood
Ron Rivest (lead designer of MD6) has already expressed concerns about potential issues with MD6. It's probably not a wise choice for a stable hash algorithm. The SHA-2 family would be the most obvious choice for now.


Spelling mistakes, grammatical errors, and stupid comments are intentional.
Re: $md6 implementation [Re: starbucks_mafia] #216448 15/11/09 07:27 AM
Joined: Jul 2008
Posts: 236
s00p Offline
Fjord artisan
I agree with starbucks_mafia.

I've studied MD5 and other message digest algorithms extensively, and the main problems they all face are:
1. By nature, collisions. These can only be solved by prefixing known collisions as they are found, and that's a damned good solution.
2. By nature, distribution. These can't be solved, even if you introduce a salt string. The more machines you have working on a hash, the faster it can be cracked. The more hashes you have of a single password (with salt strings), the faster it can be cracked.

There is no perfect message digest algorithm; they're all flawed in the same ways. The difference is that the amount of time it takes to generate a hash may be larger for one algorithm than another. In general, when you're talking about an exhaustive bruteforce against a digest that uses a particular algorithm, if you have a large distribution then it won't take long to find a collision even if the plaintext is above 64 bytes in length. Your most secure option is to use a salt string that is >= 64 bytes. If that's not secure enough, use another salt string that is >= 64 bytes and MD5 it twice.

If your algorithm relies on MD6, use some MD6 source code to compile your own DLL and paste the source here. Khaled might be more than happy to implement $md6 if he has something easy to go on.