I am working on this PHP project and I have many places that an md5 is being used. I have even used it many times, but still today I am unclear on what the function is doing. I realize it decrypts the value passed in but what about undoing it to get it back to the original. Maybe i am not clear about the whole process and if anyone has information about the process I would highly appreciate it
+5
A:
md5 is a hashing function
A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum. The values returned by a hash function are called hash values, hash codes, hash sums, checksums or simply hashes.
Frankie
2010-08-17 17:50:20
A:
See http://en.wikipedia.org/wiki/Hash_function.
The strength of a hash function is dependent on its difficulty to reverse.
Edward Mazur
2010-08-17 17:50:58
+1
A:
MD5 does not decrypt anything. It is considered a one-way hashing algorithm. For a given input it returns a fixed length string. Additionally, for two given inputs that are fairly similar but not identical the md5 value returned will not be predictable.
Hashing is good for a lot of things, for example file verification. Although off topic, if you took a file and computed a hash for it and then sent someone a file along with a hash they could easily verify they received the file correct by hashing it themselves and then asserting their hash matches the supplied hash.
Another example would be something such as authentication on a site. After you authenticate a user, you start a session and in that session you store md5(username+time) and also store a cookie on users browser of md5(username+time) then on subsequent page requests you could check your session hash matches the cookie hash to assert the user is who they say they are. Md5 is not a good hash for this type of thing but hashing in general can help in situations such as these. sha1 would be a better hashing function for this application or even sha512.
Chris
2010-08-17 17:51:00
I'd rather use `$_SESSION` for this instead of homegrowing one. That's in turn also already backed by a cookie with a strong ID.
BalusC
2010-08-17 18:00:40
@BalusC I did say to use a session or am I misunderstanding your response?
Chris
2010-08-17 18:05:20
You don't need to create another cookie. Just store username in `$_SESSION`. The session <--> client matching is already taken care by PHP. It is already using a cookie under the hoods (the `PHPSESSID` one).
BalusC
2010-08-17 18:11:26
+4
A:
MD5 is a one way encryption hash.
It doesn't decrypt anything, rather it creates you a hash code that you can use to compare with other MD5 hashes. It used to be that if two hashes matched you could be confident that the two inputs were same. Several collisions were eventually found, followed by ways to create collisions intentionally (reducing the value of MD5 for security purposes). It's a fairly fast algorithm, so there can still be some use to it (checking for corruption during the transmission of large amounts of data, and other other places where you are may be providing other forms of protection against a true attack).
acrosman
2010-08-17 17:51:03
A:
It generates a one way hash of the input data, using the md5 algorithm
Some links:
Visage
2010-08-17 17:51:10
+1
A:
MD5 is a not encryption per se, but rather an algorithm for generating checksums. Whatever data you pass in, you will get out a hexadecimal (only 0-9 and A-F) string of fixed length. The idea is that it's very unlikely that any other data than the one you passed in will result in the same MD5 string. As the result has a fixed length while your data can be any length there will obviously be other data that results in the same MD5 string, but once again, it's very unlikely that you'd find it.
Thus, there is no way to actually "decrypt" an MD5 string. What you do is, you generate it from some data, then generate it from some other data, and compare the two MD5 strings. If they are the same, you can be quite certain (although not 100%), that the two input data are identical.
eliego
2010-08-17 17:52:52
A:
MD5 is a cryptographic hash function. Cryptographic hash functions has the special property that they generate a result based on input, but it is almost impossible to recover the original input. It's kinda an "one-way encryption". Also, by passing the same data through a cryptographic hash function you should always get the same result.
While they are not preferred for encryption, since it's one-way only, but they are very useful when storing passwords. This is because, as I said, the same input would always have the same result. This makes storing the password in plain-text, or even recoverable version of it (such as encrypted passwords) unnecessary. Instead, you would just generate a hash from the password and store it in a database. Whenever someone would try to log in, you would retrieve the hash from the database, and then generate a new hash from the password entered by the user and compare the two.
Please note that MD5 is not very secure, you should try to use some other more secure hashing function instead, such as SHA512:
<?php
$hash = hash('sha512', $data);
?>
Useful links:
Frxstrem
2010-08-17 18:21:06