##project## MD5 analysis... 3.4028236692093846346337460743177e+38 numbers

jimson

can we run a project which generate md5 value and store them in database ?
the number will start from

$a = md5('');
$b = md5($a);

so, we will have a database that store all the md5 values and what values that generated that md5 values.

perhaps once we have such database, we can charge those (government agencies or ... securities agencies) who wanna use.

how u peeps think... ?

jimson

i will post a script after this...
anyone interested ?

jimson

Project Code Name

MD5 Breaker

Project Description

To have a database contained data which is able to search which value that generated queried md5 value.
Possible values of md5 if i am not wrong is 16³² coz 10² = 100

Method

Using people computers to calculate md values
Store the md5 values in database
We need another peeps to check whether the generated values are true. (so we have to do it twice) by different peeps.
md5 values are stored in 16 tables 0 to F and 2 columns val and gval (gval = generated md5 values)
so how we break the task to peeps.
there will be one website that serve as md5 collector.
peeps can start from any 32 characters, generated values will be stored depend on their first character in particular table.

jimson

so far
here is the zip file for u to

Mordecai

I already wrote an extension to my crack() function that will attempt to break MD5s based on dictionaries.

jimson

hi, can u please give me a summary what ur crack() function will do... i haven't download anything... i see cartoon... and ... names.

kinda info to me... so i know how is it associate with what i wish to run... thanks, moderncai.

Weedpacket

I don't see the point, myself. Why not just guess the passwords and MD5() them in real time?

Of course, if you were using MD5 for its intended purpose (ie., as a message digest), then these cracks are totally useless.

BuzzLY

No, I think you miss the point, Weedpacket. What we need is a global project that will enlist the aid of professional PHP developers everywhere to help crack MD5 encryption.

Next week, we are going to give seminars on how to crack a bank vault combination. Not to steal money, of course. Just to see if we can do it...

Weedpacket

Mm, okay, but I don't see how guessing passwords is going to achieve that. Anyone here cryptographic experts?

Jedi_Legend

Ha, like government angencies will pay for it. I think your largest business will come from hackers and if anything, the government will either shut you down or keep a very close eye on your customers.

Sounds like a good idea to me! I'm in! 😃 😉 😉

Weedpacket

Hmm, let's look at this number
3.4028236692093846346337460743177e+38

Let's call that 3.5e+38. 3.5 * 10^38.

Number of human beings on Earth: 6*10^9.

Number of stars in Milky Way:
10¹¹

Number of Galaxies in Universe - ooh, let's say a hundred billion there as well: 10¹¹

Assuming our galaxy is pretty average, number of stars in the Universe: 10¹¹ * 10¹¹ = 10^22.

A grain of sand is about 1mm^3. 3.5e+38 grains of sand hence takes up 3.5e+38mm^3, or 3.5e+29m³ = 3.5e20km^3, or about 320 million times the volume of the Earth.

The number of permutations of Rubik's Cube: 43252003274489856000 approx. 4.3e+19, so you can picture a Rubik's metacube, where before you can make each move you have to first solve an ordinary Rubik's cube.

Yahoo (last time I looked) was buying storage at the rate of a terabyte (1024^4😎 a week. Assuming storage of each MD5 string requires 16 bytes, storing all of them would take 5.6e+39B, or 509e+25TB - At Yahoo's rates, it would take 6e15 times the age of the Universe to accumulate enough storage.

Dracore

If the government really wanted to crack md5 they could probably have it done within a week.:/ I'd recommend using XOR encryption rather than trying to crack md5...

Weedpacket

I can understand if you're wanting to take an MD5 string and farm the job of guessing words that hash to it out to other processors; and then storing a list of password/hash pairs. It's very easy to get the wrong end of the stick with jimson's writing "style".

But like I said originally, people who use MD5 to encrypt passwords are not using it for its intended purpose. Any password-obscuration technique is vulnerable to this attack; it hardly counts as "cracking MD5", and all it means is that people ought to be more sensible about choosing passwords in the first place.

jimson

according to
http://www.faqs.org/rfcs/rfc1321.html

This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest.

well,
i don't really think so.
since 16³² is a possible values.
i don't use this to hack, i just want to prove that by giving me an MD5 32 character values, i know how to generate this prespecified message digest.

the problem where i now haven't understand it,
let say, we start by md5('');
then we get a 32 char, we continue md5 the result so in the end, we will have 16^32.
so, what will HAPPEN if we come to the last number of 16^32..
have u guys think about it? all numbers already specified, and redundant will occured.... he he he...

the problem is,
let say, we md5('jimson');
we will also get 32 char, but we use only 6 chars to have 32 chars digest.
so, if we have a complete database of 16³² data,
we will know what 32 chars that generate the same md5('jimson');
and we can claim that the MD5 is not as it claimed to be unique hash... 🙂 so, if we can prove the person (that professor) who create this algorithm is wrong, are we brighter than the professor? what ya think?

imagine if we can found the clash,
2 or more values that generate the same hash... (it will prove a security error).

u might think, why i or us want to prove it WRONG... ?
well, becoz it is wrong.. 🙂

LET US PROVE THE RIGHT IS WRONG... TO JOIN, JUST ADD UR NAME IN THIS THREAD....

basically, i need 32 person.
so each person will be a manager, will handle a character md5 (0 to F)
16 person will be the first timer,
16 person will check the first 16 person jobs. to make sure the generate from and generate to values is true.

i am still thinking how to consume peeps pc resources the billion, million users out there who want to support.?
i don't know, if i open my pc 24 hours per day (1ghz), how many number i can get, so i can predict when we gonna finish the 16^32...

it would be a little bit meaningless, if we dont manage the start string to md5 coz, just my HO... :?

ah... just found a solution...
so, first peep will start from
00000000000000000000000000000000
second peep
00000000000000000000000000000001
tenth peep
0000000000000000000000000000000A
so, by using this method, we know how many people participate
and in the end we will reach
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

so what ya think?

jimson

ur guys so fast in posting... looks like this gonna be interesting

Weedpacket

who create this algorithm is wrong, are we brighter than the professor? what ya think?

There are an infinite number of possible messages.
There are only a finite number of possible MD5 hash.
Every possible message has an MD5 hash.
All finite numbers are smaller than infinite numbers.
Therefore there are fewer MD5 hashes than there are possible messages.
Therefore there are several messages that have the same MD5 hash. (It can be shown that there are an infinite number of possible messages that all have the same MD5 hash).

So when you're given such a hash you can't tell which of those messages was the original.

You're not doing anything that contradicts what "the professor" said. Reread the RFC. Find out what MD5 is for.

Read my post on the size of 16^32.

Look up the word "infeasible" in the dictionary.

And let me know when you've figured out (an example of) what "cf917a70992aa5956d107ba7663cd567" is the MD5 hash of.

jimson

i think it is maybe tooks ages for us to have the complete
md5 hash pair data so.. like weed said... is correct about the storage we need to store those pair of 32 chars.

ok.. why dont we just collect the pair result data that start with 0

so (16^32)/16 = 2.1267647932558653966460912964486e+37
so, does it sounds possible ?
or 10000000000000000000000000000000 hex = ? TB?

ok, i think another method
16¹⁶ = 18446744073709551616
18446744073709551616/16 = 1152921504606846976
em, we just having the first 16 char of 32 md5 char.
so we will have
0000000000000000 to 1111111111111111
so we will have pair that generate

aik... ok.. found another solution..
so, our goal is to prove the theory is WRONG...
so, md5('jimsonchang') = 67c356a7e59cda2160d0b86c389264c0

so we just use the computer power to find the 32 chars that can generated "67c356a7e59cda2160d0b86c389264c0"
what ya think?
maybe we will have a list of peeps who join
where their name <32 chars
and database will try to math the list for occurance ?

how u think...?

can anyone tell me, if i run 24 X 7 X 365, how many numbers i can get, not stored in database, just match the list?

sorry weed, about my STYLE... ? <= i got style. ?.. stylish... 🙂 🙁

eb1024

edited

Weedpacket

Originally posted by jimson

so (16^32)/16 = 2.1267647932558653966460912964486e+37
so, does it sounds possible ?
or 10000000000000000000000000000000 hex = ? TB?

No, (16^32)/16 = 16³¹ is only a factor of 16 difference - in grains of sand measure that's 20 million times the size of the Eath. And that is assuming of course that you can tell in advance which strings hash to MD5 hashes where the first four bits are all 0 and how do you know which ones those are?

Okay, I just generated a thousand different MD5 hashes. Doing it in PHP on my machine it took a bit less than 1/80 of a second, but doing nothing except generating them, and on trivial strings at that. But clever coding and hand-tooled assembler may make things a bit faster. Let's be generous and assume therefore a machine can test 100,000 hashes in a second. Let's say we can get a million machines working on the problem. That's 100 billion hashes tested per second. To test 16³¹ numbers would take only about 450 million times the present age of the Universe. Maybe I should go away and see how Moore's Law would affect this estimate.

ok, i think another method
16¹⁶ = 18446744073709551616
18446744073709551616/16 = 1152921504606846976
em, we just having the first 16 char of 32 md5 char.
so we will have
0000000000000000 to 1111111111111111
so we will have pair that generate

Again, how do you know which ones they are? You're going to crank out MD5 hashes and then try and find matches to each of them in turn? The 450 million above assumes you're just generating strings and then computing the hashes.

aik... ok.. found another solution..
so, our goal is to prove the theory is WRONG...

"The theory" - oh, I love it when people use that phrase; it almost guarantees comedy. Note that the abstract of RFC1321 states that "it is conjectured that it is computationally infeasible...". In other words, there is no theory; just a lot of empirical and theoretical evidence to the effect.

It would be much more interesting to develop a computationally feasible means of reversing MD5 to find which message(s) generate a given hash. That's why I wanted to know if there was anyone with cryptographic experience here.

so we just use the computer power to find the 32 chars that can generated "67c356a7e59cda2160d0b86c389264c0"
what ya think?

How? By developing an algorithm that would work in a feasible amount of time and space for any hash, or by mindlessly chucking strings at this particular hash until one sticks? The first would qualify as cracking MD5, the latter would just be guessing passwords.

maybe we will have a list of peeps who join
where their name <32 chars
and database will try to math the list for occurance ?

Why? You've got their name, just hash it! Who needs to look it up in a big table of hashes?

I think you don't actually understand what a Message Digest is. The next sentence of RFC1321's abstract is: "The MD5 algorithm is intended for digital signature applications, where a large file must be 'compressed' in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."

sorry weed, about my STYLE... ? <= i got style. ?.. stylish... 🙂 🙁

Hence the quotes around the phrase.

Again, the challenge hash I posted above still stands.

BuzzLY

Weed, you are absolutely amazing.

You understand what jimson is talking about.
You take the time to debate the issue with him, using very sound and convincing arguments.

You strike me as someone that would sit for 4 hours and seriously answer every time a 4 year old says "why?"

So tell me... what do YOU think is the meaning of life? And don't tell me "a1d0c6e83f027327d8461063f4ac58a6," either.