Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Ambush Commander wrote: But it would take a long time to cycle through all possible combinations for 1GB files.
You don't need to do that. The size of the file does not matter when trying to find a collision. An 8 char word might have the same md5 as your GB file. In theory the collision can be found in 1 second if one gets very very very ............ very lucky
The problem is that md5 is no crypt. The collision would only be a danger if someone manages to create a virus or trojan that has the same hash as a downloaded prog.
The other use might be if a pw hash is found sniffing a network. The chance of finding a pw is kind of high as the brute force only has to check for the password. If the pw is insecure you might not even need to md5 it over the network. This however has nothing to do with cracking md5 but cracking the pw. Here it doesn't matter if you use md5 or even sha256 or higher. The only secure way is the above-mentioned use of a salt.
You don't need to do that. The size of the file does not matter when trying to find a collision. An 8 char word might have the same md5 as your GB file. In theory the collision can be found in 1 second if one gets very very very ............ very lucky
Since we're being really nitpicky here, you're right. On average, you'd have to cycle through half of them.
AGISB wrote: if someone manages to create a virus or trojan that has the same hash as a downloaded prog.
In order to do this they would have to take the md5 hash and then do a brute force against it, finding all possible things that equal that hash.
Let's say the virus is a measly 3Kb, that would be like trying to crack a 3,072 character string. To make matters more difficult, they would just have to *happen* to stumble across a string that just so happens to be binary that actually runs as an executable. To add onto this, even if in the extremely remote chance they did, it will likely not be a virus.
The problem with rainbow tables is, as Roja has just pointed out, that they are defeated by salted hashes. I recently wrote (in C#, not PHP I'm afraid - but still relevant since you are talking about breaking MD5) a dictionary based cracker for salted MD5 files and thought this might be of interest to you...
I'm just adding the final touches to a proper bruteforce mode and will let you know (if interested) when it is done. At the moment it takes about 4 days to crack a 6 character a-zA-Z1-9 pass.
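The point made in the thread about salts and precomputed tables, as an added example that is not part of any poster's message or code: two accounts with the same weak password share one unsalted MD5 and both match a precomputed table, while a per-user salt makes the stored hashes differ and the table miss. The user names, password list and function names are constructed for illustration; `password_hash()` is PHP's built-in, which salts automatically.

```php
<?php
// Added example, not from the thread. All sample data is constructed.

// Precomputed lookup: md5(candidate) => candidate. Stands in for a rainbow
// table that is built once and reused against every leaked hash.
$commonPasswords = ['letmein', 'password', 'qwerty'];
$precomputed = [];
foreach ($commonPasswords as $candidate) {
    $precomputed[md5($candidate)] = $candidate;
}

// Two hypothetical users who picked the same weak password.
$users = ['alice' => 'letmein', 'bob' => 'letmein'];

function unsaltedRecord(string $password): array {
    return ['salt' => '', 'hash' => md5($password)];
}

function saltedRecord(string $password): array {
    // Random salt, unique per user, stored in the clear beside the hash.
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

function verifyRecord(array $record, string $attempt): bool {
    // hash_equals() compares in constant time.
    return hash_equals($record['hash'], md5($record['salt'] . $attempt));
}

foreach (['unsaltedRecord', 'saltedRecord'] as $scheme) {
    echo "== $scheme ==\n";
    foreach ($users as $name => $password) {
        $record = $scheme($password);
        $inTable = isset($precomputed[$record['hash']]) ? 'in table' : 'not in table';
        $login = verifyRecord($record, $password) ? 'login ok' : 'login FAILED';
        echo "$name  {$record['hash']}  $inTable  $login\n";
    }
}

// The salt removes only the precomputation shortcut: a weak password can
// still be guessed one account at a time. password_hash() adds a per-hash
// salt and a deliberately slow algorithm in a single call.
$stored = password_hash('letmein', PASSWORD_DEFAULT);
echo password_verify('letmein', $stored) ? "password_hash: login ok\n"
                                         : "password_hash: login FAILED\n";
```

The unsalted rows print the same hash twice, both marked as present in the table; the salted rows print two different hashes that the table does not contain, and the login check still succeeds for each.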