Modified MD5 Algorithm for Password Encryption
2 likes766 views
This document discusses weaknesses in the MD5 hashing algorithm for password encryption and proposes modifications to strengthen it. It begins by introducing MD5 and how it is commonly used to hash passwords for storage. However, MD5 is vulnerable to dictionary and rainbow table attacks. The document then suggests three modifications to MD5 to improve security: 1) Adding a salt value to each hashed password, 2) Iteratively hashing the password multiple times, and 3) Adding a random prefix or suffix to each hashed value before storage. These modifications aim to strengthen MD5 against cracking attempts.
![ISSN: 2312-7694
Sukhmanjit et al, / International Journal of Computer and Communication System Engineering (IJCCSE), Vol. 2 (5), 2015, 698-700
698 | P a g e
© IJCCSE All Rights Reserved Vol. 02 No.05 Oct 2015 www.ijccse.com
Modified MD5 Algorithm for Password
Encryption
Sukhmanjit Kaur
Department of Computer Science
Guru Nanak Dev University
Amritsar, India
sukhmanjit_kaur@yahoo.com
Prabhsimran Singh
P.G. Deptt of Computer Science and Applications
Khalsa College
Amritsar, India
prabh_singh32@yahoo.com
Abstract— Hashing algorithms are commonly used to convert
passwords into hashes which theoretically cannot be deciphered. This
paper presents one of the most famous hashing algorithm MD5, and
suggests the possible improvements that could be made to MD5
algorithm in order to make it more secure. This paper also shows why
it is important to encrypt passwords in any system.
Index Terms— MD5, Hashing, Password Encryption, Data
Security.
I. INTRODUCTION
With the advent of computer technology, it became more
productive to store information in databases instead of storing
in paper documents. Web applications, needing user
authentication, typically validate the input passwords by
comparing them to the real passwords, which are commonly
stored in the company’s private databases. If the database and
hence these passwords were to become compromised, the
attackers would have unlimited access to these users’ personal
data/information. Nowadays, databases use a hash algorithm to
secure the stored passwords but there are still security
breaches. Recently in 2014, Sony was hacked, in 2012 Russian
hackers released a big list of cracked passwords from the well-
known social networking sites including LinkedIn. These
attacks were found to be successful due to the use of weak
security algorithms.
II. ABOUT MD5
MD5, is the full name of the Message-digest Algorithm 5,
is the fifth generation on behalf of the message digest
algorithm. In August 1992, Ronald L.Rivest submitted a
document to the IETF (The Internet Engineering Task Force)
entitled “The MD5 Message-Digest Algorithm”[1], which
describes the theory of this algorithm. For the publicity and
security of algorithm, it has been widely used to verify data
integrity in a variety of program languages since the 1990s.
MD5 was developed from MD, MD2, MD3 and MD4. It
can compress any length of data into an information digest of
128bits (16-byte) hash value, typically expressed in text
format as a 32 digit hexadecimal number as shown in figure 1.
The MD5 segment message digest often claims to be a digital
fingerprint of the data. This algorithm makes use of a series of
non-linear algorithm to do the circular operation, so that
crackers cannot restore the original data. In cryptography, it is
said that such algorithm as an irreversible algorithm, can
effectively prevent data leakage caused by inverse operation.
Figure 1: MD5 Conversion
III. MD5 IN PASSWORD ENCRYPTION
It is highly insecure to store passwords in plaintext in the
database. In order to increase the security of passwords, MD5
algorithms can be used to hash the original passwords and the
hash values, instead of the plaintext are stored in the
database[2]. Figure 2 shows the password in database saved in
form of plaintext.
Username Email_ID Password
Raman ramanarora@yahoo.com coolraman
Ravi raviparkash@gmail.com 123ravi123
Parneet Parneet22@yahoo.com pari123parneet
Figure 2: Password in Plain Form
Username Email_ID Password
Raman ramanarora@yahoo.com
a4302a40097d9e4b18
5fae487a5e1c41
Ravi raviparkash@gmail.com
f03b18d410ce4cb80
910f0218eb0a99b
Parneet Parneet22@yahoo.com
99557b213e10ddba9
e618eb5653d9d5c
Figure 3: Password in Hashed Form](https://image.slidesharecdn.com/rp10155930-160107194902/85/Modified-MD5-Algorithm-for-Password-Encryption-1-320.jpg)
![ISSN: 2312-7694
Sukhmanjit et al, / International Journal of Computer and Communication System Engineering (IJCCSE), Vol. 2 (5), 2015, 698-700
699 | P a g e
© IJCCSE All Rights Reserved Vol. 02 No.05 Oct 2015 www.ijccse.com
Figure 4: Authentication Process
Figure 3 shows password encrypted with MD5 Hashing, it is
clear that it makes the data highly secure if password is stored
in encrypted form.
During authentication, the input password is also hashed
by MD5 in a similar way, and the result hash value is
compared with the hash value in the database for that. Figure
4, shows how authentication process takes place.
IV. SECURITY ANALYSIS OF MD5
MD5 algorithm is prone to two main types of attack,
Dictionary attacks and rainbow tables[3, 4].
A. Dictionary Attack
In dictionary attacks, an attacker tries all the possible
passwords in an exhaustive list called a dictionary. The
attacker hashes each password from the dictionary and
performs a binary search on the compromised hashed
passwords. This method can be made much quicker by
precomputing the hash values of these possible passwords and
storing them in a hash table.
B. Rainbow Attack
Rainbow tables are made up of hash chains and are more
efficient than hash tables as they optimize the storage
requirements, although the lookup is made slightly slower.
Rainbow tables differ from hash tables in that they are created
using both reduction and hash functions. Reduction functions
convert a hash value to a plaintext. The plaintext is not the
original plaintext from which the hash value was generated, but
another one. By alternating the hash function with the
reduction function, chains of alternating passwords and hash
values are formed. Only the first (chain’s start point) and last
plaintext (chain’s end point) generated are stored in the table.
To decipher a hashed password, we first process the hashed
password through reduction functions until we find a match to
a chain’s end point. We then take that chain’s corresponding
start point and regenerate the hash chain and find the original
plaintext to the hashed password. Rainbow tables are very
easily available online now. There are many password cracking
systems and websites that use rainbow tables also, for example,
OphCrack. Of course, using rainbow tables do not guarantee a
100% success rate of cracking password systems. However, the
bigger the character set used for creating the rainbow table and
the longer the hash chain length, the bigger will be the rainbow
table.
V. MODIFICATIONS FOR IMPROVED SECURITY
The following modifications can be made to MD5 hashing, in
order to make it more secured[5, 6].
A. Salting
A salt is a secondary piece of information made of a string of
characters which are appended to the plaintext and then
hashed. Figure 5, shows example of MD5 with salting.
Figure 5: MD5 with Salting](https://image.slidesharecdn.com/rp10155930-160107194902/85/Modified-MD5-Algorithm-for-Password-Encryption-2-320.jpg)
![ISSN: 2312-7694
Sukhmanjit et al, / International Journal of Computer and Communication System Engineering (IJCCSE), Vol. 2 (5), 2015, 698-700
700 | P a g e
© IJCCSE All Rights Reserved Vol. 02 No.05 Oct 2015 www.ijccse.com
B. Iterative hashing
The password is hashed a number of times. MD5 is a fast
hashing function, that is, it is computationally fast to calculate.
Iterative hashing makes the calculation slower, hence
computationally slower and more difficult to crack. Figure 6
shows the iterative Hashing Approach.
C. Prefixes and suffixes algorithm
After encoding the MD5, you can save MD5 HASH and the
original text of passwords with random characters together,
and then conduct the comparison after adding this new version
before and after the original text. The randomness is a major
obstacle to decrypt. Figure 7 shows, result of adding suffix to
MD5.
Figure 6: Iterative MD5 Approach
Figure 7: Adding Suffix to MD5
VI. CONCLUSIONS
Password storage security is one important aspect of data
security as most systems nowadays require an authentication
method using passwords. Hashing algorithms such as MD5
are commonly used for encrypting plaintext passwords into
strings that theoretically cannot be deciphered by hackers.
However, with time, attacks became possible through the use
of dictionary tables and rainbow tables. In this paper, different
modifications were discussed that can be made to existing
MD5 algorithm inorder to make it more secure and
unbreakable.
REFERENCES
[1]. R. Rivest. The MD5 Message-Digest Algorithm
[rfc1321], 1992.
[2]. Xiaoling Zheng, JiDong Jin, Research for the Application
and Safety of MD5 Algorithm in Password
Authentication, 9th International Conference on Fuzzy
Systems and Knowledge Discovery, 2012.
[3]. Wang Xiaoyun, Chen Yin ru. Collision Analysis for
Every Round Function of the MD5, 1996.
[4]. Wang Xiaoyun. How to Break MD5 and Other Hash
Functions, 2005.
[5]. Zhang Shaolan, Xing Guobo, Yang Yixian, Improvement
and Security Analysis on MD5 [J]. Computer
Application, 2009, vol. 29(4):947-949.
[6]. H. Mirvaziri, Kasmiran Jumari, Mahamod Ismail, Z.
Mohd Hanapi, A new Hash Function Based on
Combination of Existing Digest Algorithms , The 5th
Student Conference on Research and Development –
SCOReD 2007, 11-12 December 2007, Malaysia.](https://image.slidesharecdn.com/rp10155930-160107194902/85/Modified-MD5-Algorithm-for-Password-Encryption-3-320.jpg)
Modified MD5 Algorithm for Password Encryption
- 1. ISSN: 2312-7694 Sukhmanjit et al, / International Journal of Computer and Communication System Engineering (IJCCSE), Vol. 2 (5), 2015, 698-700 698 | P a g e © IJCCSE All Rights Reserved Vol. 02 No.05 Oct 2015 www.ijccse.com Modified MD5 Algorithm for Password Encryption Sukhmanjit Kaur Department of Computer Science Guru Nanak Dev University Amritsar, India [email protected] Prabhsimran Singh P.G. Deptt of Computer Science and Applications Khalsa College Amritsar, India [email protected] Abstract— Hashing algorithms are commonly used to convert passwords into hashes which theoretically cannot be deciphered. This paper presents one of the most famous hashing algorithm MD5, and suggests the possible improvements that could be made to MD5 algorithm in order to make it more secure. This paper also shows why it is important to encrypt passwords in any system. Index Terms— MD5, Hashing, Password Encryption, Data Security. I. INTRODUCTION With the advent of computer technology, it became more productive to store information in databases instead of storing in paper documents. Web applications, needing user authentication, typically validate the input passwords by comparing them to the real passwords, which are commonly stored in the company’s private databases. If the database and hence these passwords were to become compromised, the attackers would have unlimited access to these users’ personal data/information. Nowadays, databases use a hash algorithm to secure the stored passwords but there are still security breaches. Recently in 2014, Sony was hacked, in 2012 Russian hackers released a big list of cracked passwords from the well- known social networking sites including LinkedIn. These attacks were found to be successful due to the use of weak security algorithms. II. ABOUT MD5 MD5, is the full name of the Message-digest Algorithm 5, is the fifth generation on behalf of the message digest algorithm. In August 1992, Ronald L.Rivest submitted a document to the IETF (The Internet Engineering Task Force) entitled “The MD5 Message-Digest Algorithm”[1], which describes the theory of this algorithm. For the publicity and security of algorithm, it has been widely used to verify data integrity in a variety of program languages since the 1990s. MD5 was developed from MD, MD2, MD3 and MD4. It can compress any length of data into an information digest of 128bits (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number as shown in figure 1. The MD5 segment message digest often claims to be a digital fingerprint of the data. This algorithm makes use of a series of non-linear algorithm to do the circular operation, so that crackers cannot restore the original data. In cryptography, it is said that such algorithm as an irreversible algorithm, can effectively prevent data leakage caused by inverse operation. Figure 1: MD5 Conversion III. MD5 IN PASSWORD ENCRYPTION It is highly insecure to store passwords in plaintext in the database. In order to increase the security of passwords, MD5 algorithms can be used to hash the original passwords and the hash values, instead of the plaintext are stored in the database[2]. Figure 2 shows the password in database saved in form of plaintext. Username Email_ID Password Raman [email protected] coolraman Ravi [email protected] 123ravi123 Parneet [email protected] pari123parneet Figure 2: Password in Plain Form Username Email_ID Password Raman [email protected] a4302a40097d9e4b18 5fae487a5e1c41 Ravi [email protected] f03b18d410ce4cb80 910f0218eb0a99b Parneet [email protected] 99557b213e10ddba9 e618eb5653d9d5c Figure 3: Password in Hashed Form
- 2. ISSN: 2312-7694 Sukhmanjit et al, / International Journal of Computer and Communication System Engineering (IJCCSE), Vol. 2 (5), 2015, 698-700 699 | P a g e © IJCCSE All Rights Reserved Vol. 02 No.05 Oct 2015 www.ijccse.com Figure 4: Authentication Process Figure 3 shows password encrypted with MD5 Hashing, it is clear that it makes the data highly secure if password is stored in encrypted form. During authentication, the input password is also hashed by MD5 in a similar way, and the result hash value is compared with the hash value in the database for that. Figure 4, shows how authentication process takes place. IV. SECURITY ANALYSIS OF MD5 MD5 algorithm is prone to two main types of attack, Dictionary attacks and rainbow tables[3, 4]. A. Dictionary Attack In dictionary attacks, an attacker tries all the possible passwords in an exhaustive list called a dictionary. The attacker hashes each password from the dictionary and performs a binary search on the compromised hashed passwords. This method can be made much quicker by precomputing the hash values of these possible passwords and storing them in a hash table. B. Rainbow Attack Rainbow tables are made up of hash chains and are more efficient than hash tables as they optimize the storage requirements, although the lookup is made slightly slower. Rainbow tables differ from hash tables in that they are created using both reduction and hash functions. Reduction functions convert a hash value to a plaintext. The plaintext is not the original plaintext from which the hash value was generated, but another one. By alternating the hash function with the reduction function, chains of alternating passwords and hash values are formed. Only the first (chain’s start point) and last plaintext (chain’s end point) generated are stored in the table. To decipher a hashed password, we first process the hashed password through reduction functions until we find a match to a chain’s end point. We then take that chain’s corresponding start point and regenerate the hash chain and find the original plaintext to the hashed password. Rainbow tables are very easily available online now. There are many password cracking systems and websites that use rainbow tables also, for example, OphCrack. Of course, using rainbow tables do not guarantee a 100% success rate of cracking password systems. However, the bigger the character set used for creating the rainbow table and the longer the hash chain length, the bigger will be the rainbow table. V. MODIFICATIONS FOR IMPROVED SECURITY The following modifications can be made to MD5 hashing, in order to make it more secured[5, 6]. A. Salting A salt is a secondary piece of information made of a string of characters which are appended to the plaintext and then hashed. Figure 5, shows example of MD5 with salting. Figure 5: MD5 with Salting
- 3. ISSN: 2312-7694 Sukhmanjit et al, / International Journal of Computer and Communication System Engineering (IJCCSE), Vol. 2 (5), 2015, 698-700 700 | P a g e © IJCCSE All Rights Reserved Vol. 02 No.05 Oct 2015 www.ijccse.com B. Iterative hashing The password is hashed a number of times. MD5 is a fast hashing function, that is, it is computationally fast to calculate. Iterative hashing makes the calculation slower, hence computationally slower and more difficult to crack. Figure 6 shows the iterative Hashing Approach. C. Prefixes and suffixes algorithm After encoding the MD5, you can save MD5 HASH and the original text of passwords with random characters together, and then conduct the comparison after adding this new version before and after the original text. The randomness is a major obstacle to decrypt. Figure 7 shows, result of adding suffix to MD5. Figure 6: Iterative MD5 Approach Figure 7: Adding Suffix to MD5 VI. CONCLUSIONS Password storage security is one important aspect of data security as most systems nowadays require an authentication method using passwords. Hashing algorithms such as MD5 are commonly used for encrypting plaintext passwords into strings that theoretically cannot be deciphered by hackers. However, with time, attacks became possible through the use of dictionary tables and rainbow tables. In this paper, different modifications were discussed that can be made to existing MD5 algorithm inorder to make it more secure and unbreakable. REFERENCES [1]. R. Rivest. The MD5 Message-Digest Algorithm [rfc1321], 1992. [2]. Xiaoling Zheng, JiDong Jin, Research for the Application and Safety of MD5 Algorithm in Password Authentication, 9th International Conference on Fuzzy Systems and Knowledge Discovery, 2012. [3]. Wang Xiaoyun, Chen Yin ru. Collision Analysis for Every Round Function of the MD5, 1996. [4]. Wang Xiaoyun. How to Break MD5 and Other Hash Functions, 2005. [5]. Zhang Shaolan, Xing Guobo, Yang Yixian, Improvement and Security Analysis on MD5 [J]. Computer Application, 2009, vol. 29(4):947-949. [6]. H. Mirvaziri, Kasmiran Jumari, Mahamod Ismail, Z. Mohd Hanapi, A new Hash Function Based on Combination of Existing Digest Algorithms , The 5th Student Conference on Research and Development – SCOReD 2007, 11-12 December 2007, Malaysia.