|Pathologically Eclectic Rubbish Lister|
Re^3: Digest::MD5 variation problem?by afoken (Monsignor)
|on Aug 24, 2013 at 08:37 UTC||Need Help??|
print "[" . md5_base64( md5_hex( md5( "[" . 'test' ) ) ) . "]\n";
Sorry, but this is just plain stupid. The innermost md5 reduces (or expands) all input to 128 bit. md5_hex around this very likely reduces its input to less than 128 bits (I would be really surprised if all 2^128 possible 128 bit arguments for the MD5 function would result in 2^128 different results). Representing the result in hex adds adds 128 constant bits, so at least half of the input for md5_base64 is constant. Ideally, this would reduce the output of md5_base64 to 2^64 possible values, but due to the previous hash functions, it is likely that the there are far less different values, so the probability for collisions rises. Or shorter: different passwords can result in the same hash value.
zork42++ told you how to properly handle passwords, mainly salting and using strong hash functions. MD5 was strong decades ago, now it should be considered weak.
zork42 also told you about key stretching. Implemented properly, it improves the encryption quality. Read the Wikipeda article. Or just look at the code examples in that article: The key stretching does not add constant bits, but varying bits from the input.
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)