
SALTED MD5 HASHING SCHEME

HASH

Hash algorithms map binary values of an arbitrary length to small binary values of a fixed length, known as hash values. A hash value is a unique and extremely compact numerical representation of a piece of data. If you hash a paragraph of plaintext and change even one letter of the paragraph, then a subsequent hash will produce a different value. It is computationally improbable to find two distinct inputs that hash to the same value. A hash value is also known as a message digest. SHA1, MD5, etc. are hash algorithms.

MD5

MD5 takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest.

[Figure: Message or input "abc" -> MD5 Algorithm -> Message digest or hash value 900150983cd24fb0d6963f7d28e17f72]

Application of MD5 to encrypt passwords

Web applications suffer from the vulnerability that credentials travelling in clear text can be sniffed from the network. The credentials can also be detected with the help of memory editing tools on shared systems which are used to access the web pages. For the issue of the password travelling in clear text, the solution is to implement the salted MD5 technique. If only the MD5 of the password was submitted, tests in the lab have shown that it is possible to replay the hashed password (i.e. once a hash of the submitted password is generated, this can be copied and pasted repeatedly). Hence a salted MD5 hash of the password can be submitted instead. In this case the submitted value will not be the same every time: since the salt (which is a random number) changes every time, the salted hashed password also changes every time. The prerequisite for this is that the backend database stores an MD5 hash of the password.

When a client requests the page, the server generates a random number, the salt, and sends it to the client along with the page. JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password these two hashes should match. The server compares the two and if they match, the user is authenticated.

A step by step illustration of the salted MD5 is as follows:

1: The client makes a request for a web page, which can be accessed only after authentication.

[Figure: Client Browser -> Server: Request for Protected Resource]

2: The server sends the authentication page, e.g. Login.html, together with a randomly generated string or number, also known as the salt or seed.

[Figure: Server -> Client Browser: Salt + Authentication Page]

3: Client types the user name and password in the login page.

[Figure: Client submits User Name and Password (login form with User Name and Password fields and an OK button)]

4: Client-side code on the login page performs the computation to generate a salted MD5 password. This code may be implemented using JavaScript, VBScript, a Java applet, etc.

Computation done on client side:

A = MD5Hash(Salt + MD5Hash(Password))

5: The client submits the user id or login id and the computed salted hash password to the server.

[Figure: User Name + A sent to Server]

6:

• Application on the server obtains the salt or seed that was sent to the client earlier.
• Application retrieves the hashed password from the login database for the user id submitted. The passwords are stored in hashed form and not as clear text in the database.

[Figure: Hashed Password]

• The application uses the salt and the hashed password to compute the salted hashed password: B = MD5Hash(Salt + Hashed Password)

7: Comparison performed by server application.

• If A = B, it is established that the client holds the password corresponding to the salted hashed password submitted to the server. The server then allots an authenticated session to the user.

[Figure: Server -> Client Browser: Authenticated Session]

8: This session persists, or is valid, until the user logs out or the session times out due to inactivity.

9: The session life cycle should be managed with care.
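Steps 1 to 7 above as a runnable exchange, added here as an example and not taken from the paper's ASP.Net sample. The user name, password, session ids and function names are constructed for illustration, and the salt comes from Node's crypto.randomBytes and is consumed on first use, which is an assumption about how the server tracks it.

```javascript
// Added example (not the paper's code): the salted MD5 exchange, both sides.
const crypto = require('node:crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed login database: user id -> MD5(password), as the scheme requires.
const loginDb = new Map([['alice', md5hex('correct horse')]]);
const pendingSalts = new Map(); // session id -> salt issued with the login page

// Step 2: the server generates a fresh salt for each login page and remembers it.
function issueSalt(sessionId) {
  const salt = crypto.randomBytes(16).toString('hex'); // cryptographic RNG
  pendingSalts.set(sessionId, salt);
  return salt;
}

// Step 4 (client side): A = MD5Hash(Salt + MD5Hash(Password)).
function clientResponse(salt, password) {
  return md5hex(salt + md5hex(password));
}

// Steps 6-7 (server side): B = MD5Hash(Salt + Hashed Password), then compare A and B.
function verifyLogin(sessionId, user, a) {
  const salt = pendingSalts.get(sessionId);
  pendingSalts.delete(sessionId); // single use: a replayed A finds no salt
  const stored = loginDb.get(user);
  if (!salt || !stored || typeof a !== 'string') return false;
  const b = Buffer.from(md5hex(salt + stored), 'utf8');
  const aBuf = Buffer.from(a, 'utf8');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return aBuf.length === b.length && crypto.timingSafeEqual(aBuf, b);
}

// One genuine login, two replays of the captured response, one wrong password.
function demo() {
  const salt1 = issueSalt('s1');
  const a1 = clientResponse(salt1, 'correct horse');
  const first = verifyLogin('s1', 'alice', a1);      // genuine login
  const replaySame = verifyLogin('s1', 'alice', a1); // salt already consumed
  issueSalt('s2');
  const replayNew = verifyLogin('s2', 'alice', a1);  // old A against a new salt
  const salt3 = issueSalt('s3');
  const wrong = verifyLogin('s3', 'alice', clientResponse(salt3, 'guess'));
  return { first, replaySame, replayNew, wrong };
}

console.log(demo());
```

The server computes B from the stored MD5(password) alone, so the stored hash has to be protected like the password itself.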

Implementation of Salted MD5 in ASP.Net and JavaScript – Sample Code

For the above login application, developed using ASP.Net and JavaScript, the salted MD5 is implemented. The code for the client and server side of the program is shown below.

Code on client side

The program uses an md5.js file. This file was written by Henri Torgemane and can be downloaded from the Internet.

<%@ Page Language="vb" AutoEventWireup="false" codebehind="WebForm3.aspx.vb" Inherits="Dipti.WebForm3" %>

[Form as rendered: page title "WebForm3"; heading "Login Screen"; fields "UserName :" and "Password:"; labels "Computed hash on client", "Computed hash on server", "Label"]


Code on server side

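Imports System.Web.Security.FormsAuthentication

Public Class WebForm3
    Inherits System.Web.UI.Page

    Dim rno As Integer

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        'Put user code to initialize the page here
        If Not IsPostBack Then
            ' First request: generate the salt and keep it in the session.
            ' Note: System.Random is not a cryptographic random number generator.
            Session.Add("rno", 0)
            Dim randomclass As New Random
            Session("rno") = randomclass.Next()
        End If
        ' Read the salt back on every request so that the onclick handler
        ' carries the same value the server will verify against.
        rno = Session("rno")
        Button1.Attributes.Add("onclick", "javascript:md5auth(" & rno & ");")
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Label2.Text = "hi"
        Dim strHash As String
        rno = Session("rno")
        ' Server-side value: MD5 of the salt concatenated with the submitted Password1 field.
        Dim str As String = rno.ToString + Trim(Password1.Value)
        strHash = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(str, "MD5")
        Label2.Text = strHash
        ' Client-side value posted in the "hash" form field.
        Label1.Text = Request.Form("hash")
        ' HashPasswordForStoringInConfigFile returns upper-case hex, so lower-case it before comparing.
        If Trim(Label1.Text) = Trim(LCase(Label2.Text)) Then
            Label7.Text = "Strings are equal"
        End If
    End Sub
End Class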
