One of the most important security features in use today is the password. It is important to have secure, unguessable passwords. To protect websites, we store a hashed password instead of the actual one. Password hashing is a way of transforming a password with a one-way function before it's stored in the database. As a result, the site only sees a domain-specific hash of the password. Users generally tend to use a single password at many different websites. Here the user's password is transparently converted into a domain-specific password. A major advantage of domain-specific hashing is that it provides a defense against password phishing. Two hashing algorithms are developed and passwords are hashed through them. The strength of these hashed passwords is compared and their similarity is measured. The hashed passwords, along with their similarity, are then stored in the database. Later the web page framework is developed using Python Bottle and authenticated. Now let us have a look at different hashing algorithms.
Message Digest Algorithm (MD5)
MD5 is a commonly used cryptographic hash function that processes a variable-length message into a fixed-length output of 128 bits. MD5 is used in a wide variety of security applications. It is also used to check the integrity of files. An MD5 hash is typically written as a 32-digit hexadecimal number. The steps to create a password hash using the MD5 algorithm are:
- First, the input message is broken into 512-bit blocks.
- The message is then padded so that its length is divisible by 512.
- First, a single bit, which must be 1, is appended to the end of the message.
- After that bit, zeros are added to bring the length of the message up to 64 bits fewer than a multiple of 512.
- The remaining bits are filled with a 64-bit integer representing the length of the original message in bits.
The MD5 algorithm uses 4 state variables, each of which is a 32-bit integer. These variables are sliced and diced and (eventually) become the message digest. The variables are initialized as follows:
A = 0x67452301, B = 0xEFCDAB89, C = 0x98BADCFE, D = 0x10325476.
Now on to the actual algorithm. The main part of the algorithm uses four functions to thoroughly goober the above state variables. Those functions are as follows:
F(X,Y,Z) = (X AND Y) OR (NOT (X) AND Z)
G(X,Y,Z) = (X AND Z) OR (Y AND NOT (Z))
H(X,Y,Z) = X XOR Y XOR Z
I(X,Y,Z) = Y XOR (X OR NOT (Z))
The above functions, together with the state variables and the input message, transform the state variables from their initial state into the message digest. The message digest is then held in the state variables A, B, C and D. To convert it into hexadecimal form, output the hex values of each of the state variables, least significant byte first.
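The padding steps, initial state, four functions and byte order described above, put together as an added Python example (not code from the original page). The names md5_pad, rotl and md5_hex are chosen here, and the per-round rotation amounts and sine-derived constants, which the page does not list, are the ones defined in RFC 1321.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Not listed on the page: per-round rotation amounts and constants from RFC 1321.
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
          [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]


def md5_pad(message: bytes) -> bytes:
    """Append the 1 bit, the zero bits, then the 64-bit message length in bits."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"                          # a single 1 bit, then seven 0 bits
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)  # stop 64 bits short of a multiple of 512
    return padded + struct.pack("<Q", bit_len)          # length, least significant byte first


def rotl(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_hex(message: bytes) -> str:
    """Return the MD5 digest of message as 32 hexadecimal digits."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):               # one 512-bit block at a time
        m = struct.unpack("<16I", padded[off:off + 64])  # sixteen 32-bit words
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i                  # F(B, C, D)
            elif i < 32:
                f, g = (b & d) | (c & ~d), (5 * i + 1) % 16   # G(B, C, D)
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16            # H(B, C, D)
            else:
                f, g = c ^ (b | (~d & MASK)), (7 * i) % 16    # I(B, C, D)
            f = (f + a + K[i] + m[g]) & MASK
            a, d, c = d, c, b
            b = (b + rotl(f, SHIFTS[i])) & MASK
        # Fold this block's result back into the running state.
        a0, b0, c0, d0 = [(x + y) & MASK
                          for x, y in zip((a0, b0, c0, d0), (a, b, c, d))]
    # Output A, B, C, D in order, each least significant byte first.
    return struct.pack("<4I", a0, b0, c0, d0).hex()
```
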
- Easy to compute the hash value for a given message
- Infeasible to find a message that has a given hash
- Infeasible to modify a message without changing the hash
- Infeasible to find two different messages with the same hash
- Security of the MD5 hash function is severely compromised
- Old MD5 projects can be used to reverse many MD5 hashes into strings in order to crack passwords