November 29th, 2007, 01:47 PM
I know MD3 is a one-way algorithm and is quite obsolete now.
But I am trying to tackle a problem of extracting real password from MD3 encrypted password. Its very hard to find any information on MD3 now a days.
I'll be thankful if you can guide me to some link where some brutal-force attack or some other intelligent way of cracking MD3 password is specified.
November 29th, 2007, 01:56 PM
While I don't know much specific about MD3, it is too old even for me, in general, the whole point of any one-way hash function is that it is impossible to recover the plaintext, short of a exhaustive search.
When MD5 became to be too weak for use, it was not that you could un-hash stuff, it was that you could find two documents that hashed to the same value too quickly.
November 29th, 2007, 02:01 PM
Yes you are fully right.
MD3 hash operates well on 8-character string. All I want is to see some brute-force or similar implementaiton that would crack the MD3-Hash.
November 29th, 2007, 02:14 PM
You can try brute force. Just write some code to generate 8 byte strings, I'd probably start with eight blanks, and increment by one.
calculate the MD3 and see if it matches. (assuming you can find an MD3 implementation)
Do you have any idea if the text is US ASCII or could it have the eighth bit lit for 'extended ascii"? I assume its too old to have unicode
November 29th, 2007, 06:04 PM
MD3? Are you sure it's not MD2, 4 or 5? MD3 was weak from day 1 and never really made it out of the labs. Versions 2, 4, and 5 have all been popular at one point or another, but MD3 was just the oopsie sub-step between 2 and 4. If it is indeed MD3, I'd love to hear the justification for that from the developer.
Also, don't cross-post your question simultaneously across multiple forums, it's not nice to the people trying to answer your question because you have multiple people all doing the same thing towards the same goal, but without knowledge of each other. If you're going to ask in more than one place, ask in one place, get all the info from there that you can, then ask additional questions in another, or even re-ask the original question if it wasn't satisfactorily answered. But at least give people a couple days.
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.
- Why know the ordinary when you can understand the extraordinary?
- Sponsor my caffeine addiction! (36.70 USD received so far -- Latest donor: Mark Foxvog.
November 30th, 2007, 12:53 AM
Yes, MD3 is weak and it is MD3 implementation as I know. The encrypted string is a fixed 13 character string, out of which first 2 characters work as seed.
That's why we were trying to get rid of it. Passwords which are stored encrypted in database, we wanted them to be extracted and use some other encryption scheme for it.
But I relaized that decryption of hash will not give me exact decrypted value, because more than one combination of values may generate same hash result.
Therefore, even brute-force attack may not give 100% accurate result.
I apologize for sending same question in different forums in search of quick and best solution, but I realize that its not good practise at all.
I ensure, I'll not do such again and give time on a forum to respond before trying some other.