#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2007
    Posts
    3
    Rep Power
    0

    Red face MD3 Encryption/Decryption


    I know MD3 is a one-way algorithm and is quite obsolete now.

    But I am trying to tackle a problem of extracting real password from MD3 encrypted password. Its very hard to find any information on MD3 now a days.

    I'll be thankful if you can guide me to some link where some brutal-force attack or some other intelligent way of cracking MD3 password is specified.
  2. #2
  3. Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Sep 2007
    Location
    outside Washington DC
    Posts
    2,642
    Rep Power
    3699
    While I don't know much specific about MD3, it is too old even for me, in general, the whole point of any one-way hash function is that it is impossible to recover the plaintext, short of a exhaustive search.

    When MD5 became to be too weak for use, it was not that you could un-hash stuff, it was that you could find two documents that hashed to the same value too quickly.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2007
    Posts
    3
    Rep Power
    0
    Yes you are fully right.
    MD3 hash operates well on 8-character string. All I want is to see some brute-force or similar implementaiton that would crack the MD3-Hash.
  6. #4
  7. Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Sep 2007
    Location
    outside Washington DC
    Posts
    2,642
    Rep Power
    3699
    You can try brute force. Just write some code to generate 8 byte strings, I'd probably start with eight blanks, and increment by one.
    calculate the MD3 and see if it matches. (assuming you can find an MD3 implementation)

    Do you have any idea if the text is US ASCII or could it have the eighth bit lit for 'extended ascii"? I assume its too old to have unicode
  8. #5
  9. Crypto-Con
    Devshed Supreme Being (6500+ posts)

    Join Date
    Apr 2004
    Location
    Frisco, Texas
    Posts
    6,704
    Rep Power
    1236
    MD3? Are you sure it's not MD2, 4 or 5? MD3 was weak from day 1 and never really made it out of the labs. Versions 2, 4, and 5 have all been popular at one point or another, but MD3 was just the oopsie sub-step between 2 and 4. If it is indeed MD3, I'd love to hear the justification for that from the developer.

    Also, don't cross-post your question simultaneously across multiple forums, it's not nice to the people trying to answer your question because you have multiple people all doing the same thing towards the same goal, but without knowledge of each other. If you're going to ask in more than one place, ask in one place, get all the info from there that you can, then ask additional questions in another, or even re-ask the original question if it wasn't satisfactorily answered. But at least give people a couple days.
    - "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.
    - Why know the ordinary when you can understand the extraordinary?
    - Sponsor my caffeine addiction! (36.70 USD received so far -- Latest donor: Mark Foxvog.
    )
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2007
    Posts
    3
    Rep Power
    0
    Dear B-Con,

    Yes, MD3 is weak and it is MD3 implementation as I know. The encrypted string is a fixed 13 character string, out of which first 2 characters work as seed.
    That's why we were trying to get rid of it. Passwords which are stored encrypted in database, we wanted them to be extracted and use some other encryption scheme for it.
    But I relaized that decryption of hash will not give me exact decrypted value, because more than one combination of values may generate same hash result.
    Therefore, even brute-force attack may not give 100% accurate result.

    I apologize for sending same question in different forums in search of quick and best solution, but I realize that its not good practise at all.
    I ensure, I'll not do such again and give time on a forum to respond before trying some other.

    Thanks,

IMN logo majestic logo threadwatch logo seochat tools logo