## DEV Community is a community of 642,334 amazing developers

We're a place where coders share, stay up-to-date and grow their careers.

# Safe hash versus speed of encryption

Jorge Castro
You are free to believe in whatever you want to, me too. So, stop preaching your religion, politics, or belief. Do you have facts? Then I will listen. Do you have a personal belief? Sorry but no.

One of the motto of the security is to ensure the security of the information by using the slower method of encryption.

It is silly.

The level security of encryption of value is not as simple as to toss some probabilities and numbers and see what is biggest. For our case, the speed of generation of a hash means nothing really.

For example, let's say the next exercise:

md5("12345"); // 827ccb0eea8a706c4c34a16891f84e7b

md5 is considered unsafe. Also, the value is trivial so it could exist in some dictionary (and it exist).

now, let's say we add a SALT.

md5("IT IS SOME SALT"+"12345"); // c7afbdc32f71e3f4d90c96488f05e804

I searched on a dictionary with 10 billion entries, and the value is not in the dictionary, but it could be found sooner or later.

md5 allows 2^128 values, it means 340.282.366.920.938.000.000.000.000.000.000.000.000 combinations, so it means a lot of combinations.

But let's try to decrypt our value (with the salt)

Let's say we want to decrypt the password of a table of a database and they are in md5 (and uses a salt).

We could do the next trick: we create a fake account with the value DUMMYPASSWORD: so our hash is d6140cfe07414bb1a614e0cf05a0d0c9, and we need to decrypt the SALT.

So we could test lots and lots of combinations and find a hash that ends with DUMMYPASSWORD.

``````
// usually we do it with c or c++, not with php but it is only an example:
foreach(\$i=0;\$i<340282366920938000000000000000000000000;\$i++) {
\$value=md5(\$i);
\$candidate[]=\$i; // we add a candidate
}
}
foreach(\$i=0;count(\$candidate);\$i++) {
// here we test each candidate and finally, we found the SALT.
// How? beat me!.
}
``````

So, in our example, we found that the generation of the hash is only a small part of the process of "decryption" (\$value=md5(\$i);). However, what if our hash is safer?.

Let's say our hash is generated as follow

``````md5(SALT+MD5(SALT+VALUE));
``````
``````md5("IT IS SOME SALT"+MD5("IT IS SOME SALT"+"12345"));
``````

It is transformed into:

``````md5("IT IS SOME SALT"+"C7AFBDC32F71E3F4D90C96488F05E804")
``````

and our final hash is : 02D24A7A0493E7EB5DF40642BA32FA0E

In this case, we could not use the previous logic to obtain a SALT by knowing the value, because we don't know how the value is stored (C7AFBDC32F71E3F4D90C96488F05E804)

``````
foreach(\$i=0;\$i<340282366920938000000000000000000000000;\$i++) {
\$value=md5(\$i);
if (match(\$value)) {
echo "our value is \$value<br>";
}
}

function match(\$value) {
// Step 1. Read the value
// Step 2. ?
// Step 3. PROFIT
}
``````

The trick is to find a way to match values. As I said, we could try trillions of combinations of md5, but we must compare those values with "something." Even if we know the original value (and we want to obtain the SALT), then it is not trivial to do that for our simple exercise.

We could ensure our system using sha1 or sha256, but even the old-and-"defeated" md5 could give us a lot of security.

To try to break a password system is not as trivial as to try to break a keylock, mainly because the keylock shows when we succeed in breaking it. Breaking a hash is different, we don't know if we break it or not.

But let's say we want to use md5. ( https://blog.codinghorror.com/speed-hashing/ ) It is an old table so the duration has changed but it means nothing, I will explain.

• We could generate all 6 characters long password in 47 seconds.
• We could generate all 7 characters long password in 1 hour.
• We could generate all 8 characters long password in 465 years.

For each character, we increase the duration in an order of magnitude. Let's say that our order of magnitude is x10 (is more).

• 9 characters = 4.650 years (the pyramids were built around 4600 years ago).
• 10 characters = 46.500 years (Europe receives the first humans).
• 11 characters = 465.000 years (First homo sapiens)
• 12... and well, a lot of time.

md5(SALT+MD5(SALT+VALUE));

02D24A7A0493E7EB5DF40642BA32FA0E (16 characters)

It means a lot of time. And it doesn't solve the problem of "how to know if a value matches?".