Say bye-bye to the old trusty MD5

It is official: Microsoft is one of the big ones who’ll be retiring the venerable-but-vulnerable MD5 algorithm. Don’t worry, you’ll still be able to create MD5 hashes for your documents and verify them, but not for authentication and code signing anymore.

md5_logo_n1
The first chink in MD5’s armor was discovered in 1996; while not critical (MD5 creates 128-bit hashes – the vulnerability is in one of the 64 steps to create the hash value) security experts began recommending alternate algorithms. Both recommended replacement hash functions became obsolete since then.

How big of a security risk was the 1996 announcement? When something like this comes up, cryptoanalysts begin investigating, and creating scenarios, how the fuction can be compromised. It took 8 years, and an unimaginable increase in computing power to crack the MD5 hashing algorithm. The server the chinese analysts demonstrated on (a pSeries IBM) reportedly had 24 Power processors and 1TB RAM – to find a collision with a randomly given MD5 hash took less, than 1 hour.

power6
What is a collision? Basically you take two files which differ in size and (obviously) content, you run your favourite md5sum command on them, and surprise-surpise, the files got identical hashes. No big deal, really? Imagine then what horror Adobe’s programmers felt, when _all_ their user data, passwords, hints, everything was leaked. The passwords were of course left encrypted, but savvy users soon found by sorting the data by password hash, that there were many similarities, even when the password hints indicated completely different. In MySQL databases you have the option to have your fields be MD5 encrypted, and many authentication algorithms simply create a hash when you put your password in the password field, and then compare it to the stored value in the sql database.

login_field

Using the cracking method outlined in the 2004 announcement, and some (cheap!) hardware, a password can be created from an MD5 hash value. It won’t be the original password, but since the hashed value will be the same – you’re in like Flynn. The hardware required is really not on the same level as in 2004 – today you can use the just about anything with a processor in it, a powerful GPU is one way, or use your bitcoin-mining FPGAs to create a program that just runs the blocks over and over, hundered million times a second. The only good thing about the published methods is, that you won’t be able to decode the orignal password, just replicate it with something that will be accepted as your password.

Read about the update in more detail on Microsoft’s website: Technet
Read about the MD5 function, its history, and the vulnerability: Wikipedia
Check if your personal data was leaked: ZDNet

Advertisements

Mystery at Sharepoint Land

Although my site did not contain so much information and data Sharepoint told me that i reached the Storage Quota limit had been given to the site ->

Your changes could not be saved because this SharePoint Web site has exceeded the storage quota limit. You must save your work to another location.  Contact your administrator to change the quota limits for the Web site.

Of course the first step was to go to the “Recycle bin” to empty it. But after this procedure  i got the same error. Ohh yes, the secondary Recycle bin for the Site collection – with Site admin right i was able to delet all the contects of that bin also.

But still got this rude error message. What’s up here?

Continue reading “Mystery at Sharepoint Land”

How to turn the GUI on and off on Windows Server 2012

There is a Windows Server edition which takes less attention that it deserves. This is the Microsoft Windows Server Core. Continue reading “How to turn the GUI on and off on Windows Server 2012”

Basic gateway to gateway VPN tutorial: Part 2 – “Cisco RV042”

In this Article i will guide you through a Gateway to Gateway VPN Tunnel configuration using two Cisco RV042. Our goal is just like in the first part of the article, to create an sql DB link between two MS SQL DB server.

Continue reading “Basic gateway to gateway VPN tutorial: Part 2 – “Cisco RV042””

Basic gateway to gateway VPN tutorial: Part 1 – “TheGreenBow”

In these two articles i will show you two examples, how to connect two computers like two DB servers for example, securely through the internet, with the use of the VPN tunel technology.

I will use two Windows 2008 R2 Servers with a Microsoft SQL Server 2005 installed on each of them. The Servers are installed with a dedicated NIC for this task. I will concentrate on configuring the VPN Tunnel, and only mention some general info about routing, firewall, or DB link configurations needed.

Continue reading “Basic gateway to gateway VPN tutorial: Part 1 – “TheGreenBow””

Migrating an installed Win7 System to SSD

I have decided to upgrade my laptop with an SSD. I have many programs installed, for some of that I doesn’t have any installer or serial anymore and my system is working very well too. So I didn’t want to install it from scratch, just transfer it to the new SSD. In my article I will show you, how you can do it on the simplest way. Continue reading “Migrating an installed Win7 System to SSD”

Connect to Windows Internal Database

The Windows Internal Database is a “built-in”-like simple spreadsheet to redeem the old JET engine based one in case of Windows Server 2008.

“It is designed in such a way that you are not allowed to connect to and use this particular database service for non-Microsoft products.” But i have to connect… Continue reading “Connect to Windows Internal Database”