Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
User Journal

Journal Slash Privacy Watch's Journal: What about MD5?

Journal by Slash Privacy Watch

What about MD5?

Some of our more technically astute readers may have noticed that Slashdot computes an "MD5 Signature" of each user's IP address and stores this in the database instead of the raw IP. Glossing over this detail for the sake of simplicity appears to have lost some of our readers, so let's address MD5. If you're reading this, we'll assume that you're familiar with some cryptographic concepts, especially how MD5 works.

Won't MD5 protect my privacy?

Well, not in this case. There's two problems with the MD5 argument:

  • One-way correlation is good enough. Slashdot is using MD5 to provide only one-way correlation between IP addresses and user accounts. This one-way correlation is exactly what can be used by any future owner of the Slash database to correlate incoming web hits to Slashdot accounts, and it is exactly what we described in our previous article on the subject. This is why we treated MD5 as an implementation detail only; given an IP address, the Slashdot database can still be mined for the corresponding user account. This is what the $iplist field is there for!
  • Additionally, while it is not trivial, a brute force attack on the Slash database would easily yield the bidirectionally correlated database. Considering that there are only 2^32 base values, and MD5 pads every bit under 448 with zeroes, what we are looking at is attacking values that are 32 bits, a 1 bit, and a string of zeroes, hashed. The computational power required to achieve this brute force attack is trivial.

  • To prove this, we would like to propose a contest:

    Write a perl script to generate the MD5 hash of every IPv4 address in existence. If possible, it should take a command line argument of the starting IP and ending IP, so that we can distribute the search space into blocks. IP addresses should be hashed from a 32 bit integer, increasing by 1 per iteration. We'll post our entry here sometime this week. The winning entry will use the least number of lines.

    Thanks, and good luck

      -The Slash Privacy Watch Team.

Slashdot Top Deals

The rule on staying alive as a program manager is to give 'em a number or give 'em a date, but never give 'em both at once.

Close