B4J Tutorial [BANano] MD5 Encryption - Getting the Md5 Hash of a string

Ola

I was recently asked by a friend to look at this, for encryption.

1. Download this repo here to get the md5 javascript resource

https://github.com/blueimp/JavaScript-MD5

2. In your BANano project, add the javascript file
B4X:
BANano.Header.AddJavascriptFile("md5.min.js")

3. Add this code to your code module in your project

B4X:
'get md5hash
Sub Md5Hash(value As String, key As String, raw As Boolean) As String
    Dim res As Object = BANano.RunJavascriptMethod("md5", Array(value, key, raw))
    Return res
End Sub

4. Usage

B4X:
Log(Md5Hash("TheMash", Null, False))
Log(Md5Hash("TheMash", "AneleMbanga", False))
Log(Md5Hash("TheMash", Null, True))
Log(Md5Hash("TheMash", "AneleMbanga", True))

5. Output.

[Image: md5hash.png]

One can use this to store hashed passwords in the database, for checksums to verify data integrity, or to detect unintentional data corruption, depending on the complexity one needs.

Enjoy.

Mashiane

I guess this is transpiled by BANano. Isn't your password exposed then?
Because hashing is one way, one can implement this by...

1. On a user registration screen, you ask for the password; you don't save the actual password in the db, but hash it and save the hashed password in the db, using this option for example.

B4X:
Dim save2db As String = Md5Hash(<UserPassword>, Null, False)

2. On the login screen, you ask the password of the user, this is then hashed using the same hash method you did for the registration.

3. You then compare the hashed value in the db and the one the user is using to log in. If the hash values match, then a successful login is ensured; if not, the passwords do not match and no login is done.

In both cases, the real password never actually gets revealed.

In this scenario, you have a system that DOES NOT KNOW people's passwords, like MegaSync for example.

alwaysbusy

And the DB is on the server side of course, because MD5 is vulnerable to brute force attacks, and as it is a fast hash, one can relatively quickly find a plain text match that generates a desired hash, especially with passwords.

It is always better to do all encryption on the server side using something strong like bcrypt and you can protect yourself against brute force attacks e.g. with a DoS filter.

ilan

Well said, @alwaysbusy, and people realizing this have created things like HashToolkit, https://hashtoolkit.com, to decrypt these hashes back to their original values.

Thanks for the feedback.

How is that possible? It should be very hard for a desktop PC (too many combinations) to decrypt a HASH back to a string?!?!
I know methods where you have big HASH tables that contain common passwords and compare them, but making the decryption in real time should be hard, right?

ilan

@ilan, yes, it should be impossible actually. On their site, they claim to have been able to decrypt the hashes.

OK, I understand what they are doing. They are not decrypting hashes; what they do is they have a big table with hashes and search in this table. If the hash exists they return the string, as I wrote in the post above:

I know methods where you have big HASH tables that contain common passwords and compare them

[Image: 1618301631723.png]

As you can see, they are searching in 20.460.908.791 DECRYPTED HASHES.

This is a known method where hackers use tables of common words, like from a dictionary or a phone book, run their hashes and compare them with the hashes they stole from DBs, and like this return the password. You know that a computer can calculate about 20 billion hashes/second, so that's a lot!! That means that in less than 1 second you can create all phone numbers from a public phone book and all words in a dictionary + many many word combinations. This is why we should use salting.

Salting = create a random string and include it in your DB. Then hash the user password + salting string and save it as the hash value in your DB. Like this you can avoid different users having the same hash value. To get a higher security level, use salt rounds with bcrypt as @alwaysbusy already recommended above.

very interesting topic :)