Repairing damaged MD5 values

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

(And everyone reads the subject line and starts laughing, right?)

My predecessor made a small mistake in the password hashing process
for this web app. The MD5 calculation was correct, but when converting
bytes to string, he used this:

For i = 0 To buf.Length - 1
s &= Hex$(buf(i))
Next
Return s

instead of this:

For i = 0 To buf.Length - 1
s &= Hex$(buf(i)).PadLeft(2, "0")
Next
Return s

The result is that whenever the MD5 hashed bytes contained a byte
value less than 0x10, it was stored as one hex digit instead of two.
So instead of uniform string lengths of 32, I have string lengths
varying from 26 to 32.

People have no trouble logging in -- the system is consistent, it
always mishashes the password the same way -- but I would like to
repair the situation. Obviously there are more theoretical collisions
in a 26 digit hash than in a 32 digit. However, the only solution I
can see is to use the incorrect hash to log someone in, then
immediately (while the password is still in memory) recompute the
proper hash and save that.

Given a correct hash string s0 and an incorrect one s1, it's possible
to tell whether s1 should have been s0, by going two digits at a time
in s0 and consuming digits one or two at a time from s1. A regular
expression could probably even do it. However, given an incorrect hash
string s1, there's no way to know where to insert the missing zeroes
to get the proper s0. Right? 827CCBEEA8A706C4C34A16891F84E7B might
have been meant to be 827CCB0EEA8A706C4C34A16891F84E7B, or
827CCBEEA08A706C4C34A16891F84E7B, or
827CCBEEA8A706C4C34A16891F84E07B.

Am I missing anything?

(This probably doesn't really belong in a SQL Server group, but I'm
not sure where else to put it. I am storing the values in a SQL Server
database, but all the computation is done client-side.)
.

Relevant Pages

  • Re: long index strings
    ... I'm sure breaking a long string into 20 byte segments would work, ... What I was hoping for was a way to compute a mathematical hash such ... as MD5 in Filemaker. ... What are the requirements for writing a plug-in of your own? ...
    (comp.databases.filemaker)
  • Re: "Collision for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD"
    ... this was the Year of Doom for cryptographic hash functions. ... These go into great detail on the SHA-0 and MD5 collisions ... Difficulty in the former is called "collision resistance", ... you probably meant to say was "I can find a *different* string whose ...
    (comp.os.linux.security)
  • RE: Need C# coding for MD5 Algorithm
    ... implementations of the MD5 hash algorithm inherit using C# ... // a 32 character hexadecimal string. ... // The MD5 hash of Hello World! ... Need C# coding for MD5 Algorithm ...
    (microsoft.public.dotnet.general)
  • md5.hexdigest() converting unicode string to ascii
    ... I'm trying to get a MD5 hash of a registry key value on Windows 2000 ... The registry value is a string which is stored as a unicode ...
    (comp.lang.python)
  • Re: How to write a diff in VB6 for comparing two xml files?
    ... No, the best you could do is to read both into string and use StrCompbut it's inefficient and, but using the hash ... Private Declare Function CryptAcquireContext Lib "AdvAPI32.dll" Alias _ ... Dim HashAAs Byte, HashLenA As Long ...
    (microsoft.public.vb.general.discussion)