May 22, 2009 at 12:32 pm
This is an old hashing algorithm. There's MD3, MD4, MD5 and others with different names. Somebody there with their own hashing algorithm?
Bye
Alberto De Rossi
Microsoft Certified Solutions Associate - SQL Server
Microsoft MVP - Data Platform
Power BI User Group Lima - Community Leader
May 28, 2009 at 9:59 am
David B (5/24/2009)
and apparently is considered insecure (MSDN Link) along with the other MD hashes. SHA is apparently the way to go instead. Of course I don't really play in that space so can't comment as to the validity of those assertions. Any security experts care to comment?
I'm not a security expert but I am enough of a nerd to have enjoyed studying cryptography.
There are a couple of SHA versions out there, and the NSA has a contest on to decide on the next generation of SHA (NIST).
The MD family isn't really secure anymore and neither is SHA-1, but they range on a sliding scale of "script kiddies love it" to "just don't store national secrets".
Since secure from a cryptographer's viewpoint involves an attacker with the full resources of a large multi-national corporation or major national government, I've never lost sleep over using MD5 or SHA-1 in my less than top secret applications.
Of course no hash algorithm in the world will protect from the user whose password is password.
-DW
May 28, 2009 at 4:58 pm
Cool, thanks for that.
So yeah, at the end of the day it comes back to the old "Acceptable Risk" guideline.
And if I was storing anything so secret that I had to be concerned I think I would wrap the stuff up in more than a single layer of security 🙂
-d
March 21, 2010 at 5:02 am
I'm going to be pedantic here, I'm afraid.
The cryptoAPI name for the MD2 hash algorithm is not MD2, but CALG_MD2 (http://msdn.microsoft.com/en-us/library/ms904264.aspx). So MD2 is NOT the cryptoAPI name for MD2 - the "correct" answer is wrong (that didn't stop me, or probably anyone else, from ticking it though) unless of course the wrong question has been provided.
MD2 is actually the SQL Server HASHBYTES name for MD2, not the CryptoAPI name.
Referring to http://www.rfc-archive.org/getrfc.php?rfc=1319 is not very useful for information about either CryptoAPI or SQL Server. It would be better to refer to http://msdn.microsoft.com/en-gb/library/ms174415.aspx for MD2 in SQL Server.
Or if you really mean the CryptoAPI name, so that the answer is right but the question is wrong, you should refer to the CryptoAPI reference given above.
Tom