MD5 Hash for Torque
by Dave Bacher · 07/30/2003 (12:29 pm) · 13 comments
Add the three attached files to your project and recompile.
In cs, you can use:
getStringMD5("test") to get the MD5 hash of any string.
For password verification, you can do something like:
return getStringMD5(%nonce @ getStringMD5(%password));
Where %nonce is a value that the server sends that changes with each request, and %password is the user's password. More data (of course) can be added in to make the string harder to break.
Usually, you would store the MD5 hash of the password in the database, and not the raw password. The inclusion of a one-time variable makes it more difficult to launch a replay attack, but does not prevent the possibility altogether. You really want to always have a one-time value included in there.
This is "close to" how HTTP Digest Authentication works; it has the same well-known weaknesses as Digest Authentication. But it's at least better than plaintext by a bit, and MD5 is better than CRC32 for this task, because it makes more bits of password (so it's less likely that two passwords could produce the same value).
Edit: Note that netInterface has an MD5 implementation, but it didn't look like it could be used for just any MD5 task you wanted, so I just used the RSA reference implementation.
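The nonce exchange described in the resource above, as an added example in Python; it is not part of the original resource or its attached files. `md5_hex` stands in for `getStringMD5` (lowercase hex output is an assumption), and `AuthServer`, `client_response`, the account name and the password are hypothetical names and constructed sample data.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    """Stand-in for getStringMD5(); lowercase hex output is assumed."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def client_response(nonce: str, password: str) -> str:
    # Mirrors: getStringMD5(%nonce @ getStringMD5(%password))
    return md5_hex(nonce + md5_hex(password))

class AuthServer:
    def __init__(self, stored_hashes):
        # user -> MD5(password), as the resource suggests storing. This value
        # alone answers a challenge, so protect it like the password itself.
        self.stored = dict(stored_hashes)
        self.pending = {}  # user -> outstanding nonce

    def issue_nonce(self, user: str) -> str:
        nonce = secrets.token_hex(16)  # unpredictable and fresh per request
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        # pop() makes the nonce single-use, so a captured response fails later
        nonce = self.pending.pop(user, None)
        stored = self.stored.get(user)
        if nonce is None or stored is None:
            return False
        expected = md5_hex(nonce + stored)
        # constant-time comparison of the two hex strings
        return hmac.compare_digest(expected.encode(), response.encode())

def demo():
    server = AuthServer({"dave": md5_hex("hunter2")})  # constructed account
    nonce = server.issue_nonce("dave")
    resp = client_response(nonce, "hunter2")
    first = server.verify("dave", resp)    # fresh nonce, correct password
    replay = server.verify("dave", resp)   # same response, nonce already used
    server.issue_nonce("dave")
    stale = server.verify("dave", resp)    # old response against a new nonce
    nonce2 = server.issue_nonce("dave")
    wrong = server.verify("dave", client_response(nonce2, "guess"))
    return first, replay, stale, wrong

if __name__ == "__main__":
    print(demo())
```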
#2
06/18/2005 (3:15 am)
Wonderful resource!! Thank you Dave
#3
05/30/2006 (4:37 am)
Does anyone have an md5file? I gave it a go this weekend and my c++ isn't strong enough yet.
#5
02/19/2007 (10:45 am)
Very much appreciated, thank you Dave!
#6
11/11/2007 (7:34 pm)
Great resource, this has been very helpful to me. Thank you a lot.
#7
01/28/2008 (3:04 pm)
It looks good, but one thing: how do you convert the MD5 hash into a string?
#8
04/30/2008 (6:15 am)
You can't, Nathan. MD5 is one way.
#9
09/15/2008 (11:14 am)
@Nathan: Hashing algorithms are by definition one-way, meaning that the math used cannot convert a hash back into the original value.
So how does one use them for authentication, to build an example of the most common usage, if they're one way? Simple: you compare the hash sent by the client to the one the server is expecting. This allows you to send a password in an otherwise-unusable format over insecure connections.
To make it tougher to find a collision (which is what it's called when two totally different chunks of data can create the same hash), one can use all sorts of trickery, and the more client-specific the trickery is the more difficult it'll be to fake out the recipient. One of my personal favorites for passwords is to use the password multiple times along with the first and last characters and the length of the password as the string to convert, and hash the whole lot.
#10
09/22/2008 (1:41 pm)
Amazing resource Dave!
#11
03/17/2009 (1:31 pm)
@Dave: Thanks for the resource. Has come in very handy with my authentication code that ties in to my web server. :)
@All: This still works in TGEA 1.7.1 and AFX 1.1.2 ... the only change I had to make was remove the line:
#include "platform/gameInterface.h"
from md5console.cc. :)
#12
07/10/2009 (5:26 pm)
For TGEA 1.8.1:
Change:
#include "core/fileStream.h"
to read
#include "core/stream/fileStream.h"
Also, remove
#include "platform/gameInterface.h"
#13
08/24/2010 (6:38 pm)
In T3D 1.1 Beta 2 this stopped working. I get the following link errors:
md5console.obj : error LNK2001: unresolved external symbol "void __cdecl MD5Final(unsigned char * const,struct MD5_CTX &)" (?MD5Final@@YAXQAEAAUMD5_CTX@@@Z)
md5console.obj : error LNK2001: unresolved external symbol "void __cdecl MD5Update(struct MD5_CTX &,unsigned char *,unsigned int)" (?MD5Update@@YAXAAUMD5_CTX@@PAEI@Z)
md5console.obj : error LNK2001: unresolved external symbol "void __cdecl MD5Init(struct MD5_CTX &)" (?MD5Init@@YAXAAUMD5_CTX@@@Z)
Any ideas why?

Torque Owner Korpos