MD2

  • Comments posted to this topic are about the item MD2

  • This is an old hashing algorithm. There's MD3, MD4, MD5 and others named differently. Somebody there with their own hashing algorithm?

    Bye

    Alberto De Rossi
    Microsoft Certified Solutions Associate - SQL Server
    Microsoft MVP - Data Platform
    Power BI User Group Lima - Community Leader

  • and apparently is considered insecure (MSDN Link) along with the other MD hashes. SHA is apparently the way to go instead.

    Of course I don't really play in that space so can't comment as to the validity of those assertions. Any security experts care to comment?

  • David B (5/24/2009)


    and apparently is considered insecure (MSDN Link) along with the other MD hashes. SHA is apparently the way to go instead.

    Of course I don't really play in that space so can't comment as to the validity of those assertions. Any security experts care to comment?

    I'm not a security expert but I am enough of a nerd to have enjoyed studying cryptography.

    There are a couple of SHA versions out there, and the NSA has a contest on to decide on the next generation of SHA (NIST).

    The MD family isn't really secure anymore and neither is SHA-1, but they range on a sliding scale of "script kiddies love it" to "just don't store national secrets".

    Since secure from a cryptographer's viewpoint involves an attacker with the full resources of a large multi-national corporation or major national government, I've never lost sleep over using MD5 or SHA-1 in my less than top secret applications.

    Of course no hash algorithm in the world will protect from the user whose password is password.

    -DW

  • Cool, thanks for that.

    So yeah, at the end of the day it comes back to the old "Acceptable Risk" guideline.

    And if I was storing anything so secret that I had to be concerned I think I would wrap the stuff up in more than a single layer of security 🙂

    -d

  • I'm going to be pedantic here, I'm afraid.

    The cryptoAPI name for the MD2 hash algorithm is not MD2, but CALG_MD2 (http://msdn.microsoft.com/en-us/library/ms904264.aspx). So MD2 is NOT the cryptoAPI name for MD2 - the "correct" answer is wrong (that didn't stop me, or probably anyone else, from ticking it though) unless of course the wrong question has been provided.

    MD2 is actually the SQL Server HASHBYTES name for MD2, not the CryptoAPI name.

    Referring to http://www.rfc-archive.org/getrfc.php?rfc=1319 is not very useful for information about either CryptoAPI or SQL Server. It would be better to refer to http://msdn.microsoft.com/en-gb/library/ms174415.aspx for MD2 in SQL Server.

    Or if you really mean the CryptoAPI name, so that the answer is right but the question is wrong, you should refer to the CryptoAPI reference given above.

    Tom
