[This is preliminary documentation and subject to change]
An MD5 hash is used for sending encrypted user credentials across a network within an HTTP header. An MD5 hash, also known as the MD5 message-digest, is created by an HTTP 1.1 compliant browser such as Internet Explorer 5.0 and above, using the MD5 message-digest algorithm as defined in the RFC 1321 specification located at the World Wide Web Consortium Web site.
Note
The MD5 hash is a security improvement over base64-encoded clear-text passwords, because base64-encoded passwords that are intercepted with a network sniffer are trivial for an unauthorized person to decode and use. A user name and password that are encrypted using the MD5 message-digest algorithm cannot feasibly be decrypted from the hash.
An MD5 hash contains a user's name, password, and the name of the realm. The realm is the domain that will authenticate or reject the user's credential. The user's credential is the password that is encrypted within the MD5 hash.
For information about setting the realm name on an IIS server, see Configuring Digest Authentication or Configuring Advanced Digest Authentication.
MD5 Hash Properties
An MD5 hash consists of a small amount of binary data, typically no more than 160 bits, and is sent across the network within an HTTP header. All hash values share the following properties:
For more information about the MD5 hash (message-digest) algorithm, search for RFC 1321 at the World Wide Web Consortium Web site.