
Analysis of MD5 Algorithm

This document analyzes the security of using the MD5 algorithm for hashing passwords in a patient healthcare management information system. It discusses the avalanche effect of MD5 hashes under different tests and shows average results in a table. While MD5 is useful for hashing passwords to prevent access to plaintext passwords, it has vulnerabilities that could allow passwords to be cracked. Alternative techniques are suggested to counter the vulnerabilities of MD5 for secure password storage.

Analysis of MD5 Algorithm Security in Password Storage of Patient Healthcare Management Information System


Glenn Garma, Jake Catembung, Kenneth Arucan, Glydel Guillermo, Micaella Nitura

College of Computing Studies, Information and Communication Technology


Isabela State University (ISU) Cauayan City Campus
Cauayan City, Isabela, Philippines

Abstract- Hashing algorithms have been deployed in different security applications. One implementation of a hashing algorithm is in
password storage. It works by converting the password into a hash code which theoretically cannot be deciphered. When sensitive
information is concerned, it is crucial to protect its content. This paper analyses the security of the MD5 algorithm in hashing user
passwords in a Patient Healthcare Management Information System (PHMIS). We show the Avalanche Effect of different tests and
their average. We discuss the vulnerabilities of MD5 and suggest techniques to counter these vulnerabilities.

Index Terms- Avalanche Effect; Hashing; MD5; Message Digest

I. INTRODUCTION

Most web applications require information from the user to authenticate their access using a username and a password. These
credentials are stored in a database and are compared with the information the user supplies to log into the system. If the
credentials match, the user is granted access to the application. But if the database that contains the passwords is compromised, the
attackers can gain access to the users’ account information. Nowadays, a password is stored in a database securely by using hashing
algorithms to convert its plaintext into a hash.

II. HASH FUNCTION

A hash is a one-way function that transforms a plaintext into a fixed-size hash which is computationally infeasible to invert
back to the original plaintext. A hash acts like a fingerprint of the data. If the original data is altered, even by only adding a period, the
result is a mostly different hash which no longer matches that of the original data. This happens because of the Avalanche Effect, as
seen in Figure 1.

Figure 1. Avalanche Effect

A. MD5
MD5 (Message Digest Algorithm 5) is a hash function that produces a 128-bit hash value. It was designed by Ronald Rivest in
1991 and is widely used in many security applications. It works by operating on a message 512 bits at a time. The calculation of the
message digest begins by initializing a digest value to a constant. The digest value is combined with the first 512 bits of the message
to produce a new digest value. This new digest value is then combined with the next 512 bits of the message. This process continues
until the last block of the message. If the message is not up to 512 bits, it will be padded as shown in Figure 3.

Figure 2. Generation of message digest using MD5

Figure 3. Padding until length is multiple of 512-bits

III. APPLICATION OF MD5 IN THE PHMIS


Storing plaintext passwords in the database is highly insecure. If a database dump is obtained, attackers can easily log into the system
using the plaintext passwords in the dump. The Patient Healthcare Management Information System used the MD5 algorithm to
hash user passwords. This is done by hashing the password upon account creation and saving the hashed password in the database
instead of the plaintext password. During login, the input password is hashed in the same way, and the result is compared with the
hashed password in the database to authenticate the particular user.
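
The store-and-compare scheme described above is shown below next to a salted, deliberately slow alternative, together with an audit that lists accounts sharing a stored hash and a login routine that upgrades a legacy MD5 record once the correct password has been presented. This is an added example, not code from the paper or the PHMIS. The dictionary standing in for the user table, the account names, the record format and the iteration count are assumptions, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for whichever salted password-hashing function a deployment selects.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the deployment's hardware

def md5_store(password):
    """Scheme described in this section: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def kdf_store(password):
    """Hardened form: per-user random salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())

def verify(password, stored):
    """Check a password against either record format in constant time."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    return hmac.compare_digest(md5_store(password), stored)

def login(db, user, password):
    """Authenticate; on success, replace a legacy MD5 record with the salted form."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = kdf_store(password)
    return True

def shared_hashes(db):
    """Audit: groups of accounts whose stored value is byte-for-byte identical."""
    groups = {}
    for user, stored in db.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

if __name__ == "__main__":
    # Constructed user table: two accounts happen to use the same password.
    db = {"nurse_a": md5_store("Spring2024"), "nurse_b": md5_store("Spring2024")}
    print("identical records before upgrade:", shared_hashes(db))
    login(db, "nurse_a", "Spring2024")
    login(db, "nurse_b", "Spring2024")
    print("identical records after upgrade: ", shared_hashes(db))
```

With unsalted MD5 the two accounts are visibly linked in the table; after the upgrade each record carries its own salt and the audit returns an empty list.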

IV. ANALYSIS OF MD5 ALGORITHM IN THE PHMIS


The avalanche effect is a desirable property of cryptographic algorithms, typically block ciphers and hash functions. This phenomenon is
observed when a slight change in the plaintext results in a drastic change in the ciphertext. If a hash function exhibits the
Avalanche Effect to a significant degree, it has good randomization and predictions about the input are unlikely, which makes it
infeasible to completely break the algorithm. A good cipher satisfies an avalanche effect of greater than 50% according to the Strict
Avalanche Criterion (SAC). The avalanche effect is measured by computing the Hamming distance between the original plaintext and
the slightly altered plaintext and then dividing it by the total number of bits in the ciphertext.

Table 1 shows the avalanche effect and the average avalanche effect of 9 different test passwords in the PHMIS.
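
The measurement can be reproduced with a short script. The listing below is an added example, not the authors' test harness: it flips each bit of a password in turn, takes the Hamming distance between the MD5 digest of the original and the MD5 digest of the altered input, and divides by the 128 bits of the digest. The test passwords are constructed for illustration and are not the nine used for Table 1.

```python
import hashlib

def hamming_distance(a, b):
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data, bit_index):
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def avalanche(original, altered):
    """Fraction of the 128 MD5 output bits that differ between two inputs."""
    d1 = hashlib.md5(original).digest()
    d2 = hashlib.md5(altered).digest()
    return hamming_distance(d1, d2) / (len(d1) * 8)

def avalanche_profile(password):
    """Avalanche effect for every possible single-bit change to the password."""
    data = password.encode("utf-8")
    return [avalanche(data, flip_bit(data, i)) for i in range(len(data) * 8)]

def summarize(passwords):
    """Per-password (min, mean, max) rows plus the mean over all bit flips."""
    rows, everything = [], []
    for pw in passwords:
        profile = avalanche_profile(pw)
        everything.extend(profile)
        rows.append((pw, min(profile), sum(profile) / len(profile), max(profile)))
    return rows, sum(everything) / len(everything)

# Constructed test passwords; these are not the nine from the paper's Table 1.
SAMPLE_PASSWORDS = ["admin123", "Nurse2024", "p@tientRecord", "isu-cauayan"]

if __name__ == "__main__":
    rows, overall = summarize(SAMPLE_PASSWORDS)
    for pw, low, mean, high in rows:
        print(f"{pw:<15} min={low:.2%} mean={mean:.2%} max={high:.2%}")
    print(f"overall mean avalanche effect: {overall:.2%}")
```

A result near 50% describes how well the output bits are mixed; it does not measure how quickly candidate passwords can be hashed and compared against a stored value.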

V. CONCLUSION
Password encryption is a very important aspect of data security. Hashing the password before storing it in the database prevents
unauthorized users from seeing the plaintext password. This can be done by using the MD5 algorithm, which theoretically cannot be
deciphered.

ACKNOWLEDGMENT
The authors would like to acknowledge the support and assistance of relatives, friends, colleagues, and mentor.
