I'm in a game company, and we use md5 algorithm to do the charge order check.
Here is how we do it:
On both the Pay-center server and our game server there is a common "secret-key".
Pay-center send an add game coin request to our game server.
In which there are many conventional parameters and a special parameter named "sign"When we received a request on the game server, we use md5("all the conventional parameters" + "secret key") to produce a result.
If the result is equal to "sign" parameter, we'll consider this charge order a valid one.
My question are:
If someone blindly using a random-generated "pseudo-secret-key" to doing md5 computation with all other parameters to produce a sign.
And by coincidence, he made a valid sign with one of his "pseudo-secret-key".
How many times does he need to try to produce a valid sign for each group of "conventional parameters"?
How many chances are there the
pseudo-secret-key
is identical to my originalsecret-key
when it happens to produce a validsign
?If the
pseudo-secret-key
is different with my originalsecret-key
, is it nearly impossible to use thepseudo-key
to produce a valid sign using another different combinations ofconventional parameters
?
The basic: md5 hash result is uniformly distributed. That's a chance of 1 out of 2^128.
t
attempts :1 - (1 - 1 / (2 ^ 128)) ^ t
. For example, after 2^128 attempts he has a chance of about 1/3.1/(2^128)
.