Don't click here unless you want to be banned.

LSL Wiki : llMD5String

HomePage :: PageIndex :: RecentChanges :: RecentlyCommented :: UserSettings :: You are
string llMD5String(string src, integer nonce)

Performs a RSA Data Security, Inc. MD5 Message-Digest Algorithm on string with nonce (also known as salt). Returns a 32-character hex string. (128-bit in binary.)

The actual string used for calculating the MD5 checksum is src + ":" + (string)nonce. Take note of this if you need to check your MD5 hash outside of SL, such as within a server-side script!

llSay(0, llMD5String("Hello, Avatar!", 0)); // returns 112abd47ceaae1c05a826828650434a6

Same string on a completely different system returns the same checksum (when used with the same nonce):
$ echo -n 'Hello, Avatar!:0' | openssl md5
Example usage, with php:
$nonce = 0;
encoded = md5('Hello, Avatar!'.':'.$nonce);
echo encoded;

Q & A

Q: Wait, isn't 32 hex characters 512 bits in binary? (32 * 16 = 512)
A: No, because hex is Base 16, and binary Base 2, meaning a hex character is 4 bits. (See the hexadecimal entry.)

Q: What the hell's a "nonce"?
A: In computer security, a "nonce" is a 'number used once'. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in 'repeat attacks'. So if you wanted to have two scripts talking to each other with secure communications, you might want to consider doing something with llFrand (don't use something easily predictable like the time).
Coincidentally, "nonce" is also a good old word that means 'right now' or 'temporarily', as in, "Are we seriously going to hold it together with duct tape and bubble gum?" "For the nonce!" The etymology of the computer security term is unrelated.

Q: What encoding is used?
A: The result is the MD5 hash of the UTF-8 encoded form of the string.

Q: What happens if UTF-16 characters are passed to it?
A: UTF-16 is an encoding, not a type of character. The elements of LSL strings are Unicode characters. When passed to this call (and also presumable to the base64 encoding calls), the characters are encoded as UTF-8. UTF-8 can represent all Unicode characters. For example the INFINITY symbol is Unicode code point U+221E and is encoded in UTF-8 as the three byte sequence 0xE2 0x88 0x9E.

Functions | Communications | Crypto | MD5
Comments [Hide comments/form]
The nonce feature is absurd: For many applications you don't want it as you want to MD5 a particular string. And if one wanted to use a nonce like feature, then it turns out this is a poor one: You'd be much better off prepending a nonce than postpending it due to the way MD5 works.
-- ZarfVantongerloo (2005-07-24 09:04:24)
I added a heads-up message to the line stating how the nonce is appended. I needed to know that info for my sales tracking DB, but for some reason, every time I read this page my brain managed to tune out that line as irrelevant technical jargon. Arito Cotton finally pointed it out to me, telling me that the exact same thing had happened to him. =P
-- BeatfoxXevious (2005-11-19 15:03:02)
Is it wise to use this MD5 string on your password and pass the Nonce along with the encoded message to another object in an email? My concern here is that anyone would recognize that all passwords to decrypt a message would be 32 characters long and only contain hex characters. On the other hand, the random Nonce would allow me to change what is used as the password each time, without comprimising the real one. Still, if one digest is grabbed from the encoded message, someone could always pass the same Nonce on there own messages xored with the same digest.
-- DedricMauriac (2006-03-26 15:33:11)
MD5 is pretty weak altogether for security. It's a lot better than nothing, if you plan on doing any steady communication. True, a good hacker can sniff and spoil it pretty quick - especially if they have a publicly available pattern. But, at least it's something over clear text.
-- RobKubrick (2007-01-17 05:41:59)
Attach a comment to this page: