A company I recently worked for had a web service that they were securing with an md5 function. e.g.
The idea is that each user will be identified and basically 'logged on' to the service via a 16-character key that only they have. This 'security mechanism' works by computing the md5 of the request and the key, e.g.
url - http://webservice.com/servicefunction.xml?id=123&msg=Hello&md5=a0dd9f...-the generated md5 function..
(where it is a build of the request along with the key appended at the end. This is re-built on the server by re-generating the md5 and looking for a hash match.)
md5 = id123msgHelloa0dd9f...
I realize that this can be brute-forced, much like people are putting together rainbow tables and massive databases for passwords. However, the computational time to do something like this requires some serious processing power. But the potential list of matches as a result of the brute force is relatively small, and can be tried one-by-one until a successful response is generated by the server.
The other thing is - since you already know everything that went into the md5 hash, including the md5 result, directly in the url, is it possible to create a tunneling program much like the way people are building md5 collision programs, to accomplish the same task of finding the 4-5 unknown blocks that went into the md5? I would expect if that is possible, it should generate a list of possible keys just like standard brute forcing, and also take considerably less processing time... but is that a possibility?
What are your suggestions? Is it reasonable to suggest that using md5 hashes in this manner to secure a web service is inherently insecure? And, is there a better mechanism as an alternative security option than public/private key encryption in this case?
Thank you all for your input and suggestions...
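
The check described in the post, next to a standard keyed-hash construction, as an added example that is not part of the original post: `legacy_tag` rebuilds the MD5 of the run-together parameters with the key appended, and `hmac_tag` uses HMAC-SHA256 (a swapped-in construction the post does not mention) over a delimited encoding. The key value, the function names and the `mac` field name are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

KEY = b"0123456789abcdef"  # constructed 16-character per-user key (sample value)

def legacy_tag(params, key):
    """Scheme from the post: MD5 of the name/value pairs run together, key appended."""
    material = "".join(f"{k}{v}" for k, v in params).encode() + key
    return hashlib.md5(material).hexdigest()

def hmac_tag(params, key):
    """Keyed construction: HMAC-SHA256 over a delimited, sorted encoding."""
    canonical = urlencode(sorted(params)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def sign(params, key, tag_fn, field):
    """Client side: append the tag to the query string under `field`."""
    return urlencode(params + [(field, tag_fn(params, key))])

def verify(query, key, tag_fn, field):
    """Server side: rebuild the tag from the received parameters and compare."""
    pairs = parse_qsl(query, keep_blank_values=True)
    supplied = [v for k, v in pairs if k == field]
    params = [(k, v) for k, v in pairs if k != field]
    if len(supplied) != 1:  # reject a missing or repeated tag
        return False
    expected = tag_fn(params, key)
    # Constant-time comparison, so the check does not leak how many characters matched.
    return hmac.compare_digest(supplied[0].encode(), expected.encode())

if __name__ == "__main__":
    request = [("id", "123"), ("msg", "Hello")]  # the request from the post
    # A different request whose run-together form is also "id123msgHello".
    reshaped = "id=123msgHello"
    for name, fn, field in (("md5", legacy_tag, "md5"), ("hmac", hmac_tag, "mac")):
        tag = fn(request, key=KEY)
        print(name, "original verifies:", verify(sign(request, KEY, fn, field), KEY, fn, field))
        print(name, "reshaped verifies:", verify(f"{reshaped}&{field}={tag}", KEY, fn, field))
```

Running the parameters together without delimiters means the tag does not bind parameter boundaries, which the delimited encoding in `hmac_tag` does.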