Bugtraq mailing list archives

Re: MD5 To Be Considered Harmful Someday

From: Gandalf The White <gandalf () digital net>
Date: Tue, 07 Dec 2004 22:36:27 -0600

Greetings and Salutations:

In my first e-mail I meant to congratulate Dan Kaminsky for the fine work
and write-up he did.  Excellent.

On 12/7/04 10:01 PM, "David Schwartz" <davids () webmaster com> wrote:

From my reading it appears that you need the original source to create the
doppelganger blocks.  It also appears that given a MD5 hash you could not
create a input that would give that MD5 back.  Passwords encoded with MD5
would not fall prey to your discovery.  Is this correct?


Correct. You will never be able to find the input given an MD5 hash. It
might be possible to, eventually, come up with an input that has the same
hash given just the hash, but you could never know if that was the original
input or not. (At least, not in general.)


That is the worry that I have for MD5 hashed passwords.  It doesn't matter
that you get the *correct* password, just that you have input that will hash
(collide) to the correct MD5 hash.

What I am worried about is the integrity of MD5 hashed passwords.  This
concern is for both Cisco and *NIX passwords.  Lets say that I have a
password:
"ThisIsMySecretPassphrase" MD5 = $1$Vjuf$t5QYnzXL0Sy4tThvqKDGa1

Lets say that I am very smart and I can use software that is able to
generate a collision in the passwords such that the MD5 hashes are the same,
say for example:
"AshEr37WesW28Er4E2" MD5 = $1$Vjuf$t5QYnzXL0Sy4tThvqKDGa1

It does not matter that I don't know the correct password, I have a password
that collides into the correct hash.  I can log into the system with my
generated password.

I just want to make sure that the MD5 hash passwords don't end up being as
easy to compute as the Cisco 7 passwords or the NTLM passwords.  It actually
is beginning to sound like there might be enough of a hole in MD5 that "we"
(collectively) had better start working on SHA-2 hashed passwords ...

Ken

---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf () digital net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html

Current thread:

MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 07)
- Re: MD5 To Be Considered Harmful Someday Gandalf The White (Dec 07)
  - Re: MD5 To Be Considered Harmful Someday Tim (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Dragos Ruiu (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday David F. Skoll (Dec 08)
  - Re: MD5 To Be Considered Harmful Someday Joel Maslak (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Steve Friedl (Dec 08)
  - RE: MD5 To Be Considered Harmful Someday David Schwartz (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Gandalf The White (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Keith Oxenrider (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Paul Wouters (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Paul Wouters (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Adam Shostack (Dec 09)
    - Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
    - Re: MD5 To Be Considered Harmful Someday Pavel Kankovsky (Dec 09)
    - Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 13)
    - Re: MD5 To Be Considered Harmful Someday George Georgalis (Dec 08)

(Thread continues...)