RE: MD5 To Be Considered Harmful Someday

["David Schwartz" <davids () webmaster com>]

> From my reading it appears that you need the original source to create the
> doppelganger blocks.  It also appears that given a MD5 hash you could not
> create a input that would give that MD5 back.  Passwords encoded with MD5
> would not fall prey to your discovery.  Is this correct?

        Correct. You will never be able to find the input given an MD5 hash. It
might be possible to, eventually, come up with an input that has the same
hash given just the hash, but you could never know if that was the original
input or not. (At least, not in general.)

> Unfortunately when "The Press" publicized the MD5 hash discovery
> by Joux and Wang it almost sounded like "The Press" was
> surprised to find collisions in the MD5 domain

        Lots of people were surprised. We all knew we were there, and we all knew
they'd be found eventually. I don't think many people suspected, however,
that they would be found quite so soon. Some of the early "mainstream"
articles missed the boat, of course.

> (intuitive to me, a limited number of outputs and
> a infinite
> number of inputs = Collisions).  I assume that a "good" hash would have a
> even distribution of collisions across the domain and that the
> larger number
> of bits for the output the better the hash (assuming no cryptographic
> algorithm errors).

        Yes. At this point, MD5 should no longer be used for applications where an
adversary might have access to the data that is being signed. That means
it's no longer suitable for signing certificates or authenticating data sent
over a peer-to-peer network. SHA1 with 160-bits is still, as far as we know,
suitable for all of these purposes.

        I generally advise not using MD5 for any applications except (P)RNGs and as
a non-cryptographically-secure checksum.

        DS