Bugtraq mailing list archives
RE: MD5 To Be Considered Harmful Someday
From: "David Schwartz" <davids () webmaster com>
Date: Tue, 7 Dec 2004 20:01:13 -0800
From my reading it appears that you need the original source to create the doppelganger blocks. It also appears that given a MD5 hash you could not create a input that would give that MD5 back. Passwords encoded with MD5 would not fall prey to your discovery. Is this correct?
Correct. You will never be able to find the input given an MD5 hash. It might be possible to, eventually, come up with an input that has the same hash given just the hash, but you could never know if that was the original input or not. (At least, not in general.)
Unfortunately when "The Press" publicized the MD5 hash discovery by Joux and Wang it almost sounded like "The Press" was surprised to find collisions in the MD5 domain
Lots of people were surprised. We all knew we were there, and we all knew they'd be found eventually. I don't think many people suspected, however, that they would be found quite so soon. Some of the early "mainstream" articles missed the boat, of course.
(intuitive to me, a limited number of outputs and a infinite number of inputs = Collisions). I assume that a "good" hash would have a even distribution of collisions across the domain and that the larger number of bits for the output the better the hash (assuming no cryptographic algorithm errors).
Yes. At this point, MD5 should no longer be used for applications where an adversary might have access to the data that is being signed. That means it's no longer suitable for signing certificates or authenticating data sent over a peer-to-peer network. SHA1 with 160-bits is still, as far as we know, suitable for all of these purposes. I generally advise not using MD5 for any applications except (P)RNGs and as a non-cryptographically-secure checksum. DS
Current thread:
- MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 07)
- Re: MD5 To Be Considered Harmful Someday Gandalf The White (Dec 07)
- Re: MD5 To Be Considered Harmful Someday Tim (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dragos Ruiu (Dec 08)
- Re: MD5 To Be Considered Harmful Someday David F. Skoll (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Joel Maslak (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Steve Friedl (Dec 08)
- RE: MD5 To Be Considered Harmful Someday David Schwartz (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Gandalf The White (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Keith Oxenrider (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Paul Wouters (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Paul Wouters (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Adam Shostack (Dec 09)
- Re: MD5 To Be Considered Harmful Someday Tim (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Pavel Kankovsky (Dec 09)
- Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 13)
- Re: MD5 To Be Considered Harmful Someday Gandalf The White (Dec 07)