Vulnerability Development mailing list archives

RE: Hashes,File protection,etc


From: "Rich Cower" <cower () mindspring com>
Date: Tue, 15 Oct 2002 12:37:12 -0700

Berson attempted a differential cryptanalysis against a single round (MD5 has
4 rounds), but this attack is ineffective on all four rounds. Bosselaers and
den Boer produced an attack that does produce collisions using the compression
function. This doesn't lend itself to attacks of MD5, but it does demonstrate
that the design principle of producing a collision resistant compression
function was violated.

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Tuesday, October 15, 2002 8:46 AM
To: Tony
Cc: vuln-dev () securityfocus com
Subject: Re: Hashes,File protection,etc


On Mon, 14 Oct 2002 17:04:37 EDT, Tony said:

Does anyone have a reference/link to any well known md5 vulnerabilities.
I remember reading something about them awhile back but couldn't google
up anything. Also, are there any arguments *against* using md5? Should
persons be using sha1 instead?

As far as I know, nobody has managed to produce an actual MD5 hash collision.
Unless there's a *really major* break, which would be Big News, the resources
needed to exploit md5 itself are *waaay* past any that any attacker might have
access to.  The *BIG* vulnerability is the same as it's always been - if the
attacker can replace the foobar.tar.gz file with a trojaned copy, they can
replace the plaintext file that has the checksums in it too.  A bigger worry
is that people won't even bother checking - a little birdie told me that the
recent Sendmail trojan was out there for a week mostly because *nobody
bothered checking the md5sum*.

Bottom line - given current state-of-the-art, even *IF* there exists somebody
who can actually exploit MD5 itself, it would be much easier for them to
arrange things so you were comparing the trojaned file against a trojaned
checksum....
--
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
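
Added example, not part of the original messages: a sketch of the point made above about the checksum file sitting beside the download. The dict-based "mirror", the file contents and the choice of SHA-256 are constructed assumptions; the comparison works the same way for md5sum output.

```python
import hashlib
import hmac

def parse_sums(sums_text):
    """Parse md5sum/sha256sum-style lines: '<hex digest>  <filename>'."""
    table = {}
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            # A leading '*' on the name marks binary mode in the *sum tools.
            table[parts[1].lstrip("*").strip()] = parts[0].lower()
    return table

def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()

def check_against_listing(mirror, name, algo="sha256"):
    """Compare the file with the checksum list served from the SAME mirror."""
    expected = parse_sums(mirror["SUMS"].decode()).get(name)
    return expected is not None and hmac.compare_digest(
        expected, digest(mirror[name], algo))

def check_against_pin(mirror, name, pinned, algo="sha256"):
    """Compare the file with a digest obtained over a separate channel."""
    return hmac.compare_digest(pinned.lower(), digest(mirror[name], algo))

def make_mirror(name, payload, algo="sha256"):
    """Constructed stand-in for a download site: one file plus its checksum list."""
    sums = f"{digest(payload, algo)}  {name}\n".encode()
    return {name: payload, "SUMS": sums}

NAME = "foobar.tar.gz"
clean = make_mirror(NAME, b"constructed release contents")
# Whoever can overwrite the file can regenerate the checksum list beside it.
tampered = make_mirror(NAME, b"constructed modified contents")
# Digest recorded from a separate channel while the mirror was still clean.
PINNED = digest(clean[NAME])

def run_demo():
    return {
        "clean_listing": check_against_listing(clean, NAME),
        "tampered_listing": check_against_listing(tampered, NAME),
        "clean_pin": check_against_pin(clean, NAME, PINNED),
        "tampered_pin": check_against_pin(tampered, NAME, PINNED),
    }

if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

Only the pinned comparison reports a mismatch for the tampered mirror; the co-located checksum list matches in both cases.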


