Full Disclosure mailing list archives

Re: MD5 algorithm considered toxic (and harmful)


From: Valdis.Kletnieks () vt edu
Date: Sat, 01 Dec 2007 22:08:38 -0500

On Sat, 01 Dec 2007 05:06:36 PST, Kristian Erik Hermansen said:
> I know of many commercial security products which still utilize MD5 to
> prove integrity of the data they distribute to customers.  This should
> no longer be considered appropriate.  Now that tools are readily
> available to exploit newer MD5 collision research, I think it is safe
> to say that the public should retire its usage for good.

Admittedly, MD5 is on its last legs.  However, please note that the current
state of the art for MD5 collisions is "create two plaintexts that collide
with the same (but unpredictable) MD5 hash".  That's what these binaries
demonstrate.

What is still *not* known to be doable is "given a plaintext that has a
pre-specified MD5 hash, compute a second plaintext with the same hash".
So publishing the MD5 hash of the binary is still safe - for now.

If I were a vendor, I'd be publishing both MD5 and SHA-256 for the data.

(Note that strictly speaking, what you *really* want is a PGP-signed or
otherwise authenticated MD5/SHA-256 hash.  Otherwise, if I'm an attacker,
I can just splat a new binary up, and a new MD5SUMS file that lists the
MD5 sum for the backdoored binaries.  If anything, more people manage to
screw *this* part up than the much lesser offense of still using MD5 rather
than something from the SHA-2 family)....
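
The two points Valdis makes above (a collision is two attacker-chosen inputs
with one unpredictable hash, not a second preimage for a hash someone else
published; and an unsigned MD5SUMS file next to the download protects
nothing) as an added example. This code is not part of the original thread.
The two 128-byte messages are the published Wang et al. MD5 collision pair,
which differ in six bytes; the "binaries", the MD5SUMS manifests, and the
pinned out-of-band SHA-256 are constructed here for illustration.

```python
import hashlib

# Published MD5 collision pair (Wang et al., 2004). Same MD5, different bytes.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collision_report(a: bytes = COLLIDING_A, b: bytes = COLLIDING_B,
                     suffix: bytes = b"") -> dict:
    """Compare two attacker-chosen inputs under MD5 and SHA-256.

    The pair is an identical-prefix collision: after both 64-byte blocks the
    MD5 internal state is the same, so appending the same suffix to both
    keeps the MD5 collision while SHA-256 still tells them apart. Nothing
    here lets an attacker hit an MD5 value chosen by someone else first.
    """
    a, b = a + suffix, b + suffix
    return {
        "inputs_differ": a != b,
        "md5_equal": md5_hex(a) == md5_hex(b),
        "sha256_equal": sha256_hex(a) == sha256_hex(b),
        "md5": md5_hex(a),
    }


def parse_md5sums(text: str) -> dict:
    """Parse md5sum(1)-style lines: '<hex>  <file>' or '<hex> *<file>'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        table[name.lstrip("*")] = digest.lower()
    return table


def naive_verify(name: str, data: bytes, manifest_text: str) -> bool:
    """Trusts whatever MD5SUMS file sits beside the download (the mistake
    Valdis describes): an attacker who replaces the binary replaces this too."""
    return parse_md5sums(manifest_text).get(name) == md5_hex(data)


def pinned_verify(data: bytes, pinned_sha256: str) -> bool:
    """Checks against a digest obtained through an authenticated channel
    (a PGP-signed hash file, a signed release announcement) that a mirror
    cannot rewrite. Signature checking itself is out of scope here."""
    return sha256_hex(data) == pinned_sha256.lower()


# Constructed scenario (not real software): the vendor ships GENUINE; an
# attacker puts BACKDOORED and a matching unsigned MD5SUMS on a mirror.
GENUINE = b"\x7fELF" + b"constructed genuine release build\n"
BACKDOORED = GENUINE + b"constructed attacker-added bytes\n"
VENDOR_MANIFEST = f"{md5_hex(GENUINE)}  product-1.0.bin\n"
ATTACKER_MANIFEST = f"{md5_hex(BACKDOORED)}  product-1.0.bin\n"
PINNED_SHA256 = sha256_hex(GENUINE)  # assumed published out of band, signed


def scenario() -> dict:
    return {
        "naive_passes_on_attacker_mirror":
            naive_verify("product-1.0.bin", BACKDOORED, ATTACKER_MANIFEST),
        "pinned_rejects_backdoor": not pinned_verify(BACKDOORED, PINNED_SHA256),
        "pinned_accepts_genuine": pinned_verify(GENUINE, PINNED_SHA256),
    }


if __name__ == "__main__":
    print(collision_report())
    print(collision_report(suffix=b"common trailer"))
    print(scenario())
```

The first function shows what the collision tools Kristian refers to give an
attacker: two files with one MD5 that the attacker did not get to choose, and
that SHA-256 immediately separates. The scenario shows why the hash list
itself has to be authenticated: the naive check passes on the attacker's
mirror because the attacker wrote the MD5SUMS file, while a digest pinned
through a signed channel rejects the altered binary regardless of which hash
function the mirror lists.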

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/