Re: is MD5 finally dead?

[Michael Samuel <mik () miknet net>]

Hi,

On 5 November 2014 15:21, Kurt Seifried <kseifried () redhat com> wrote:
> http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-same-md5.html
>
> It seems like MD5 should probably be classed with DES as instant CVE
> win, either now, or pretty soon....

This is the same chosen-prefix attack that was used to forge
certificates.  Using md5 in
a collision-hostile environment is definitely CVE worthy, and has been
for a while. (BTW,
no CVE for rsync yet)

In the case of an unknown-prefix, HMAC[1] or anything requiring a preimage, it's
just hardening to use swap out MD5 (and SHA-1).

[1] Unless you accidentally swap the key and data fields!