oss-sec mailing list archives

Re: is MD5 finally dead?


From: Michael Samuel <mik () miknet net>
Date: Wed, 5 Nov 2014 16:03:44 +1100

On 5 November 2014 15:45, Alex Gaynor <alex.gaynor () gmail com> wrote:
> As far as I can tell, HMAC doesn't actually require pre-image resistance,
> it requires that the compression function used by the hash be a PRF -- or at
> least that's what the HMAC paper says. Are these two formulations
> equivalent?

HMAC fits in the unknown-prefix category when used correctly.

Not sure about general proofs, but the current collision attacks on MD5 won't
work without knowing the IHV ahead of time, and if you know the HMAC key
you don't need collisions.

In the case of an unknown-prefix, HMAC[1] or anything requiring a
preimage, it's just hardening to swap out MD5 (and SHA-1).

[1] Unless you accidentally swap the key and data fields!

And to elaborate - if you swap the key and data fields, you can use a normal
md5 collision, then XOR against opad.
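The swapped-fields footnote above, as an added example that is not part of the original post or of any project's code. It uses Python's standard hmac and hashlib modules with the published two-block MD5 collision pair of Wang et al., and takes the long-key route rather than the single-block opad XOR described in the post: HMAC replaces any key longer than the 64-byte block with its MD5 digest before use, so two colliding 128-byte messages placed in the key slot reduce to the same 16-byte key and yield the same tag over any data. With the key in its proper slot the same pair gets different tags, because the inner hash starts from a keyed state the collision was not built for. The secret key and the message text are constructed for the example; hmac_md5_manual is a hypothetical helper written out only to show where the key enters.

```python
import hashlib
import hmac

# Published two-block MD5 collision pair (Wang et al.): 128 bytes each,
# differing in six bytes, sharing one MD5 digest.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

BLOCK = 64  # MD5 block size in bytes

# Constructed inputs for the example: a secret the attacker never learns,
# and some data to authenticate.
SECRET_KEY = b"constructed-secret-key-for-the-example"
DATA = b"constructed message body"


def md5_collides() -> bool:
    """The pair is distinct but has a single MD5 digest."""
    return M1 != M2 and hashlib.md5(M1).digest() == hashlib.md5(M2).digest()


def hmac_md5(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 via the standard library."""
    return hmac.new(key, data, hashlib.md5).digest()


def hmac_md5_manual(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 as in RFC 2104, written out to show where the key enters.

    A key longer than one block is replaced by its MD5 digest first; the
    inner hash then starts by compressing (key XOR ipad), so its chaining
    value (the IHV) depends on the key and is unknown to an attacker.
    """
    if len(key) > BLOCK:
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(k_ipad + data).digest()
    return hashlib.md5(k_opad + inner).digest()


def correct_usage_distinguishes(key: bytes) -> bool:
    """Key in the key slot: the colliding messages get different tags,
    because the collision only holds from MD5's fixed IV, not from the
    keyed IHV the inner hash actually starts at."""
    return hmac_md5(key, M1) != hmac_md5(key, M2)


def swapped_usage_collides(data: bytes) -> bool:
    """Messages in the key slot: both 128-byte 'keys' exceed the block
    size, are pre-hashed to the same 16 bytes, and so give the same tag
    over any data. Swapping the fields turns a plain MD5 collision into
    an HMAC collision."""
    return hmac_md5(M1, data) == hmac_md5(M2, data)


if __name__ == "__main__":
    print("MD5 pair collides:          ", md5_collides())
    print("HMAC, key in key slot, differs:", correct_usage_distinguishes(SECRET_KEY))
    print("HMAC, fields swapped, collides:", swapped_usage_collides(DATA))
    print("manual HMAC matches hmac module:",
          hmac_md5_manual(M1, DATA) == hmac_md5(M1, DATA))
```

Note that swapped_usage_collides holds for every value of data, not just the constructed one, since the two keys have already become identical before any data is processed; this is the long-key path and is independent of the opad trick in the post, which applies to a key that fits in a single block.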

