Vulnerability Development mailing list archives

Re: Hashes,File protection,etc


From: "Roland Postle" <mail () blazde co uk>
Date: Tue, 15 Oct 2002 15:39:50 +0100

Does anyone have a reference/link to any well known md5 vulnerabilities.
I remember reading something about them a while back but couldn't google
up anything. Also, are there any arguments *against* using md5? Should
persons be using sha1 instead?

Personally I'd be interested in not so well known md5 vulns too :D

From
http://www.mirrors.wiretapped.net/security/cryptography/hashes/papers/md5-vs-sha.txt :

">-cryptanalysis ( is it safe)
 
   There is a known way of finding "pseudo collisions" for MD5.
Another term for this is that there's a free-start collision attack
against the compression function on MD5.  This doesn't seem to
translate into an attack on MD5 as it's actually used.
 
   There appears to be some kind of problem with SHA, as well.  The
NSA / NIST are working on a redesign.  Nobody seems to be talking
about what the problem is, though.
 
-brute force attacks (to make the same hash of a different message)
 
   MD5 has an output of 128 bits, which I think is too small for
 good security.  A collision can be found by brute force in 2**64
 operations.

...

If both algorithms are flawless, SHA will require 2**80
ops to generate a hash collision, and MD5 will require 2**64" 


The pseudocollisions paper is here
http://www.esat.kuleuven.ac.be/~cosicart/ps/AB-9300.ps.gz

then Hans Dobbertin extended the attack to proper collisions in md5's
compression function

http://www-cse.ucsd.edu/users/bsy/dobbertin.ps

He also wrote the summary 'The Status of MD5 After a Recent Attack'

ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf

If I understand correctly this means that md5 is 'one step away' from
being cracked wide open. I'd use SHA if I were you ;)

- Blazde
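The "2**64 for MD5, 2**80 for SHA" figures quoted in this post are the generic birthday bound, which depends only on the digest length, not on any weakness in the algorithm. The following script is an added illustration, not code from the post or from the linked papers; it truncates real MD5 and SHA-1 digests to toy sizes (a constructed experiment, not an attack on either hash), finds collisions by brute force, and compares the measured work against sqrt(pi/2 * 2**n). The message format `prefix + counter` and the run counts are arbitrary choices of the example.

```python
import hashlib
import math
from itertools import count


def expected_trials(bits: int) -> float:
    """Birthday bound for an n-bit hash: about sqrt(pi/2 * 2**n) random inputs
    before two of them share a digest. Algorithm-independent, so this is the
    'both algorithms are flawless' figure the thread quotes."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_digest(alg: str, msg: bytes, bits: int) -> int:
    """Leading `bits` bits of alg(msg) as an integer. Truncation makes the
    output space small enough that the experiment finishes in milliseconds
    instead of the 2**64 operations a full 128-bit digest would need."""
    digest = hashlib.new(alg, msg).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def birthday_collision(alg: str, bits: int, prefix: bytes = b"msg-") -> tuple[int, bytes, bytes]:
    """Hash distinct inputs prefix+counter (a constructed message format)
    until two share a truncated digest.
    Returns (number of inputs hashed, first input, second input)."""
    seen: dict[int, bytes] = {}
    for i in count():
        msg = prefix + str(i).encode()
        d = truncated_digest(alg, msg, bits)
        if d in seen:
            return i + 1, seen[d], msg
        seen[d] = msg


def average_trials(alg: str, bits: int, runs: int = 50) -> float:
    """Mean number of inputs hashed before a collision, averaged over
    independent runs that use different message prefixes."""
    total = 0
    for r in range(runs):
        trials, _, _ = birthday_collision(alg, bits, prefix=f"run{r}-".encode())
        total += trials
    return total / runs


def main() -> None:
    # Toy sizes: measured averages track sqrt(pi/2 * 2**n) for both algorithms,
    # i.e. the generic bound does not care whether the digest came from MD5 or SHA-1.
    for bits in (16, 20):
        for alg in ("md5", "sha1"):
            print(f"{alg:5s} {bits:2d}-bit: measured {average_trials(alg, bits):8.1f}"
                  f"  predicted {expected_trials(bits):8.1f}")
    # Full-size digests: the figures quoted in the thread (2**64 and 2**80)
    for alg, n in (("md5", 128), ("sha1", 160)):
        print(f"{alg:5s} {n}-bit: ~2**{math.log2(expected_trials(n)):.1f} hashes")


if __name__ == "__main__":
    main()
```

Running it shows the measured collision cost for 16-bit and 20-bit truncations landing near 321 and 1284 hashes respectively, for MD5 and SHA-1 alike; scaling the same formula to the full digest gives roughly 2**64.3 for 128 bits and 2**80.3 for 160 bits. The Dobbertin results linked above are a separate matter: they exploit the structure of MD5's compression function to do better than this generic bound, which is why output length alone is not the whole story.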

