Vulnerability Development mailing list archives

Re: Hashes,File protection,etc

From: Valdis.Kletnieks () vt edu
Date: Tue, 15 Oct 2002 12:27:39 -0400

On Tue, 15 Oct 2002 15:39:50 BST, Roland Postle <mail () blazde co uk>  said:

   MD5 has an output of 128 bits, which I think is too small for
 good security.  A collision can be found by brute force in 2**64
 operations.


Assuming 10,000 trials a second, this will take 58,494,242 cpu *years*.
(an 'md5sum' of a 17M file on my laptop takes 0.110 seconds on a 1.6G Pentium4,
so 10K/sec trials of 17K texts is "in the ballpark" - even assuming a processor
that's 10x faster gets you down only to 5M cpu-years).

And notice that this is "a collision".  At that point, you have 2 essentially
random plaintexts that happen to have the same MD5 hash, and said hash is
unrelated to anything else.  Most likely, neither one resembles *in the
slightest* something "reasonable" (for instance, if you're expecting a 1.8M
source tarball, it should be in tar format and somewhere near 1.8M in size).
Forcing a collision to *a specific known hash* is a lot harder - and at that
point you'll probably still have an essentially random file.  And unlike
beating a CRC-32, there's probably no efficient way to take a *given* file, and
find a way to *modify* that file and still maintain the SAME md5sum.

And remember that 58 million CPU years is *per collision*.  Are there *any*
targets who's threat model *really* includes this?  Probably not for private
individuals - there's cheaper ways to do it (Marcus Ranum's "rubber hose
cryptography" and related methods).  Inter-bank encryption codes?  If they
change them once per year, you'll need a 50 million CPU machine for it to
do you any good.  I suspect even nuclear launch codes can be obtained with
less investment of resources....

So - do *YOU* have anything secured by an md5sum that's worth 58 million
cpu-years to break?  If you don't, then md5 is 'secure enough'.  If you do,
I hope you have all the physical security issues and personnel security
issues dealt with... :)
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: _bin
Description:

Current thread:

Re: /instmsg/alias/annoying_web_logs ;), (continued)
- - - Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
    - Re: /instmsg/alias/annoying_web_logs ;) Dave Aitel (Oct 15)
    - Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
    - RE: /instmsg/alias/annoying_web_logs ;) Elan Hasson (Oct 15)
    - RE: /instmsg/alias/annoying_web_logs ;) Dave Aitel (Oct 16)
    - Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 16)
    - Re: /instmsg/alias/annoying_web_logs ;) Chip McClure (Oct 15)
    - RE: /instmsg/alias/annoying_web_logs ;) Shawn K. Hall (RA/Security) (Oct 20)
    - Re: Hashes,File protection,etc Tony (Oct 15)
    - Re: Hashes,File protection,etc Roland Postle (Oct 15)
    - Re: Hashes,File protection,etc Valdis . Kletnieks (Oct 15)
    - Re: Hashes,File protection,etc Roland Postle (Oct 16)
    - Re: Hashes,File protection,etc Valdis . Kletnieks (Oct 16)
    - Re: Hashes,File protection,etc Bob Mathews (Oct 16)
    - Re: Hashes,File protection,etc Jose Nazario (Oct 15)
    - Re: Hashes,File protection,etc Valdis . Kletnieks (Oct 15)
    - RE: Hashes,File protection,etc Rich Cower (Oct 15)
    - Re: Hashes,File protection,etc Eric Fritzges (Oct 15)
    - Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
    - Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
  - RE: CROSS SITE-SCRIPTING Protection with PHP Rob Shein (Oct 12)

(Thread continues...)