
Bugtraq mailing list archives
Re: MD5 To Be Considered Harmful Someday
From: Gandalf The White <gandalf () digital net>
Date: Tue, 07 Dec 2004 22:36:27 -0600
Greetings and Salutations:

In my first e-mail I meant to congratulate Dan Kaminsky for the fine work
and write-up he did. Excellent.

On 12/7/04 10:01 PM, "David Schwartz" <davids () webmaster com> wrote:

>> From my reading it appears that you need the original source to create the
>> doppelganger blocks. It also appears that given a MD5 hash you could not
>> create an input that would give that MD5 back. Passwords encoded with MD5
>> would not fall prey to your discovery. Is this correct?

> Correct. You will never be able to find the input given an MD5 hash. It
> might be possible to, eventually, come up with an input that has the same
> hash given just the hash, but you could never know if that was the original
> input or not. (At least, not in general.)

That is the worry that I have for MD5 hashed passwords. It doesn't matter
that you get the *correct* password, just that you have input that will hash
(collide) to the correct MD5 hash.

What I am worried about is the integrity of MD5 hashed passwords. This
concern is for both Cisco and *NIX passwords. Let's say that I have a
password:

"ThisIsMySecretPassphrase" MD5 = $1$Vjuf$t5QYnzXL0Sy4tThvqKDGa1

Let's say that I am very smart and I can use software that is able to
generate a collision in the passwords such that the MD5 hashes are the same,
say for example:

"AshEr37WesW28Er4E2" MD5 = $1$Vjuf$t5QYnzXL0Sy4tThvqKDGa1

It does not matter that I don't know the correct password, I have a password
that collides into the correct hash. I can log into the system with my
generated password.

I just want to make sure that the MD5 hash passwords don't end up being as
easy to compute as the Cisco 7 passwords or the NTLM passwords. It actually
is beginning to sound like there might be enough of a hole in MD5 that "we"
(collectively) had better start working on SHA-2 hashed passwords ...

Ken

---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf () digital net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
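The two problems discussed in this message, finding any two inputs with the same hash versus finding an input that matches one fixed stored hash, compared as an added example that is not part of the original post. It assumes a toy digest (MD5 truncated to 16 bits) and generic brute-force search, not the cryptanalytic collision technique the thread refers to and not the salted, iterated $1$ crypt format; all names and sample secrets are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest size so both searches finish in seconds (assumption)

def toy_hash(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(data): a deliberately tiny stand-in digest."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def find_collision(tag: str, bits: int = BITS):
    """Searcher picks BOTH inputs: stop at the first repeated digest."""
    seen = {}
    for tries in count(1):
        msg = f"{tag}-{tries}".encode()
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg

def find_match_for_target(target: int, tag: str, bits: int = BITS):
    """Searcher must hit ONE fixed digest, e.g. a stored password hash."""
    for tries in count(1):
        msg = f"{tag}-{tries}".encode()
        if toy_hash(msg, bits) == target:
            return msg, tries

def compare(trials: int = 8, bits: int = BITS):
    """Average work for each search over several independent trials."""
    coll = match = 0
    for t in range(trials):
        coll += find_collision(f"c{t}", bits)[2]
        # Constructed sample secret standing in for a stored password.
        stored = toy_hash(f"constructed-secret-{t}".encode(), bits)
        match += find_match_for_target(stored, f"g{t}", bits)[1]
    return coll / trials, match / trials

if __name__ == "__main__":
    c, m = compare()
    print(f"{BITS}-bit digest: collision ~{c:.0f} tries, fixed target ~{m:.0f} tries")
```

For an n-bit digest the generic costs scale as roughly 2^(n/2) tries for a collision and 2^n for a fixed target, which is the gap the averages printed here make visible at n = 16.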
