
Bugtraq mailing list archives
RE: MD5 To Be Considered Harmful Someday
From: "David Schwartz" <davids () webmaster com>
Date: Tue, 7 Dec 2004 20:01:13 -0800
> From my reading it appears that you need the original source to create the doppelganger blocks. It also appears that given an MD5 hash you could not create an input that would give that MD5 back. Passwords encoded with MD5 would not fall prey to your discovery. Is this correct?

Correct. You will never be able to find the input given an MD5 hash. It might be possible to, eventually, come up with an input that has the same hash given just the hash, but you could never know if that was the original input or not. (At least, not in general.)

> Unfortunately when "The Press" publicized the MD5 hash discovery by Joux and Wang it almost sounded like "The Press" was surprised to find collisions in the MD5 domain

Lots of people were surprised. We all knew they were there, and we all knew they'd be found eventually. I don't think many people suspected, however, that they would be found quite so soon. Some of the early "mainstream" articles missed the boat, of course.

> (intuitive to me, a limited number of outputs and an infinite number of inputs = collisions). I assume that a "good" hash would have an even distribution of collisions across the domain and that the larger the number of bits for the output the better the hash (assuming no cryptographic algorithm errors).

Yes. At this point, MD5 should no longer be used for applications where an adversary might have access to the data that is being signed. That means it's no longer suitable for signing certificates or authenticating data sent over a peer-to-peer network. SHA1 with 160 bits is still, as far as we know, suitable for all of these purposes.

I generally advise not using MD5 for any applications except (P)RNGs and as a non-cryptographically-secure checksum.

DS
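The distinction the reply draws (collisions can be found, a preimage for a given hash cannot) and the quoted point about output width, as an added example that is not part of the thread: MD5 is truncated to 24 bits so that a birthday search for a collision and a capped search for a preimage both finish in seconds, and the expected work for each is computed for the full 128-bit width. The truncation width, the `msg-<n>` input format and the function names are assumptions of this example.

```python
import hashlib
import math
from typing import Optional, Tuple

# Assumption of this example: truncate MD5 to BITS bits so the two searches
# the reply distinguishes finish quickly. Full 128-bit output would need
# about 2^64 steps for a collision and 2^128 for a preimage.
BITS = 24

def trunc_hash(data: bytes, bits: int = BITS) -> int:
    """MD5 digest truncated to its top `bits` bits, returned as an int."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def candidate(i: int) -> bytes:
    """Distinct, deterministic inputs (constructed): a counter as bytes."""
    return b"msg-%d" % i

def find_collision(bits: int = BITS) -> Tuple[bytes, bytes, int]:
    """Birthday search: two different inputs with equal truncated hashes.
    Expected cost is about sqrt(pi/2 * 2^bits) hashes, i.e. ~2^(bits/2)."""
    seen = {}
    i = 0
    while True:
        m = candidate(i)
        h = trunc_hash(m, bits)
        if h in seen:                 # an earlier, different message hit h
            return seen[h], m, i + 1
        seen[h] = m
        i += 1

def find_preimage(target: int, budget: int,
                  bits: int = BITS) -> Tuple[Optional[bytes], int]:
    """Given only a hash, look for any input that maps to it. Expected cost
    is ~2^bits, so the work is capped; None means the budget ran out."""
    for i in range(budget):
        m = candidate(i)
        if trunc_hash(m, bits) == target:
            return m, i + 1
    return None, budget

def work_factor(bits: int) -> Tuple[float, float]:
    """Expected hash evaluations for (collision, preimage) at this width."""
    return math.sqrt(math.pi / 2 * 2 ** bits), float(2 ** bits)

if __name__ == "__main__":
    a, b, n = find_collision()
    print(f"collision after {n} hashes: {a!r} {b!r} -> {trunc_hash(a):06x}")
    print("expected work at 24 bits:", work_factor(24))
    print("expected work at 128 bits:", work_factor(128))
```

Raising `BITS` by two roughly doubles the collision search and quadruples the preimage search, which is the quantitative form of "the larger the number of bits for the output the better the hash".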
