Movatterモバイル変換

[0]ホーム
URL:

Home page logo
bugtraq logo

Bugtraqmailing list archives

PreviousBy DateNext
PreviousBy ThreadNext

Re: MD5 To Be Considered Harmful Someday

From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 08 Dec 2004 14:03:56 -0800
The algorithm is far more complicated than "raw" MD5.  It consists of1000 iterations of MD5 with both output from the previous iterationand the original input (plaintext password and salt) being rolled intothe hash on each iteration.
Brute force work efforts like password cracking tend to be anexponential times a constant -- say, 2^32 operations that take 100mseach.  Increasing the complexity of a legitimate password verificationincreases the constant.  Interestingly, the more efficient a legitimateverifier becomes, the more efficient your brute forcer is.
Not that brute force is the only approach available.  There are numerousattacks that might break "pure" MD5 but fail given such massiveoverlapping.  There are, however, others that abuse extra rounds togreat effect.  For instance, SHA-0 is an 80 round algorithm.  Biham'spaper (http://eprint.iacr.org/2004/146/) showed that an 82 round variantis actually much weaker.  And Joux's unreleased paper makes it veryclear that simply stacking primitives doesn't create nearly the level ofcombinatorial complexity that you'd expect.
Of course, as I've said elsewhere passwords really aren't at allvulnerable to the MD5 attack.  But, if they were, extra iterationswouldn't be helpful.  Once the first round collided, all future roundswould continue to collide.
--Danwww.doxpara.com
PreviousBy DateNext
PreviousBy ThreadNext
Current thread:




[8]ページ先頭


©2009-2026 Movatter.jp