Re: Report of collision-generation with MD5

From: Mohacsi Janos (mohacsi_at_niif.hu)
Date: 08/19/04

    Date: Thu, 19 Aug 2004 17:40:10 +0200 (CEST)
    To: Jan Grant <Jan.Grant@bristol.ac.uk>
    
    

    Hi!

    On Thu, 19 Aug 2004, Jan Grant wrote:

    > On Wed, 18 Aug 2004, Brett Glass wrote:
    >
    >> At 02:54 PM 8/18/2004, Chris Doherty wrote:
    >>
    >>> what you can do, if you have a proper attack formula, is find *a* message
    >>> that produces *that one hash*. that is, if I have message M which produces
    >>> hash H, I can use the attack to find *a* message M' which will also
    >>> produce hash H.
    >>
    >> The thing is, passwords are short and have limited entropy. Chances are,
    >> if you find a password that produces the same hash, it's M.
    >
    > Details in the paper are few, but I don't think what Chris describes in
    > the snippet Brett quotes is what's necessarily happening. That is, for
    > any given MD5 initial state, they seem to be saying that they can find
    > two related messages that produce the same hash. NOT that they
    > necessarily can find a message with the same hash as a _given_ message.
    > Which I guess means that they can tack two different strings on the end
    > of any arbitrary file (since they claim they can attack an arbitrary IV)
    > and the resulting two files will also have the same MD5 hash, but that
    > won't be the MD5 of the original. The two appended strings are
    > effectively random, and differ from each other only in a few bits.
    >

    To avoid the possible attack, probably we should start adding an additional
    digest to MD5, e.g. SHA1. Probably some flexible method should be used,
    as in NetBSD pkgsrc: the distinfo files say what kinds of hashes are available,
    the digest(1) utility computes them accordingly, and the make process does the comparison
    for each available hash. If any fails, it reports.

    Multiple hashes can mitigate the possibility of attack.

    Regards,

    Janos Mohacsi
    Network Engineer, Research Associate
    NIIF/HUNGARNET, HUNGARY
    Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
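The multi-digest check Janos describes, as an added example that is not part of the original message and not pkgsrc's own digest(1) or make logic: a small Python checker that parses pkgsrc-style distinfo lines, recomputes every listed digest, and fails the distfile if any one of them disagrees. The file name, contents and distinfo text below are constructed for the example.

```python
import hashlib
import re

# Constructed sample: a tiny "distfile" and a distinfo in the pkgsrc layout
# "ALGO (file) = value". The MD5 and SHA1 values are the digests of b"abc".
DISTFILE_NAME = "example-1.0.tar.gz"
DISTFILE_DATA = b"abc"
DISTINFO = """\
MD5 (example-1.0.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SHA1 (example-1.0.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
Size (example-1.0.tar.gz) = 3 bytes
"""

# One distinfo line: algorithm name, file name in parentheses, "=", value.
LINE_RE = re.compile(r"^(\w+) \((.+?)\) = (.+)$")

# distinfo algorithm names -> hashlib names (only ones hashlib always has).
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA512": "sha512"}


def parse_distinfo(text):
    """Return {filename: {algo: value}} for every digest line in distinfo."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            algo, fname, value = m.groups()
            entries.setdefault(fname, {})[algo] = value.strip()
    return entries


def verify_distfile(distinfo_text, fname, data):
    """Check every digest listed for fname against the actual data.

    Returns (ok, failures). ok is True only if at least one digest was
    checked and every checkable digest matched; failures holds
    (algo, expected, actual) for each mismatch. Unknown algorithms are
    skipped rather than counted as passes.
    """
    listed = parse_distinfo(distinfo_text).get(fname)
    if not listed:
        return False, [("missing", None, None)]
    failures, checked = [], 0
    for algo, expected in listed.items():
        if algo == "Size":
            actual = "%d bytes" % len(data)
        elif algo in ALGOS:
            actual = hashlib.new(ALGOS[algo], data).hexdigest()
        else:
            continue  # no way to compute it here; do not count it
        checked += 1
        if actual != expected:
            failures.append((algo, expected, actual))
    return (checked > 0 and not failures), failures
```

A forged distfile has to match every listed digest at once, so one line that disagrees is enough to reject it.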

