Re: MD5 Collisions...



Colin Percival wrote:
> Norberto Meijome wrote:
>> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due? :
>>
>> " MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple inputs which
>> hash to the same value; it is still unlikely for an attacker to be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

Perhaps, 1st two paras:


==============
MD5 is a cryptographic message digest algorithm. It takes as input a message of arbitrary length and produces as output a 128-bit ``fingerprint'' or ``digest'' of the input. Such algorithms are intended for applications where a large file must be ``compressed'' in a secure manner, suitable as a digital signature or as an input to a public-key cryptosystem for digital signature or encryption purposes.

MD5 is no longer recommended as a cryptographic message digest algorithm, although it functions very well as a big checksum. It is now feasible (2004) to produce two messages having the same MD5 message digest (``collision'' attack), and attacks of this nature are getting better and faster. It is still conjectured to be computationally infeasible (2007) to produce any message having a given prespecified target message digest (``preimage'' attack).
==============



It's worth checking carefully ... discussing the minutiae of cryptographic algorithms is like angels dancing on a pin.

iang
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
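The collision/preimage distinction in the proposed wording above, shown as a worked example. This is added here and is not code from the post, from FreeBSD, or from the md5(1) manual page. Truncating MD5 to 16 bits and the counter-style messages are assumptions made so both searches finish in well under a second; the generic attacks on full 128-bit MD5 scale the same way (about 2^64 hashes for a birthday collision against about 2^128 for a preimage). The example reproduces only that generic gap, not the 2004 cryptanalytic shortcuts that bring collisions far below the birthday bound.

```python
"""Birthday (collision) search versus brute-force preimage search on a
truncated MD5.  Added example, not part of the mailing-list post or of
the FreeBSD md5(1) manual page.  The 16-bit truncation and the counter
messages are assumptions chosen so the demo runs quickly."""
import hashlib

# Truncation width for the demo (assumption).  Full MD5 is 128 bits and the
# same asymmetry holds there: roughly 2**64 hashes for a generic birthday
# collision versus roughly 2**128 for a generic preimage.
BITS = 16


def truncated_md5(data: bytes, bits: int = BITS) -> int:
    """Leading `bits` bits of MD5(data), as an integer (bits=128 is full MD5)."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_collision(bits: int = BITS):
    """Birthday search: hash distinct messages until two of them share a
    truncated digest.  Expected cost is about sqrt(pi/2 * 2**bits) hashes,
    and the pigeonhole principle guarantees success after 2**bits + 1.
    Returns (msg_a, msg_b, hashes_computed)."""
    seen = {}  # truncated digest -> first message that produced it
    i = 0
    while True:
        msg = b"collide-%d" % i  # constructed message, assumption for the demo
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def find_preimage(target: int, bits: int = BITS):
    """Brute-force preimage search: hash messages until one hits `target`.
    Expected cost is about 2**bits hashes; knowing how to find collisions
    gives no shortcut here.  Returns (msg, hashes_computed)."""
    i = 0
    while True:
        msg = b"preimage-%d" % i  # separate namespace from the collision search
        if truncated_md5(msg, bits) == target:
            return msg, i + 1
        i += 1


def compare(bits: int = BITS) -> dict:
    """Run both searches against the same truncated hash and report the work
    each needed.  The target digest comes from a constructed sample document."""
    a, b, collision_work = find_collision(bits)
    target = truncated_md5(b"constructed target document", bits)
    m, preimage_work = find_preimage(target, bits)
    return {
        "collision": (a, b),
        "collision_work": collision_work,
        "target": target,
        "preimage": m,
        "preimage_work": preimage_work,
    }


if __name__ == "__main__":
    r = compare()
    a, b = r["collision"]
    print("collision after %d hashes: %r and %r" % (r["collision_work"], a, b))
    print("preimage  after %d hashes: %r" % (r["preimage_work"], r["preimage"]))
```

Running it prints two messages with equal truncated digests found after a few hundred hashes, while the preimage search typically needs tens of thousands; that gap is the practical content of "collision feasible, preimage still conjectured infeasible" in the proposed man-page text.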


