Re: The Chinese MD5 attack

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 08/17/05

Date: 17 Aug 2005 15:39:28 GMT
"Alan" <a__l__a__n@hotmail.com> writes:

>Unruh wrote:
>> Yes, but they are NOT in contradiction with my statement. Given a file A
>> with a certain MD5 hash, can you find another file B which has the same
>> hash.

>They ARE contradictions of your original statement. You said:
>> Yes, but there is no "exploit" AFAIK
>and:
>> What they can do is to create two files (not structured files, but two
>> "random" files) with the same hash.

>I linked to two examples of meaningful, exploitable collisions. At least
>one other colliding pair has been generated: two different executable files
>with the same MD5 sum. That is certainly an exploitable scenario.

Agreed. IF the attacker can generate both files, then the attacker can
generate two files with meaningful content which have the same hash. That
is a very bad thing to have a hash do.

However, the question remains. IF I (not you, I) generate a file, can you
find a file with the same MD5 sum? That is the situation we are discussing
in this thread. A file was generated by a speed camera together with an md5
hash of that file. The court had to decide if it was possible that that
picture had been changed, even though it had the same md5 hash as the
picture originally produced by the camera.

This is not a case of an attacker making the files, or creating two
colliding files. It is a case of the attacker having to create a new file
with the same md5 hash as the original.
Are you claiming that to be possible?

>As Stefan Lucks and Magnus Daum stated on their last slide at the Eurocrypt
>2005 conference, "Don't use broken hash functions!". They know what they
>are talking about.

It depends on what you have available. It is not clear that SHA1 is better
since apparently it is designed very similarly to MD5, but I guess no
collision creation has yet been found for it.
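The distinction the thread turns on (an attacker who chooses both files versus one who must match the hash of a file somebody else already produced) can be made concrete with a toy hash. The following is an added example, not code from the original post; it truncates MD5 to 20 bits so both searches finish in seconds, and the "photo" bytes are a constructed stand-in for the camera's file.

```python
import hashlib

# Toy hash for the demonstration: MD5 truncated to `bits` bits, so both
# searches finish in seconds. The asymmetry it shows is the one the thread
# turns on: an attacker who chooses BOTH inputs (the collision setting)
# needs about 2^(bits/2) hash evaluations (birthday bound), while an
# attacker who must match the hash of a file somebody else already fixed
# (the speed-camera case, a second preimage) needs about 2^bits.

def toy_hash(data: bytes, bits: int = 20) -> int:
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)

def find_collision(bits: int = 20):
    """Birthday search over a deterministic candidate sequence.

    Returns (m1, m2, evaluations) with m1 != m2 and equal toy hashes.
    """
    seen = {}
    n = 0
    while True:
        n += 1
        m = n.to_bytes(8, "big")          # candidates are all distinct
        h = toy_hash(m, bits)
        if h in seen:
            return seen[h], m, n
        seen[h] = m

def find_second_preimage(target: bytes, bits: int = 20):
    """Brute-force a different message with the same toy hash as `target`.

    The target is fixed in advance (like the camera's photo), so the
    attacker gets no birthday advantage. Returns (forgery, evaluations).
    """
    want = toy_hash(target, bits)
    n = 0
    while True:
        n += 1
        m = b"forged-" + n.to_bytes(8, "big")
        if m != target and toy_hash(m, bits) == want:
            return m, n

if __name__ == "__main__":
    # Constructed stand-in for the camera's file; any bytes would do.
    photo = b"speed camera frame, constructed sample, 2005-08-17"
    m1, m2, n_coll = find_collision()
    forged, n_pre = find_second_preimage(photo)
    print(f"collision after {n_coll} evaluations: "
          f"{toy_hash(m1):05x} == {toy_hash(m2):05x}")
    print(f"second preimage of the fixed file after {n_pre} evaluations")
```

On a 20-bit hash the collision typically appears after roughly a thousand evaluations while the second preimage takes on the order of a million; shrinking the gap from 2^(n/2) to 2^n is exactly what a collision result such as Wang's does not, by itself, achieve.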
