Re: The Chinese MD5 attack

From: Alan (
Date: 08/17/05

Date: Wed, 17 Aug 2005 16:29:08 -0400

Unruh wrote:
> A file was generated by a speed camera together with an md5
> hash of that file. The court had to decide if it was possible that that
> picture had been changed, even though it had the same md5 hash as the
> picture originally produced by the camera.
> This is not a case of an attacker making the files, or creating two
> colliding files. It is a case of the attacker having to create a new file
> with the same md5 hash as the original.
> Are you claiming that to be possible?

Not with the published techniques. Lacking control of the original
document, the effort required is approximately the square of the effort
where you control both documents, putting it out of reach for least
if I understand the attack correctly.

Not knowing more about the implementation, it is hard to say for sure that a
collision attack could not be used, but it seems unlikely. For that matter
there may be many other avenues of attack which have nothing to do with MD5.

Still, it is hard to think of a justification for using MD5 in any
cryptographic application at this point. There are (hopefully!!) better
choices available. Attacks always get better, never worse.
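
Added example, not part of the original post: the generic cost gap between the two situations discussed in this thread (attacker chooses both files versus attacker must match a fixed original), measured on MD5 truncated to 16 bits so both searches finish. It uses plain brute force rather than the published MD5 collision technique; the function names and sample messages are constructed for illustration.

```python
import hashlib
from itertools import count

def h(msg: bytes, bits: int) -> int:
    """MD5 truncated to its top `bits` bits (a toy hash so the search finishes)."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)

def find_collision(bits: int, tag: bytes):
    """Both messages are free to choose: birthday search, about 2**(bits/2) hashes."""
    seen = {}
    for i in count():
        msg = tag + b"-c-" + str(i).encode()
        d = h(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1      # two distinct messages, same digest
        seen[d] = msg

def find_second_preimage(original: bytes, bits: int, tag: bytes):
    """The original is fixed (the camera's file): brute force, about 2**bits hashes."""
    target = h(original, bits)
    for i in count():
        msg = tag + b"-s-" + str(i).encode()
        if msg != original and h(msg, bits) == target:
            return msg, i + 1

def compare(bits: int = 16, trials: int = 8):
    """Average number of hash evaluations per search over several independent runs."""
    col = sp = 0
    for t in range(trials):
        tag = b"trial%d" % t
        col += find_collision(bits, tag)[2]
        original = b"constructed camera image %d" % t   # stand-in for the fixed file
        sp += find_second_preimage(original, bits, tag)[1]
    return col / trials, sp / trials

if __name__ == "__main__":
    avg_col, avg_sp = compare()
    print(f"16-bit truncation: collision ~{avg_col:.0f} hashes, "
          f"second preimage ~{avg_sp:.0f} hashes")
```

At 16 bits the collision search needs on the order of 2^8 hashes and the second-preimage search on the order of 2^16; scaled to the full 128-bit digest the same generic bounds are 2^64 and 2^128.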