Re: The Chinese MD5 attack

From: Alan (
Date: 08/17/05

Date: Wed, 17 Aug 2005 16:29:08 -0400

Unruh wrote:
> A file was generated by a speed camera together with an md5
> hash of that file. The court had to decide if it was possible that that
> picture had been changed, even though it had the same md5 hash as the
> picture originally produced by the camera.
> This is not a case of an attacker making the files, or creating two
> colliding files. It is a case of the attacker having to create a new file
> with the same md5 hash as the original.
> Are you claiming that to be possible?

Not with the published techniques. Lacking control of the original
document, the effort required is approximately the square of the effort
where you control both documents, putting it out of reach for least
if I understand the attack correctly.

Not knowing more about the implementation, it is hard to say for sure that a
collision attack could not be used, but it seems unlikely. For that matter
there may be many other avenues of attack which have nothing to do with MD5.

Still it is hard to think of a justification for using MD5 in any
cryptographic application at this point. There are (hopefully!!) better
choices available. Attacks always get better, never worse.
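
The gap between the two cases discussed above, as an added example that is not part of the original post: a generic search against MD5 truncated to 20 bits, comparing the work to find any colliding pair with the work to match one fixed original. It uses plain birthday and brute-force search, not the published MD5 collision technique; the truncation width, message strings and function names are assumptions made for the demonstration.

```python
import hashlib
from itertools import count

BITS = 20  # truncated digest size; assumption chosen so the demo finishes in seconds

def h(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(data): a deliberately weakened toy hash."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)

def find_collision(bits: int = BITS):
    """Both messages are freely chosen: birthday search, about 2**(bits/2) trials."""
    seen = {}  # truncated digest -> first message that produced it
    for trials in count(1):
        msg = b"free-choice-%d" % trials
        tag = h(msg, bits)
        if tag in seen:
            return seen[tag], msg, trials
        seen[tag] = msg

def find_second_preimage(original: bytes, bits: int = BITS):
    """The original is fixed (the camera's file): brute force, about 2**bits trials."""
    target = h(original, bits)
    for trials in count(1):
        msg = b"forged-%d" % trials
        if msg != original and h(msg, bits) == target:
            return msg, trials

if __name__ == "__main__":
    a, b, c_trials = find_collision()
    print(f"collision after {c_trials} trials: {a!r} / {b!r}")
    original = b"constructed stand-in for the camera image"  # constructed sample input
    forged, p_trials = find_second_preimage(original)
    print(f"second preimage after {p_trials} trials: {forged!r}")
    print(f"expected order of work: 2^{BITS // 2} vs 2^{BITS}")
```

At the full 128-bit width the same generic bounds are about 2^64 for a collision and 2^128 for a second preimage, which is the "square of the effort" relationship in its generic form.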

