Re: The Chinese MD5 attack

Crypto_at_S.M.S
Date: 08/17/05


Date: Thu, 18 Aug 2005 06:58:20 +1000

Unruh wrote:
> "Alan" <a__l__a__n@hotmail.com> writes:
>
>
>>Unruh wrote:
>>
>>>Yes, but they are NOT in contradiction with my statement. Given a file A
>>>with a certain MD5 hash, can you find another file B which has the same
>>>hash.
>
>
>>They ARE contradictions of your original statement. You said:
>>
>>>Yes, but there is no "exploit" AFAIK
>>
>>and:
>>
>>>What they can do is to create two files (not structured files, but two
>>>"random" files) with the same hash.
>
>
>>I linked to two examples of meaningful, exploitable collisions. At least
>>one other colliding pair has been generated: two different executable files
>>with the same MD5 sum. That is certainly an exploitable scenario.
>
>
> Agreed. IF the attacker can generate both files, then the attacker can
> generate two files with meaningful content which have the same hash. That
> is a very bad thing to have a hash do.
>
> However, the question remains. IF I (not you, I) generate a file, can you
> find a file with the same MD5 sum? That is the situation we are discussing
> in this thread. A file was generated by a speed camera together with an md5
> hash of that file. The court had to decide if it was possible that that
> picture had been changed, even though it had the same md5 hash as the
> picture originally produced by the camera.
> This is not a case of an attacker making the files, or creating two
> colliding files. It is a case of the attacker having to create a new file
> with the same md5 hash as the original.
> Are you claiming that to be possible?
>

Joseph Ashwood claimed it was possible:

   Assuming a common passphrase length of around 20 characters,
   and assuming it is English, this will have 20-30 bits of entropy,
   MD5 will be enough to uniquely identify each of these, and MD5
   can be effectively reversed under these circumstances in under 1 hour.
   This will yield the entire original passphrase, leading immediately to
   a complete compromise. So 1 hour.

                                      "Joseph Ashwood" <ashwood@msn.com>
                          <dJ5ue.882$N22.328@newssvr21.news.prodigy.com>

So which is it? Can MD5 be "effectively reversed", or can you only
find a collision for something you already have?
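The three notions the thread is circling (a collision, where the attacker chooses both inputs; a second preimage, where one input is fixed by someone else, as with the speed-camera photo; and "reversing" a hash of a low-entropy input, which is what the quoted one-hour figure describes) can be separated with a short script. What follows is an added example, not code from any poster in this thread. It uses the two 128-byte MD5 colliding blocks published by Wang, Feng, Lai and Yu in 2004, transcribed from the public literature, and a constructed five-entry word list standing in for the "20-30 bits of entropy" passphrase space; nothing in it produces a second preimage for a message the attacker did not choose, because no such technique for MD5 exists on this page or, as far as is publicly known, anywhere else.

```python
import hashlib
from typing import List, Optional

# The two 128-byte inputs from Wang et al. (2004), transcribed from the
# public literature. They differ in six bytes yet share one MD5 digest.
COLLIDING_BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed word list: a stand-in for a low-entropy passphrase space.
WORDLIST = ["correct horse", "letmein", "Tr0ub4dor&3", "speed camera 2005", "password1"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_survives_suffix(suffix: bytes) -> bool:
    """Collision attack: the attacker controls BOTH inputs.

    The two blocks are exactly two full 64-byte MD5 blocks, so MD5's internal
    state is identical after absorbing either one; appending any common suffix
    keeps the digests equal. That is how a 'random' colliding pair becomes two
    meaningful files (e.g. two executables): each is one block followed by a
    shared payload that branches on which block it finds in front of it.
    """
    return md5_hex(COLLIDING_BLOCK_A + suffix) == md5_hex(COLLIDING_BLOCK_B + suffix)


def brute_force_preimage(target_hex: str, candidates: List[str]) -> Optional[str]:
    """'Reversing' MD5 of a low-entropy input.

    This is not an inversion of MD5: it enumerates the small space the
    passphrase was drawn from until one candidate hashes to the target. It
    works identically against an unbroken hash; the weakness is the input's
    entropy, not the hash function. It gives no help against the camera
    scenario, where the fixed input is a high-entropy image file.
    """
    for guess in candidates:
        if md5_hex(guess.encode()) == target_hex:
            return guess
    return None


if __name__ == "__main__":
    print("pair differs at offsets", differing_offsets(COLLIDING_BLOCK_A, COLLIDING_BLOCK_B))
    print("digest A:", md5_hex(COLLIDING_BLOCK_A))
    print("digest B:", md5_hex(COLLIDING_BLOCK_B))
    print("collision survives suffix:", collision_survives_suffix(b"shared payload"))
    target = md5_hex(b"letmein")
    print("low-entropy 'reversal' of", target, "->", brute_force_preimage(target, WORDLIST))
```

Running it shows both sides of the disagreement are consistent: `collision_survives_suffix` is the exploitable two-files case Alan describes, and `brute_force_preimage` is the "effectively reversed" case Ashwood describes, but neither function takes a digest chosen by someone else and returns a new input for it, which is the property the court case turned on.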


