Re: The Chinese MD5 attack

Crypto_at_S.M.S
Date: 08/17/05


Date: Thu, 18 Aug 2005 06:58:20 +1000

Unruh wrote:
> "Alan" <a__l__a__n@hotmail.com> writes:
>
>
>>Unruh wrote:
>>
>>>Yes, but they are NOT in contradiction with my statement. Given a file A
>>>with a certain MD5 hash, can you find another file B which has the same
>>>hash.
>
>
>>They ARE contradictions of your original statement. You said:
>>
>>>Yes, but there is no "exploit" AFAIK
>>
>>and:
>>
>>>What they can do is to create two files (not structured files, but two
>>>"random" files) with the same hash.
>
>
>>I linked to two examples of meaningful, exploitable collisions. At least
>>one other colliding pair has been generated: two different executable files
>>with the same MD5 sum. That is certainly an exploitable scenario.
>
>
> Agreed. IF the attacker can generate both files, then the attacker can
> generate two files with meaningful content which have the same hash. That
> is a very bad thing to have a hash do.
>
> However, the question remains. IF I (not you, I) generate a file, can you
> find a file with the same MD5 sum? That is the situation we are discussing
> in this thread. A file was generated by a speed camera together with an md5
> hash of that file. The court had to decide if it was possible that that
> picture had been changed, even though it had the same md5 hash as the
> picture originally produced by the camera.
> This is not a case of an attacker making the files, or creating two
> colliding files. It is a case of the attacker having to create a new file
> with the same md5 hash as the original.
> Are you claiming that to be possible?
>

Joseph Ashwood claimed it was possible:

   Assuming a common passphrase length of around 20 characters,
   and assuming it is English, this will have 20-30 bits of entropy,
   MD5 will be enough to uniquely identify each of these, and MD5
   can be effectively reversed under these circumstances in under 1 hour.
   This will yield the entire original passphrase, leading immediately to
   a complete compromise. So 1 hour.

                                      "Joseph Ashwood" <ashwood@msn.com>
                          <dJ5ue.882$N22.328@newssvr21.news.prodigy.com>

So which is it? Can MD5 be "effectively reversed", or can you only
find a collision for something you already have?
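The two claims in this thread are about different things, and a short worked example makes the difference concrete. What follows is an added illustration, not code from any poster in the thread. Ashwood's "effective reversal" is an exhaustive search over a small input space: if the preimage is known to be a 20-30 bit passphrase, you hash every candidate until one matches. That says nothing about MD5's preimage resistance; the same search would "reverse" any hash function. The speed-camera case is the opposite situation: the preimage is a full-entropy image, so the only way to match the digest is a genuine second-preimage attack on MD5, which the 2005 collision results do not provide. The wordlist, the sample passphrase, and the hashing rates below are assumptions chosen for the demonstration.

```python
import hashlib
import itertools
import math

# Constructed toy wordlist for the demonstration (an assumption, not a real
# passphrase dictionary). 16 words per slot gives 4 bits of entropy per word.
WORDLIST = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf",
            "hotel", "india", "juliet", "kilo", "lima", "mike", "november",
            "oscar", "papa"]


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of data."""
    return hashlib.md5(data).hexdigest()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a value drawn uniformly from alphabet_size**length choices."""
    return length * math.log2(alphabet_size)


def recover_passphrase(target_hex: str, wordlist, num_words: int, sep: str = " "):
    """Enumerate every num_words-word phrase from wordlist and return the one whose
    MD5 equals target_hex, or None if the target lies outside the keyspace.

    This is the 'effective reversal' of a low-entropy input: brute-force search
    over the input space, not an inversion of MD5 itself. It works only because
    the attacker already knows the preimage came from a tiny set of candidates.
    """
    for words in itertools.product(wordlist, repeat=num_words):
        candidate = sep.join(words).encode()
        if md5_hex(candidate) == target_hex:
            return candidate.decode()
    return None


def work_factor_hours(bits: float, hashes_per_second: float) -> float:
    """Worst-case hours to enumerate a 2**bits keyspace at the given hashing rate."""
    return (2.0 ** bits) / hashes_per_second / 3600.0


def demo():
    # Low-entropy case: a 3-word passphrase from a 16-word list is only 12 bits,
    # so the digest 'reverses' after at most 4096 MD5 calls.
    secret = "delta kilo echo"            # constructed sample passphrase
    digest = md5_hex(secret.encode())
    recovered = recover_passphrase(digest, WORDLIST, 3)

    # High-entropy case: a digest of data outside the keyspace (here a fixed
    # 16-byte constant standing in for a camera image) never matches, and the
    # real search space for an arbitrary 128-bit preimage is 2**128.
    unrelated = md5_hex(bytes(range(16)))
    not_found = recover_passphrase(unrelated, WORDLIST, 3)

    # Assumed rates: 1e6 MD5/s (single 2005-era CPU) and 1e15 MD5/s (a huge cluster).
    return {
        "passphrase_bits": entropy_bits(len(WORDLIST), 3),
        "recovered": recovered,
        "unrelated_recovered": not_found,
        "hours_for_30_bits_at_1e6": work_factor_hours(30, 1e6),
        "hours_for_128_bits_at_1e15": work_factor_hours(128, 1e15),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two `work_factor_hours` figures are the whole argument: a 30-bit passphrase space falls in well under an hour even at a modest rate, matching Ashwood's estimate, while a 128-bit preimage space at a billion times that rate still needs on the order of 10^17 hours. Both numbers are the same for MD5, SHA-1, or any other hash; the weakness Ashwood describes lives in the passphrase, not in MD5.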