lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 7 Dec 2004 20:01:13 -0800
From: "David Schwartz" <davids@...master.com>
To: <gandalf@...ital.net>, "Dan Kaminsky" <dan@...para.com>,
	"BugTraq" <bugtraq@...urityfocus.com>
Subject: RE: MD5 To Be Considered Harmful Someday



> From my reading it appears that you need the original source to create the
> doppelganger blocks.  It also appears that given a MD5 hash you could not
> create a input that would give that MD5 back.  Passwords encoded with MD5
> would not fall prey to your discovery.  Is this correct?

	Correct. You will never be able to find the input given an MD5 hash. It
might be possible to, eventually, come up with an input that has the same
hash given just the hash, but you could never know if that was the original
input or not. (At least, not in general.)

> Unfortunately when "The Press" publicized the MD5 hash discovery
> by Joux and Wang it almost sounded like "The Press" was
> surprised to find collisions in the MD5 domain

	Lots of people were surprised. We all knew we were there, and we all knew
they'd be found eventually. I don't think many people suspected, however,
that they would be found quite so soon. Some of the early "mainstream"
articles missed the boat, of course.

> (intuitive to me, a limited number of outputs and
> a infinite
> number of inputs = Collisions).  I assume that a "good" hash would have a
> even distribution of collisions across the domain and that the
> larger number
> of bits for the output the better the hash (assuming no cryptographic
> algorithm errors).

	Yes. At this point, MD5 should no longer be used for applications where an
adversary might have access to the data that is being signed. That means
it's no longer suitable for signing certificates or authenticating data sent
over a peer-to-peer network. SHA1 with 160-bits is still, as far as we know,
suitable for all of these purposes.

	I generally advise not using MD5 for any applications except (P)RNGs and as
a non-cryptographically-secure checksum.

	DS

Powered by blists - more mailing lists