MD5 tunnel - 1 min on a laptop for a collision

Tue Mar 21 18:37:38 -0800 2006

From cryptome.org: tunnels.pdf; MD5_collisions.

Vlastimil Klima: Tunnels in Hash Functions: MD5 Collisions Within a Minute (extended abstract), IACR ePrint archive Report 2006/105, 18 March 2006, pdf: English, Czech, the source code.

MD5 was pretty busted anyway, if this is confirmed and shown useful, then it is really broken, with the SHA-<>'s looking vulnerable.

MD5 tunnel - 1 min on a laptop for a collision
ziv
Wed Mar 22 05:04:41 -0800 2006
From a cursory examination it appears that this method generates two different pseudorandom pieces of data which have the same md5sum hash output.

They have not shown an easy way of generating an alternative set of data with the same md5sum as a chosen file or to generate a collision for a chosen md5 hash.

This means that common uses of md5 are not yet broken. For example schemes to check the authenticity of files such as verified links for filesharing programs or using a hash value from a trusted source to check that a software download has not been modified.

I don't have the advanced mathematics and crypto knowledge to speculate whether this makes a complete break of md5 likely soon. Anyone?

The tinfoil hat brigade may be interested in the acknowledgments, "I would like to thank to Czech National Security Agency for the approval to publish a part of the results of the project No. ST20052005017."

Broken enough, though

Wed Mar 22 08:00:14 -0800 2006
The Australian Supreme Court has decided that MD5 is sufficiently untrustworthy that its use in validating traffic camera tickets is invalid.  The Linux community has also begun a wholesale move away from it; the latest ISOs for Fedora include only a sha1sum file, dropping the md5sum file.

This makes sense (well, the Linux part does).  MD5 is showing severe weaknesses, and it's important to be moving beyond it.  Even SHA1 has cracks, and moves should be made towards higher-strength variants.  Because the SHA variants are still based in part on SHA1, there is a growing call for an AES-style competition for a new standard hash, which would be ready in probably five years or so.

Of course there are collisions

Mon Mar 27 18:21:43 -0800 2006
I don't get the hype. Of course there are collisions - you're reducing every possible input to a 128-bit space. There have to be an infinite number of collisions.

What no one has shown is that there is any feasible method of creating meaningful data (e.g. another JPEG file with false information) that hashes to the same md5sum. The Australian Supreme Court frankly made a bad decision here, since no one on Earth knows how to fake a photo with a 'valid' md5sum.
Of course there are collisions
Sat Sep 08 22:44:34 -0700 2007
Yes, but what this really means is that I don't need to guess the correct password to get into an account storing the password as an MD5 hash. I only have to guess a password that results in the same hash and I'm in.  I think the issue with most of these algorithms is that they were developed when it would have taken a mainframe days or weeks to find a collision. Now with the processing power of even today's laptop PCs, it takes much less time to find a collision. Creating an altered file that results in the same MD5 hash is a much more difficult task. So as a file checksum MD5 is still a viable method. But as an encryption method for stored authentication information, it is losing favor...
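The thread keeps circling one distinction: finding any two inputs that collide (what the paper does) versus matching the hash of a chosen file or stored value (what the download-check and password cases need). The following added example, which is not from the paper or from any poster, makes the gap in effort visible by truncating MD5 to 16 bits so both searches finish in well under a second; the birthday search for an arbitrary pair needs on the order of 2^8 trials, while hitting a fixed target needs on the order of 2^16. The message formats and the target string are constructed for the demo.

```python
import hashlib
import itertools


def truncated_md5(data: bytes, bits: int) -> int:
    """MD5 reduced to its first `bits` bits, so brute force is fast enough to watch."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_collision(bits: int) -> tuple:
    """Birthday search: any two distinct inputs with equal truncated hash.

    Neither input is chosen in advance; this is the kind of result the paper
    produces (two pseudorandom blocks, same hash).  Returns (m1, m2, trials).
    """
    seen = {}
    for i in itertools.count():
        msg = f"msg-{i}".encode()           # constructed, arbitrary inputs
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int) -> tuple:
    """Brute force a different input hashing to the SAME value as a fixed target.

    This is what breaking a trusted download checksum or a stored password
    hash requires; the attacker does not get to pick the target.
    Returns (m, trials).
    """
    want = truncated_md5(target, bits)
    for i in itertools.count():
        msg = f"alt-{i}".encode()           # constructed candidates, never equal to target
        if msg != target and truncated_md5(msg, bits) == want:
            return msg, i + 1


def compare_effort(bits: int = 16) -> dict:
    """Run both searches on the same truncated hash and report trial counts."""
    _, _, collision_trials = find_collision(bits)
    target = b"trusted-release.iso"          # constructed stand-in for a published file
    _, preimage_trials = find_second_preimage(target, bits)
    return {"collision_trials": collision_trials,
            "second_preimage_trials": preimage_trials}


if __name__ == "__main__":
    print(compare_effort(16))
```

The collision count lands near sqrt(2^16) and the second-preimage count near 2^16; at the full 128 bits the first figure is what the paper reduced to a minute, the second is still out of reach, which is why the file-verification and password cases in the posts above are different questions.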