Date:      Fri, 7 Jun 1996 19:55:12 -0700 (PDT)
From:      Steve Reid <root@edmweb.com>
To:        Poul-Henning Kamp <phk@freebsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: MD5 broken (not quite)
Message-ID:  <Pine.BSF.3.91.960607185621.444A-100000@bitbucket.edmweb.com>
In-Reply-To: <1261.834197036@critter.tfs.com>

Okay, so I've made a fool of myself. MD5 is not broken yet.

> >Sorry if I'm digging up a dead topic, but is everyone here aware that
> >MD5 has been broken?
> >About a month ago, Hans Dobbertin showed that he could generate MD5
> >collisions in just 10 hours on a Pentium PC.
> 
> Let's not get unduly worried here.
> He has not generated "MD5 collisions".
> He has generated "MD5 >pseudo< collisions".
> He is using a different initial buffer than the one used in MD5, and
> argues that he then has exposed a weakness in MD5.

I admit I'm not a crypto expert (Yes, I should have said that in the first
place)... In this paper he specifically uses the term collision, and
differentiates between collisions and pseudo-collisions. 

I see what you're saying, though... Looking more closely at the paper, the
initial value he used was 12AC2375 3B341042 5F62B97C 4BA763ED, which is
not what the MD5 algorithm normally uses for an IV. So you're right, this
won't affect anything yet. This still seems to be a very large step
forward, though... Probably about as close to broken as it can be without
actually being broken. 

It would probably be a good idea to switch to something else _now_ rather
than waiting for real MD5 to be broken. 

> Until somebody comes up with a way of solving A = MD5(X) for some given
> value of A then you don't need to worry too much. 

That would definitely be the end of MD5, but AFAIK (I'm not a crypto
expert) reversing a hash is harder than finding real-world collisions
where MD5(X) = MD5(Y), which would also be the end of MD5 in many (but not
all) applications. 


=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)    |
| Email: steve@edmweb.com   Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
|          -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. --          |
===================================================================:)