From owner-freebsd-security Fri Jun 7 19:55:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA24721 for security-outgoing; Fri, 7 Jun 1996 19:55:28 -0700 (PDT)
Received: from bitbucket.edmweb.com (bitbucket.edmweb.com [204.244.190.9]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id TAA24712; Fri, 7 Jun 1996 19:55:20 -0700 (PDT)
Received: (from root@localhost) by bitbucket.edmweb.com (8.6.12/8.6.12) id TAA00574; Fri, 7 Jun 1996 19:55:17 -0700
Date: Fri, 7 Jun 1996 19:55:12 -0700 (PDT)
From: Steve Reid
To: Poul-Henning Kamp
cc: freebsd-security@freebsd.org
Subject: Re: MD5 broken (not quite)
In-Reply-To: <1261.834197036@critter.tfs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Okay, so I've made a fool of myself. MD5 is not broken yet.

> >Sorry if I'm digging up a dead topic, but is everyone here aware that
> >MD5 has been broken?
> >About a month ago, Hans Dobbertin showed that he could generate MD5
> >collisions in just 10 hours on a Pentium PC.
>
> Let's not get unduly worried here.
> He has not generated "MD5 collisions".
> He has generated "MD5 >pseudo< collisions".
> He is using a different initial buffer than the one used in MD5, and
> argues that he then has exposed a weakness in MD5.

I admit I'm not a crypto expert (Yes, I should have said that in the first
place)... In this paper he specifically uses the term collision, and
differentiates between collisions and pseudo-collisions. I see what you're
saying, though... Looking more closely at the paper, the initial value he
used was 12AC2375 3B341042 5F62B97C 4BA763ED, which is not what the MD5
algorithm normally uses for an IV. So you're right, this won't affect
anything yet. This still seems to be a very large step forward, though...
Probably about as close to broken as it can be without actually being
broken.

It would probably be a good idea to switch to something else _now_ rather
than waiting for real MD5 to be broken.

> Until somebody comes up with a way of solving A = MD5(X) for some given
> value of A then you don't need to worry too much.

That would definitely be the end of MD5, but AFAIK (I'm not a crypto
expert) reversing a hash is harder than finding real-world collisions
where MD5(X) = MD5(Y), which would also be the end of MD5 in many (but
not all) applications.

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)    |
| Email: steve@edmweb.com   Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
|         -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. --           |
===================================================================:)