MD5 collisions?

[Thomas Harold]

Eric Rescorla wrote:

> Check out this ePrint paper, which claims to have collisions in
> MD5, MD4, HAVAL, and full RIPEMD.
> 
> http://eprint.iacr.org/2004/199.pdf
> 
> The authors claim that the MD5 attack took an hour for the first
> collision and 15 seconds to 5 minutes for subsequent attacks
> with the same first 512 bits. 

I'll play the newbie and ask the question... how would this be used in a 
practical attack against MD5 (or the other hashing algorithms)?

 From my limited understanding, MD5 is usually used as a hash to detect 
tampering in a particular bitstream.  In which case, the attacker's goal 
would be to calculate how to change bits in the bitstream without 
changing the MD5 output.  (And hopefully without making the bitstream a 
different size.)  Is this where collisions come into play?

Alternatively, hash functions can be used to store passwords (salt + 
plain text password => hash function => password file).  But I don't see 
where the attacker could use collisions for that.

[Moderator's note:

 You might want to read up on hash functions and their uses --
 "detecting tampering" in the sense you mean isn't the main use of
 hash functions these days though they are certainly employed in such
 applications. Hash functions are a primitive used in all sorts of
 places as part of MACs, as ways of enabling signature systems, as
 elements of commitment protocols etc. The use in commitment protocols
 is totally blown by the current results, btw.

 For purposes of things like x.509 certificates, as message integrity
 codes, etc., the current attacks don't provide an immediate way to
 attack the system, but they make one worried about the health of the
 algorithms -- probably sufficiently much to motivate quickly
 abandoning them for ones that are not vulnerable to these attacks.

 --Perry]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com