MD5 To Be Considered Harmful Someday

Eric Rescorla ekr at rtfm.com
Wed Dec 8 00:01:40 EST 2004


"James A. Donald" <jamesd at echeque.com> writes:

>     --
> On 6 Dec 2004 at 16:14, Dan Kaminsky wrote:
>> * Many popular P2P networks (and innumerable distributed 
>> content databases) use MD5 hashes as both a reliable search 
>> handle and a mechanism to ensure file integrity.  This makes 
>> them blind to any signature embedded within MD5 collisions. 
>> We can use this blindness to track MP3 audio data as it 
>> propagates from a custom P2P node.
>
> This seems pretty harmful right now, no need to wait for 
> someday.
>
> But even back when I implemented Crypto Kong, the orthodoxy was 
> that one should use SHA1, even though it is slower than MD5, so 
> it seems to me that MD5 was considered harmful back in 1997, 
> though I did not know why at the time, and perhaps no one knew 
> why.

Dobbertin's collision in the MD5 compression function was published
in May of 1996.

-Ekr
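The blindness Kaminsky's quoted bullet describes comes from one digest doing two jobs: it is the key the network searches on and the only check that the bytes received are the bytes advertised. Any collision for that digest therefore makes two different files indistinguishable to the network. The Python below is an added illustration, not code from any post in this thread or from any real P2P client; it builds a small content-addressed index, and because real MD5 collisions cannot be brute-forced here, it uses a constructed `weak_handle` (16 bits of MD5) purely to make a colliding pair findable. The `sha256` column is the added mitigation: a second, independent hash that turns a silent overwrite into a recorded collision.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Entry:
    handle: str    # the advertised lookup key (MD5 in the thread's scenario)
    sha256: str    # independent hash kept so a handle collision is detectable
    data: bytes


def md5_handle(data: bytes) -> str:
    """The handle the thread discusses: the file's MD5 digest."""
    return hashlib.md5(data).hexdigest()


def weak_handle(data: bytes) -> str:
    """Constructed stand-in for a broken hash: only 16 bits of MD5, so two
    colliding inputs can be found by brute force in this example. Colliding
    full MD5 requires the cryptanalytic results the thread refers to."""
    return hashlib.md5(data).hexdigest()[:4]


class ContentIndex:
    """Index that uses one hash as both search handle and integrity check."""

    def __init__(self, handle_fn):
        self.handle_fn = handle_fn
        self.entries = {}       # handle -> Entry
        self.collisions = []    # (handle, sha256 stored, sha256 rejected)

    def put(self, data: bytes) -> str:
        handle = self.handle_fn(data)
        digest = hashlib.sha256(data).hexdigest()
        existing = self.entries.get(handle)
        if existing is None:
            self.entries[handle] = Entry(handle, digest, data)
        elif existing.sha256 != digest:
            # Same handle, different bytes. An index keyed on the handle alone
            # keeps the first copy and serves it for the second without
            # noticing; the independent hash lets us record the collision.
            self.collisions.append((handle, existing.sha256, digest))
        return handle

    def get(self, handle: str):
        entry = self.entries.get(handle)
        return entry.data if entry else None

    def verify(self, handle: str, data: bytes) -> bool:
        """The integrity check the network applies: does the handle match?"""
        return self.handle_fn(data) == handle


def find_colliding_pair(handle_fn, prefix: bytes):
    """Brute-force two distinct inputs with the same handle. Feasible only
    for the constructed weak handle; used here to manufacture the collision."""
    seen = {}
    i = 0
    while True:
        blob = prefix + str(i).encode()
        h = handle_fn(blob)
        if h in seen:
            return seen[h], blob
        seen[h] = blob
        i += 1


def demo() -> dict:
    # Constructed sample content standing in for two different audio files.
    a, b = find_colliding_pair(weak_handle, b"constructed-track-")
    idx = ContentIndex(weak_handle)
    h = idx.put(a)
    idx.put(b)
    return {
        "handles_equal": weak_handle(a) == weak_handle(b),
        "served_for_b": idx.get(h) == a,       # a lookup for b hands back a
        "b_passes_check": idx.verify(h, b),    # the integrity check accepts b
        "collisions_flagged": len(idx.collisions),
    }


if __name__ == "__main__":
    print(demo())
```

With `md5_handle` and ordinary distinct inputs the index behaves as expected; the point of `demo()` is that once a collision exists the search handle and the integrity check both pass for the wrong content, and only the second hash exposes it.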

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


