MD5 To Be Considered Harmful Someday
Eric Rescorla
ekr at rtfm.com
Wed Dec 8 00:01:40 EST 2004
"James A. Donald" <jamesd at echeque.com> writes:
> --
> On 6 Dec 2004 at 16:14, Dan Kaminsky wrote:
>> * Many popular P2P networks (and innumerable distributed
>> content databases) use MD5 hashes as both a reliable search
>> handle and a mechanism to ensure file integrity. This makes
>> them blind to any signature embedded within MD5 collisions.
>> We can use this blindness to track MP3 audio data as it
>> propagates from a custom P2P node.
>
> This seems pretty harmful right now, no need to wait for
> someday.
>
> But even back when I implemented Crypto Kong, the orthodoxy was
> that one should use SHA1, even though it is slower than MD5, so
> it seems to me that MD5 was considered harmful back in 1997,
> though I did not know why at the time, and perhaps no one knew
> why.
Dobbertin's collision in the MD5 compression function was published
in May of 1996.
-Ekr
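The indexing blindness Kaminsky describes, as an added example that is not part of this thread: the two 128-byte inputs are the widely reproduced Wang et al. (2004) MD5 collision pair as printed on the Wikipedia MD5 article, and the `ContentIndex` class is a constructed toy model of a hash-keyed P2P store. It goes one step beyond the quoted text by also showing that appending a shared suffix (the "rest of the file") keeps the collision, which is what makes such pairs usable in practice, and that keying the index on SHA-256 keeps the two files apart.

```python
import hashlib

# Constructed: the published Wang et al. MD5 collision pair (hex from the
# Wikipedia MD5 article). The two 128-byte blocks differ in only six bytes.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
# Constructed stand-in for the remainder of a shared file body.
SUFFIX = b"\x00" * 64 + b"constructed shared tail of an audio file"


def digest(algo, data):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def differing_positions(a, b):
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


class ContentIndex:
    """Toy content-addressed store (hypothetical): files are published, found and
    deduplicated purely by their hash, as the quoted P2P networks do."""

    def __init__(self, algo):
        self.algo = algo
        self.files = {}  # handle -> first content seen under that handle

    def publish(self, data):
        handle = digest(self.algo, data)
        self.files.setdefault(handle, data)  # later duplicates are dropped
        return handle

    def fetch(self, handle):
        return self.files.get(handle)


def demo(algo):
    """Publish both variants (with the shared suffix) and report what the index sees."""
    idx = ContentIndex(algo)
    h_a = idx.publish(BLOCK_A + SUFFIX)
    h_b = idx.publish(BLOCK_B + SUFFIX)
    return {"same_handle": h_a == h_b, "entries": len(idx.files),
            "b_served_intact": idx.fetch(h_b) == BLOCK_B + SUFFIX}
```

Under `md5` the index reports one entry and serves file A when file B's handle is requested; under `sha256` the two files get distinct handles.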