The Pointlessness of the MD5 "attacks"
Ben Laurie
ben at algroup.co.uk
Wed Jan 5 06:23:52 EST 2005
C. Scott Ananian wrote:
> On Wed, 22 Dec 2004, Ben Laurie wrote:
>
>> Blimey. Finally. An attack I can actually believe in. Excellent.
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F8955AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A700000000000000000000000000000001B
>> is prime
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F8955AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A700000000000000000000000000000001B
>> is not prime
>> both have MD5 b4b12dc7ec1b9422f6596d2a863d7900.
>
>
> It's worth noting that the *currently known* MD5 collisions are very
> limited in number and form. Anyone who did not screen their binaries
> for these would be a fool.
It was my understanding that they are very easy to generate. Are you
scanning your binaries? Do you have a complete list?
> When more details emerge about the collision-generation technique, we'll
> be able to see if the MD5 collisions remain "weak keys" which we can
> efficiently check a binary for, or become general enough that it's
> impossible to rule out a collision in our binary material.
>
> But since Ben began this discussion by concentrating only on
> *currently-known* weaknesses in MD5, I would have to argue that this
> particular weakness, although possible to "actually believe in", is
> pretty trivial to avoid. In fact, I'd argue strongly that any "security
> review" that neglected to notice a known MD5 collision in the key primes
> (in addition to checking that they are really prime, etc) would be
> incompetent.
Given that we know (for some value of "know") that these collisions can
be generated with trivial amounts of work, but do not know how to detect
them (yet), I wouldn't agree with this.
What would be incompetent would be to rely on an MD5 hash.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
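As an added example (not part of the thread, and not code from either Ben Laurie or C. Scott Ananian), the script below takes the two hex numbers exactly as quoted in the post and checks the properties the exchange turns on: that the two values are different integers (they differ in exactly six bytes of the first 128-byte block), that their MD5 digests are identical, that a modern hash such as SHA-256 separates them, and that appending any common suffix to the pair leaves the MD5 collision intact, which is why a fixed "list of known collisions" cannot be complete. Primality is tested with a Miller-Rabin routine written here for illustration; the post does not say how Ben checked primality, so that helper and every function name are assumptions of this example. The digest the post reports is printed for comparison but is not relied on.

```python
import hashlib
import random

# The two numbers exactly as quoted in the thread (copied verbatim from the post).
NUM_A_HEX = "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F8955AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A700000000000000000000000000000001B"
NUM_B_HEX = "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F8955AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A700000000000000000000000000000001B"
REPORTED_MD5 = "b4b12dc7ec1b9422f6596d2a863d7900"  # digest as stated in the post


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_byte_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which two equal-length byte strings differ."""
    assert len(a) == len(b), "the colliding pair must have equal length"
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (constructed helper, not the
    tool used in the post). Fixed seed keeps the result reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True


def analyse_pair(hex_a: str, hex_b: str) -> dict:
    """Compare the two quoted numbers as byte strings and as integers."""
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    return {
        "distinct_integers": int(hex_a, 16) != int(hex_b, 16),
        "diff_offsets": differing_byte_offsets(a, b),
        "md5": md5_hex(a),
        "md5_collide": md5_hex(a) == md5_hex(b),
        "sha256_collide": sha256_hex(a) == sha256_hex(b),
        "a_probable_prime": is_probable_prime(int(hex_a, 16)),
        "b_probable_prime": is_probable_prime(int(hex_b, 16)),
    }


def suffix_preserves_collision(hex_a: str, hex_b: str, suffix: bytes) -> bool:
    """MD5 is Merkle-Damgard: once the internal state collides at a block
    boundary, any common suffix yields the same digest for both messages."""
    a = bytes.fromhex(hex_a) + suffix
    b = bytes.fromhex(hex_b) + suffix
    return md5_hex(a) == md5_hex(b)


if __name__ == "__main__":
    report = analyse_pair(NUM_A_HEX, NUM_B_HEX)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("matches digest reported in the post:", report["md5"] == REPORTED_MD5)
    # Constructed suffix: any common tail keeps the MD5 collision alive.
    print("collision survives a common suffix:",
          suffix_preserves_collision(NUM_A_HEX, NUM_B_HEX, b"any common tail"))
```

The `suffix_preserves_collision` check is the practical point behind Ben's "Do you have a complete list?": every common extension of a known colliding pair is a fresh colliding pair, so screening binaries against a finite list of published collisions cannot rule them out, whereas switching the comparison to a hash without a known collision attack (SHA-256 here) separates the two values immediately.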