The Pointlessness of the MD5 "attacks"

Ben Laurie ben at algroup.co.uk
Wed Jan 5 06:23:52 EST 2005


C. Scott Ananian wrote:
> On Wed, 22 Dec 2004, Ben Laurie wrote:
> 
>> Blimey. Finally. An attack I can actually believe in. Excellent.
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F8955AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A700000000000000000000000000000001B 
>> is prime
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F8955AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A700000000000000000000000000000001B 
>> is not prime
>> both have MD5 b4b12dc7ec1b9422f6596d2a863d7900.
> 
> 
> It's worth noting that the *currently known* MD5 collisions are very 
> limited in number and form.  Anyone who did not screen their binaries 
> for these would be a fool.

It was my understanding that they are very easy to generate. Are you 
scanning your binaries? Do you have a complete list?

> When more details emerge about the collision-generation technique, we'll 
> be able to see if the MD5 collisions remain "weak keys" which we can 
> efficiently check a binary for, or become general enough that it's 
> impossible to rule out a collision in our binary material.
> 
> But since Ben began this discussion by concentrating only on 
> *currently-known* weaknesses in MD5, I would have to argue that this 
> particular weakness, although possible to "actually believe in", is 
> pretty trivial to avoid.  In fact, I'd argue strongly that any "security 
> review" that neglected to notice a known MD5 collision in the key primes 
> (in addition to checking that they are really prime, etc) would be 
> incompetent.

Given that we know (for some value of "know") that these collisions can 
be generated with trivial amounts of work, but do not know how to detect 
them (yet), I wouldn't agree with this.

What would be incompetent would be to rely on an MD5 hash.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
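The two numbers from the quoted post checked in code, as an added Python example that is not part of the thread: the hex is split into the 128-byte Wang et al. collision pair and the common 16-byte suffix (that split is my reading of the post's digits), the script confirms the MD5 collision and the six differing bytes, shows that any common data appended after the colliding blocks keeps the collision, and reproduces the prime / not-prime check with Miller-Rabin.

```python
import hashlib
import random

# The two hex numbers from the post, split (my reading) into the 128-byte Wang
# et al. MD5 collision pair and the common 16-byte suffix ...1B appended to them.
WANG_A = bytes.fromhex(
    "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F89"
    "55AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5B"
    "D8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0"
    "E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A70")
WANG_B = bytes.fromhex(
    "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F89"
    "55AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5B"
    "D8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0"
    "E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A70")
SUFFIX = bytes.fromhex("0000000000000000000000000000001B")
NUM_A, NUM_B = WANG_A + SUFFIX, WANG_B + SUFFIX  # "is prime" / "is not prime"

def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets where the two messages differ (six for the Wang pair)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def md5_collides(a: bytes, b: bytes) -> bool:
    """True when two distinct messages share one MD5 digest."""
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()

def collision_survives_suffix(a: bytes, b: bytes, tail: bytes) -> bool:
    """MD5 is a Merkle-Damgard hash: after the colliding 128-byte blocks its state
    is identical, so any common tail keeps the collision (hence the ...1B suffix)."""
    return md5_collides(a + tail, b + tail)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test, enough to reproduce the post's prime / not-prime claim."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(2005)  # fixed seed so the check is reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

if __name__ == "__main__":
    print(md5_collides(NUM_A, NUM_B), differing_offsets(NUM_A, NUM_B))
    print(is_probable_prime(int.from_bytes(NUM_A, "big")),
          is_probable_prime(int.from_bytes(NUM_B, "big")))
```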


