The last eight messages I see on cypherpunks (sorted by date, threaded) are forwards of messages from Perry's crypto list. Perry's list is archived publicly on the web if anyone subscribing to cypherpunks but not his list is interested in the discussion -- so let me humbly suggest that it might be possible not to forward each message. One is enough. Less is more. Let's eliminate redundancy, thus eliminating redundancy.

-Declan "TCM" McCullagh

On Tue, Aug 17, 2004 at 03:09:58PM -0400, R. A. Hettinga wrote:
--- begin forwarded text
Delivered-To: cryptography@metzdowd.com
Date: Tue, 17 Aug 2004 11:10:58 -0400
From: Thomas Harold <tgh@tgharold.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616
To: cryptography@metzdowd.com
Subject: Re: MD5 collisions?
Sender: owner-cryptography@metzdowd.com
Eric Rescorla wrote:
Check out this ePrint paper, which claims to have collisions in MD5, MD4, HAVAL, and full RIPEMD.
http://eprint.iacr.org/2004/199.pdf
The authors claim that the MD5 attack took an hour for the first collision and 15 seconds to 5 minutes for subsequent attacks with the same first 512 bits.
I'll play the newbie and ask the question... how would this be used in a practical attack against MD5 (or the other hashing algorithms)?
From my limited understanding, MD5 is usually used as a hash to detect tampering in a particular bitstream. In which case, the attacker's goal would be to calculate how to change bits in the bitstream without changing the MD5 output. (And hopefully without making the bitstream a different size.) Is this where collisions come into play?
Alternatively, hash functions can be used to store passwords (salt + plain text password => hash function => password file). But I don't see where the attacker could use collisions for that.
[Moderator's note:
You might want to read up on hash functions and their uses -- "detecting tampering" in the sense you mean isn't the main use of hash functions these days though they are certainly employed in such applications. Hash functions are a primitive used in all sorts of places as part of MACs, as ways of enabling signature systems, as elements of commitment protocols etc. The use in commitment protocols is totally blown by the current results, btw.
For purposes of things like X.509 certificates, as message integrity codes, etc., the current attacks don't provide an immediate way to attack the system, but they make one worried about the health of the algorithms -- probably sufficiently much to motivate quickly abandoning them for ones that are not vulnerable to these attacks.
--Perry]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
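Perry's remark that commitment protocols are "totally blown" by collisions, illustrated with added example code that is not from the thread: a hash commitment publishes H(opening) and is only binding if nobody can produce two openings with the same hash, so a committer who holds a colliding pair can reveal whichever one suits them later. The truncated MD5 and the "vote=..." message format are constructed for this example; the short output lets a birthday search find the pair in well under a second, standing in for a real collision attack on the full function.

```python
import hashlib
import itertools

# Constructed for illustration: MD5 truncated to TRUNC_BITS bits so that a
# brute-force birthday search finds a collision quickly. A real attack on the
# full 128-bit function is what the ePrint paper claims; the protocol-level
# consequence shown below is the same either way.
TRUNC_BITS = 24


def toy_hash(data: bytes) -> bytes:
    return hashlib.md5(data).digest()[: TRUNC_BITS // 8]


def commit(opening: bytes) -> bytes:
    """Hash commitment: publish H(opening) now, reveal `opening` later."""
    return toy_hash(opening)


def verify(commitment: bytes, opening: bytes) -> bool:
    """The verifier accepts any opening that hashes to the commitment."""
    return toy_hash(opening) == commitment


def find_collision(prefix_a: bytes, prefix_b: bytes, table_size: int = 1 << 13):
    """Birthday search: one message from each 'meaning' with equal toy_hash.
    Counters rather than random bytes keep the result repeatable."""
    table = {}
    for i in range(table_size):
        m = prefix_a + str(i).encode()
        table[toy_hash(m)] = m
    for j in itertools.count():
        m = prefix_b + str(j).encode()
        hit = table.get(toy_hash(m))
        if hit is not None:
            return hit, m


def equivocate() -> bool:
    """True if a single commitment can be opened as both 'yes' and 'no'.

    Note this needs the committer to choose BOTH messages up front: a
    collision does not let anyone alter a file that is already published
    (that would be a second preimage), which is the distinction behind the
    'tampering' question in the thread."""
    m_yes, m_no = find_collision(b"vote=yes;nonce=", b"vote=no;nonce=")
    c = commit(m_yes)  # published before the outcome is known
    return verify(c, m_yes) and verify(c, m_no)  # both accepted: not binding


if __name__ == "__main__":
    print("one commitment opens both ways:", equivocate())
```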