At 06:11 PM 10/5/95 +1000, you wrote:
> One thing that occurs to me: suppose I go to control, collect cancel messages, and build myself a collection of M1's that will work with a given M2?
MD5 produces a very random 128-bit output; you're not going to collect any appreciable fraction of the 2**128 possible M2s. As long as M1 is even as simple as MD5(messageid,passphrase), it's pretty open territory.

Targeted attacks, however, are still possible, as long as M1 retains the form MD5(known-stuff, passphrase) - assuming the user uses one of the few hundred million wimpiest passphrases, you can search that moderately fast; if you're willing to burn some resources, you might be able to take out most of alt.religion.spam, at least until people use better passphrases.

The amount of work depends somewhat on whether you use MD5(known-stuff, passphrase) or MD5(passphrase,known-stuff). For the first case, the cracker would calculate the MD5 context after doing known-stuff (once) and then grind away on passphrases. For the second, the cracker could pre-compute a table of MD5 context for the wimpy password list, and then add known-stuff to each. Since known-stuff is probably longer than passphrases here, the latter is probably more secure for this application.

#---
# Thanks; Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---
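The two cracking strategies Bill describes, written out as an added example that is not part of the original thread. It uses Python's `hashlib`, whose MD5 objects can be copied mid-stream, which is exactly the "save the MD5 context and resume" trick the message relies on. The wordlist, the message-id used as known-stuff, and the victim passphrase are all constructed for the demonstration; the function names are mine and not from any cancel-message implementation.

```python
import hashlib

# Constructed stand-in for the "few hundred million wimpiest passphrases" list.
WIMPY_PASSPHRASES = [b"password", b"secret", b"letmein", b"cypherpunk", b"hunter2"]

# Constructed known-stuff: in the scheme under discussion this is the message-id
# (plus whatever else is public), and it is longer than a typical passphrase.
KNOWN_STUFF = b"<19951005.061142.demo.1234567890@example.invalid>"


def m1_known_first(known: bytes, passphrase: bytes) -> bytes:
    """M1 = MD5(known-stuff || passphrase): the first ordering in the message."""
    return hashlib.md5(known + passphrase).digest()


def m1_pass_first(known: bytes, passphrase: bytes) -> bytes:
    """M1 = MD5(passphrase || known-stuff): the second ordering."""
    return hashlib.md5(passphrase + known).digest()


def crack_known_first(known, target, candidates):
    """Attack on MD5(known || passphrase).

    Absorb known-stuff into an MD5 context once, then for every candidate
    copy that saved context and feed only the candidate passphrase.
    Returns (passphrase or None, bytes fed to MD5 after the one-time prefix).
    """
    prefix_ctx = hashlib.md5(known)      # paid once per target message
    online_bytes = 0
    for pw in candidates:
        ctx = prefix_ctx.copy()          # resume from the saved context
        ctx.update(pw)
        online_bytes += len(pw)
        if ctx.digest() == target:
            return pw, online_bytes
    return None, online_bytes


def precompute_pass_first(candidates):
    """Table of (passphrase, MD5 context) for the wimpy list: built once, reused for every target."""
    return [(pw, hashlib.md5(pw)) for pw in candidates]


def crack_pass_first(known, target, table):
    """Attack on MD5(passphrase || known).

    Start from the precomputed per-passphrase context, but every candidate
    still has to absorb the full known-stuff of this particular target.
    Returns (passphrase or None, bytes fed to MD5 for this target).
    """
    online_bytes = 0
    for pw, ctx in table:
        c = ctx.copy()
        c.update(known)
        online_bytes += len(known)
        if c.digest() == target:
            return pw, online_bytes
    return None, online_bytes


def demo(known=KNOWN_STUFF, victim_pw=b"cypherpunk", candidates=WIMPY_PASSPHRASES):
    """Run both attacks against a victim who chose a (constructed) weak passphrase."""
    t1 = m1_known_first(known, victim_pw)
    found1, work1 = crack_known_first(known, t1, candidates)
    t2 = m1_pass_first(known, victim_pw)
    found2, work2 = crack_pass_first(known, t2, precompute_pass_first(candidates))
    return {"known_first": (found1, work1), "pass_first": (found2, work2)}


if __name__ == "__main__":
    for order, (pw, work) in demo().items():
        print(f"{order:12s} recovered {pw!r} after feeding {work} bytes to MD5")
```

With known-stuff first, the per-candidate cost is only the passphrase length; with the passphrase first, each candidate must re-absorb the whole message-id, which is why the second ordering costs the attacker more per target. Two caveats: the byte counts above are a proxy, since MD5 actually does its work in 64-byte blocks and the copied context carries a partially filled block, so the real saving shows up in compression-function calls rather than raw bytes; and neither ordering helps a user whose passphrase is in the attacker's list at all, which is the point of the thread.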