Thomas Harold tgh at tgharold.com
Tue Aug 17 08:10:58 PDT 2004


To: cryptography at metzdowd.com
Subject: Re: MD5 collisions?
Sender: owner-cryptography at metzdowd.com

Eric Rescorla wrote:

> Check out this ePrint paper, which claims to have collisions in
> MD5, MD4, HAVAL, and full RIPEMD.
>
> http://eprint.iacr.org/2004/199.pdf
>
> The authors claim that the MD5 attack took an hour for the first
> collision and 15 seconds to 5 minutes for subsequent attacks
> with the same first 512 bits.

I'll play the newbie and ask the question... how would this be used in a
practical attack against MD5 (or the other hashing algorithms)?

From my limited understanding, MD5 is usually used as a hash to detect
tampering in a particular bitstream.  In which case, the attacker's goal
would be to calculate how to change bits in the bitstream without
changing the MD5 output.  (And hopefully without making the bitstream a
different size.)  Is this where collisions come into play?

Alternatively, hash functions can be used to store passwords (salt +
plain text password => hash function => password file).  But I don't see
where the attacker could use collisions for that.

[Moderator's note:

 You might want to read up on hash functions and their uses --
 "detecting tampering" in the sense you mean isn't the main use of
 hash functions these days though they are certainly employed in such
 applications. Hash functions are a primitive used in all sorts of
 places as part of MACs, as ways of enabling signature systems, as
 elements of commitment protocols etc. The use in commitment protocols
 is totally blown by the current results, btw.

 For purposes of things like X.509 certificates, as message integrity
 codes, etc., the current attacks don't provide an immediate way to
 attack the system, but they make one worried about the health of the
 algorithms -- probably sufficiently much to motivate quickly
 abandoning them for ones that are not vulnerable to these attacks.

 --Perry]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
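As an added illustration of the distinction Thomas asks about and of Perry's remark that commitment protocols are blown by collisions (example code written for this archive page, not from either poster): a toy model in which MD5 is truncated to 20 bits so that a birthday collision is cheap to find. It shows that an attacker-chosen colliding pair lets a committer open a commitment two ways, while tampering with a fixed document or recovering a salted password still requires a preimage. The prefixes, salt, document and password are constructed sample values.

```python
"""Toy model: where a collision attack on a hash matters and where it does not.
MD5 is truncated to TRUNC_BITS so the searches finish in seconds; the point is
the gap between collision cost (~2^(n/2)) and preimage cost (~2^n)."""
import hashlib
from itertools import count

TRUNC_BITS = 20  # toy weakening; the real attacks need no truncation

def h(data: bytes) -> int:
    """MD5 truncated to TRUNC_BITS (stand-in for a weakened full-width hash)."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - TRUNC_BITS)

def find_collision(prefix: bytes) -> tuple[bytes, bytes, int]:
    """Birthday search for two distinct messages with a common prefix and equal
    h(). The attacker chooses BOTH messages, as in the ePrint results."""
    seen = {}
    for tries in count(1):
        m = prefix + tries.to_bytes(4, "big")
        v = h(m)
        if v in seen:
            return seen[v], m, tries
        seen[v] = m

def find_preimage(target: int, salt: bytes) -> tuple[bytes, int]:
    """Brute-force a candidate with h(salt + candidate) == target. This is what
    attacking a fixed document or a salted password record requires."""
    for tries in count(1):
        cand = tries.to_bytes(4, "big")
        if h(salt + cand) == target:
            return cand, tries

# 1. Commitment: publish h(m1), later open with either m1 or m2.
def commitment_equivocation() -> tuple[bool, bool, int]:
    m1, m2, tries = find_collision(b"sealed bid: ")  # constructed prefix
    c = h(m1)                                        # published commitment
    return h(m1) == c, h(m2) == c, tries             # both openings verify

# 2. Tampering with a document the attacker did not choose: a collision pair
# is useless because neither half matches the honest digest (expect False).
HONEST_DOC = b"constructed sample: pay 100 to Alice"
def collision_pair_matches_honest_doc() -> bool:
    m1, m2, _ = find_collision(b"pay 100 to ")
    return h(HONEST_DOC) in (h(m1), h(m2))

# 3. Salted password file: stored = h(salt + password); recovering any
# verifying password is a preimage search, so the collision speed-up is gone.
def crack_salted_record() -> tuple[bool, int]:
    salt = b"\x13\x37"                               # constructed sample salt
    stored = h(salt + b"hunter2")                    # constructed sample record
    cand, tries = find_preimage(stored, salt)
    return h(salt + cand) == stored, tries

if __name__ == "__main__":
    print("commitment opens both ways (m1 ok, m2 ok, tries):", commitment_equivocation())
    print("collision pair hits honest document:", collision_pair_matches_honest_doc())
    print("salted record cracked (verifies, tries):", crack_salted_record())
```

Compare the `tries` counts printed for cases 1 and 3: the collision search finishes in roughly a thousand steps, the preimage search in roughly a million, which is the asymmetry that leaves salted password hashing and integrity checks on fixed data outside the immediate reach of these results.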
