[sclug] MD5 is compromised
Roland Turner SCLUG
raz.fpyht.bet.hx at raz.cx
Thu Aug 19 08:14:48 UTC 2004
Will Dickson wrote:
> A group of Chinese cryptologists yesterday (17th) published
> an attack which basically defeats the MD5 "checksum" (ie.
...
> If you use MD5 for anything security-related you need to
> stop doing so. Replace with SHA-1.

Before anybody panics, the break is that two different plaintexts have
been found which, when put through an algorithm similar[1] to MD5, generate
the same hash. A rather large amount of CPU time (measured in years rather
than trillions of years, which is the real breakthrough here) was required
to do this. Frequently when a hash clash (two different inputs -> same
output) is found, it is relatively trivial to find "similar" clashes very
cheaply (the basis of hash-cash in fact); there is no indication at
present that this is the case here. Further, there is no indication at
present that a means has been discovered to generate an alternate
plaintext (e.g. trojaned download) that has the same hash as an existing
legitimate plaintext.

Historically, steps like this have been a first step towards finally
rendering an algorithm cryptographically futile, but this doesn't always
occur and, even if it does, it's likely to take some considerable time.

That said, relying on MD5 alone for signing has been viewed as unsafe for
years; use at least SHA1 or SHA1 and MD5 together.

- Raz

1: The difference appears to have been accidental; for some reason the
endianness in the initialisation vector (list of 32-bit numbers used to
seed the algorithm) was inverted, meaning that the hash algorithm for
which a clash was discovered is very similar to, but not the same as, MD5.
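
Added example, not part of the original post: a from-scratch MD5 in Python (following RFC 1321) with a selectable initialisation vector, illustrating footnote 1 by showing that changing only the IV yields a different hash function. It assumes "inverted endianness" means each 32-bit IV word is byte-swapped; `md5_with_iv`, `SWAPPED_IV` and `matches_real_md5` are names chosen here.

```python
import hashlib
import math
import struct

# Standard MD5 initialisation vector (RFC 1321), as four 32-bit words.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Per-step left-rotation amounts and sine-derived constants from RFC 1321.
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]

def byteswap32(word):
    """Reverse the byte order of one 32-bit word."""
    return struct.unpack("<I", struct.pack(">I", word))[0]

# Assumed reading of the footnote: every IV word has its bytes reversed.
SWAPPED_IV = tuple(byteswap32(w) for w in MD5_IV)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md5_with_iv(message, iv=MD5_IV):
    """Run the MD5 compression function over `message`, seeded with `iv`."""
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length (64-bit LE).
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = list(iv)
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + K[i] + m[g]) & 0xFFFFFFFF
            a, d, c, b = d, c, b, (b + rotl(f, SHIFTS[i])) & 0xFFFFFFFF
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state).hex()

def matches_real_md5(message, iv=MD5_IV):
    """True if hashing `message` with `iv` reproduces hashlib's MD5 digest."""
    return md5_with_iv(message, iv) == hashlib.md5(message).hexdigest()
```

With the standard IV the output agrees with `hashlib.md5`; with `SWAPPED_IV` the same message hashes to an unrelated value, so a pair of inputs that clash under one IV says nothing directly about whether they clash under the other.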