More MD5 Attacks Devised
Posted by Hemos on Fri Mar 11, 2005 09:39 AM
from the need-to-make-secure dept.
rbarreira writes "Bruce Schneier's blog is reporting on a new paper by Vlastimil Klýma, which summarizes a new method for finding collisions on the MD5 hash algorithm. Furthermore, the first pair of colliding X.509 Certificates has been published by a different team."
Misspelled surname. (Score:3, Informative)
But I use MD5... (Score:4, Insightful)
I told you so (Score:5, Interesting)
I was moderated down heavily for stating that MD5 was broken for any and all purposes before. Now I think I feel at least somewhat vindicated.
There are two problems here... Yes, the break in MD5 (and SHA-1) involved two chosen pre-images, and it was still not computationally easy. But there are two problems with hiding behind those justifications.
The first is that once an analytical wedge has been driven into a crack in the algorithm, it often doesn't take long for that wedge to be wiggled back and forth to make the crack even wider. This demonstrates that the attack is computationally feasible enough for anybody to generate two keys that have matching MD5 signatures. I don't think anybody would've agreed that this would happen this quickly a few months ago.
Secondly, deciding when a certain kind of attack is relevant in a particular situation is not trivial. So, if you can generate two different keys that appear identical, what kinds of interesting attacks can you perform? What assumptions do browsers and other software make about keys that are now broken? Can those assumptions be exploited? This shouldn't make phishing any easier, but what if a phisher manages to be the person who generated the bank's key in the first place?
Having an algorithm that is weaker in some significant way than what everybody expects makes everything very tricky. MD5 (and SHA1) are no longer secure hash algorithms, and should not be treated as such for any purpose at all, regardless of whether or not you think you have the gigantic cranium that can think through all the implications of a particular weakness. You are most likely wrong.
Re:I told you so (Score:5, Insightful)
For long-term cryptographic purposes where no other form of authentication exists, yes.
As a general hashing algorithm, it works just fine.
As a short-lived authentication (probably still good for a period of several days, but for a few minutes, such as a secure website transaction, it still works perfectly well) - No need to rush out and change a few thousand storefronts just because, with luck, massive CPU power, and a week or two of CPU time, a determined cracker can fake a message. And note that I refer to signing the transaction itself, not to certs guaranteeing a site as authentic.
As an adjunct to another semi-private means of authentication (such as a password), no problem.
For checking the integrity of a file transfer - In-transit changes such as a man-in-the-middle attack, no problem. Checking an executable against the known-good hash when you have reason to suspect someone might want to change it, probably not so safe.
Now, that said, if a coder sat down today to implement a secure cryptographic hash in a new project, should they use something better, like SHA-512? Sure! But should everyone scramble to purge all references to MD5 from their existing codebases? For 99% of code out there, I'd say no.
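The "checking an executable against the known-good hash" case in the reply above, worked through as an added example (this code is not from the thread; the two 128-byte inputs are the published Wang, Feng, Lai and Yu collision pair, while the "installer" trailer and the integrity-check function around them are constructed for the illustration). It also shows the property the colliding X.509 certificates from the submission rely on: because MD5 is an iterated (Merkle-Damgard) hash, two inputs that collide leave the hash in the same internal state, so any common suffix appended to both keeps them colliding without any further cryptanalysis.

```python
import hashlib

# Published identical-prefix MD5 collision pair (Wang, Feng, Lai and Yu):
# two 128-byte inputs that differ in six bytes and share one MD5 digest.
M0 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which the two colliding inputs differ."""
    return [i for i in range(min(len(a), len(b))) if a[i] != b[i]]


def collides_with_suffix(suffix: bytes) -> bool:
    """MD5 is an iterated (Merkle-Damgard) hash: after M0 and M1 the
    compression function sits in the same chaining state, so appending the
    same suffix to each keeps them colliding. No new cryptanalysis needed."""
    return md5_hex(M0 + suffix) == md5_hex(M1 + suffix)


def integrity_check_passes(delivered: bytes, known_good_hex: str) -> bool:
    """The 'compare against the published MD5' check discussed in the thread."""
    return md5_hex(delivered) == known_good_hex


def demo() -> dict:
    # Constructed payload: a stand-in for two builds of a distributed file
    # that share everything except the embedded collision block.
    tail = b"\n# installer v1.0 -- common trailer shared by both builds\n"
    benign = M0 + tail
    tampered = M1 + tail
    published_md5 = md5_hex(benign)          # what the vendor would post
    return {
        "pair_collides": md5_hex(M0) == md5_hex(M1),
        "differ_at": differing_offsets(M0, M1),
        "suffix_still_collides": collides_with_suffix(b"any common suffix"),
        "tampered_file_passes_md5": integrity_check_passes(tampered, published_md5),
        "sha256_tells_them_apart": hashlib.sha256(benign).digest()
                                   != hashlib.sha256(tampered).digest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the triage in the reply above: an MD5 check still catches accidental corruption in transit, but it cannot tell apart two files whose author controlled both, which is exactly the "someone might want to change it" case. Publishing a SHA-256 alongside (or instead) separates the two builds in the example.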
Re:WTF? (Score:3, Informative)
http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf
I saw this link at the page linked in this
Wait for the dust to settle (Score:5, Insightful)
But if you can, you're best off waiting a few years. This and other recent results will spark a period of frenetic research into new ways of building fast hash functions that don't have these vulnerabilities. I'm sure some great stuff will come out of it. A front-runner may not really emerge for a good few years.
I'm in some ways even more struck by Kelsey and Schneier's recent second-preimage finding attack, which works against pretty much all modern hash functions, and suggests that the fundamental Merkle-Damgard paradigm by which we build them needs to be revisited. Our hash functions may end up looking more like Panama than like MD4.