MD5 To Be Considered Harmful Someday 401
Effugas writes "I've completed an applied security analysis (pdf) of MD5 given Xiaoyun Wang et al's collision attack (covered here and here). From an applied perspective, the attack itself is pretty limited -- essentially, we can create 'doppelganger' blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum. But MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. Wang released the two files needed (but not the collision finder itself). A tool, Stripwire, demonstrates the use of colliding datasets to create two executable packages with wildly different behavior but the same MD5 hash. The faults discovered are problematic but not yet fatal; developers (particularly of P2P software) who claim they'd like advance notice that their systems will fail should take note."
Two files with the same md5 hash? (Score:5, Funny)
MP5 harmful? No way! (Score:5, Funny)
In english (Score:4, Funny)
Good analysis (Score:5, Funny)
I am glad somebody does.
Re:In english (Score:1, Funny)
A computer thingy has an owie.
This is almost appropriate... (Score:4, Funny)
And your double-clicking icon puts your window in the trash,
And your data is corrupted 'cause the index doesn't hash,
Then your situation's hopeless and your system's gonna crash!
If I Had A Million Terabytes... (Score:5, Funny)
Two files with the same MD5 hash at once. Aaw yeah.
I studied different hashes.. (Score:1, Funny)
Re:Good analysis (Score:4, Funny)
Homer: Say it in English, Doc.
Hibbert: You're going to need open heart surgery.
Homer: Spare me your medical mumbo jumbo.
Hibbert: We're going to cut you open and tinker with your ticker.
Homer: Could you dumb it down a shade?
http://www.tvtome.com/tvtome/servlet/GuidePageSer
Re:If I Had A Million Terabytes... (Score:2, Funny)
Re:You are missing the point. (Score:3, Funny)
You can just ask Verisign for a certificate in the name of Microsoft, and they'll give you one. Much simpler.
It's happened in the past. [microsoft.com]
Re:Two files with the same md5 hash? (Score:3, Funny)
drice@pinky:/tmp$ echo "Hello World" > file2
drice@pinky:/tmp$ md5sum file1
e59ff97941044f85df5297e1c302d260 file1
drice@pinky:/tmp$ md5sum file2
e59ff97941044f85df5297e1c302d260 file2
Cheap, I know...
MD6 (Score:3, Funny)