David Pick <d.m.pickat_private> writes:

> A cryptographically strong hash function like the one used in MD5
> is far harder to "crack". I can't really comment on just *how* much
> harder

A good hash function would be where the amount of work necessary to create two predictable inputs to hash to the same output is equal to or greater than pure brute force, i.e., feeding all possible inputs to the function and finding two that collide. In practice, it's better than this, because forged input that matches the hash for legitimate input needs to look like the real input. That is, it can't be gibberish.

Attacks against hashing functions are basically attempts to make it feasible to find (or to create) a forged input that will match the hash of legitimate input. CRC is rightly called a checksum, rather than a hash, because of the relative ease of finding a legitimate looking input that will produce a given fingerprint.

As for the strength of MD5, no practical attacks have been found against it. A few years back, Hans Dobbertin of Germany published some interesting work on MD5 in RSA's /CryptoBytes/. In the article, he concluded that although he didn't have a good successful attack against MD5, it was starting to look like MD4 (which was eventually defeated). Some have preferred to use SHA-1 over MD5 for this reason. As far as I know, no one has published any additional work on MD5 that has built on Dobbertin's work, or found any other serious attacks against it.

So through all of the noise, the basic difference is feasibility of creating an input that will match a given fingerprint. CRC32 is feasible, and things like MD5 (at 128 bits) and SHA-1 (at 160 bits) are not. Might be interesting to do some calculations to see just how much work it would require...but assuming conventional computers (i.e., ruling out stable quantum or DNA computers), it's certainly way longer than we, our children, or their children have to work on the problem.

--
Matt Curtin, CISSP, IAM, INTP.
Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)
This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 08:30:01 PST
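
Added example (not part of the original post or written by its author): a Python sketch of the contrast the message draws, showing that four chosen trailing bytes make an altered input reproduce the original's CRC32 while its SHA-1 digest still differs, plus the brute-force arithmetic the post suggests. The sample strings and the 1e12 hashes-per-second rate are constructed assumptions, and the function names are illustrative.

```python
import hashlib
import zlib

def _make_table():
    """Standard reflected CRC-32 lookup table (polynomial 0xEDB88320)."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _make_table()
# Every table entry has a distinct top byte, so a CRC step can be undone.
REV = {entry >> 24: index for index, entry in enumerate(TABLE)}

def forge_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # register after `data`
    want = target_crc ^ 0xFFFFFFFF          # register that yields the target
    for _ in range(4):                      # run the register back 4 bytes
        index = REV[want >> 24]
        want = (((want ^ TABLE[index]) << 8) | index) & 0xFFFFFFFF
    # CRC is linear: XOR of the two registers is the suffix bridging them.
    return (want ^ state).to_bytes(4, "little")

def brute_force_years(bits: int, hashes_per_second: float) -> float:
    """Years to try 2**bits inputs at the given (assumed) rate."""
    return 2 ** bits / hashes_per_second / (365.25 * 24 * 3600)

def demo():
    original = b"amount=10;payee=alice"        # constructed sample
    tampered = b"amount=9999;payee=bob;pad="   # constructed sample
    forged = tampered + forge_suffix(tampered, zlib.crc32(original))
    crc_same = zlib.crc32(forged) == zlib.crc32(original)
    sha1_same = hashlib.sha1(forged).digest() == hashlib.sha1(original).digest()
    return crc_same, sha1_same

if __name__ == "__main__":
    print("CRC32 matches after tampering:", demo()[0])
    print("SHA-1 matches after tampering:", demo()[1])
    for name, bits in (("CRC32", 32), ("MD5", 128), ("SHA-1", 160)):
        print(name, "%.3g years at 1e12 hashes/s" % brute_force_years(bits, 1e12))
```

The takeaway for integrity checking is that a CRC32 match only rules out accidental corruption; detecting deliberate modification needs a cryptographic hash.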