>Does anyone have a reference/link to any well known md5 vulnerabilities.
>I remember reading something about them awhile back but couldn't google
>up anything. Also, are there any arguments *against* using md5? Should
>persons be using sha1 instead?

Personally I'd be interested in not so well known md5 vulns too :D

From http://www.mirrors.wiretapped.net/security/cryptography/hashes/papers/md5-vs-sha.txt :

">-cryptanalysis ( is it safe)

There is a known way of finding "pseudo collisions" for MD5. Another term
for this is that there's a free-start collision attack against the
compression function on MD5. This doesn't seem to translate into an
attack on MD5 as it's actually used.

There appears to be some kind of problem with SHA, as well. The NSA / NIST
are working on a redesign. Nobody seems to be talking about what the
problem is, though.

>-brute force attacks (to make the same hash of a different message)

MD5 has an output of 128 bits, which I think is too small for good
security. A collision can be found by brute force in 2**64 operations.

...

If both algorithms are flawless, SHA will require 2**80 ops to generate a
hash collision, and MD5 will require 2**64"

The pseudocollisions paper is here
http://www.esat.kuleuven.ac.be/~cosicart/ps/AB-9300.ps.gz

then Hans Dobbertin extended the attack to proper collisions in md5's
compression function
http://www-cse.ucsd.edu/users/bsy/dobbertin.ps

He also wrote the summary 'The Status of MD5 After a Recent Attack'
ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf

If I understand correctly this means that md5 is 'one step away' from
being cracked wide open. I'd use SHA if I were you ;)

- Blazde
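The 2**64 (MD5) and 2**80 (SHA) figures quoted above are the birthday bound: a generic collision search against an n-bit hash needs about 2**(n/2) evaluations, whereas finding a second message with one fixed digest needs about 2**n. The script below is an added example, not part of the original post or of the quoted md5-vs-sha text. It runs both searches against MD5 truncated to a small number of bits (so they finish in seconds) and projects the same formula to the full 128-bit output; the function names, the truncation widths and the constructed messages are all my own choices, not anything from the page.

```python
"""
Birthday-bound demonstration against truncated MD5.

Assumptions (not from the original post):
  - We truncate MD5 to `bits` bits purely so a brute-force search finishes
    quickly; the full-width 2**64 figure is projected, never executed.
  - Messages are constructed counters such as b"msg-0-17"; any distinct
    byte strings would do.
"""
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of MD5(data) as an integer."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def birthday_collision(bits: int, seed: int = 0):
    """
    Generic collision search (birthday attack): hash fresh messages and
    stop at the first repeated truncated digest. Any two messages may
    collide, so roughly sqrt(pi/2 * 2**bits) trials suffice on average,
    i.e. about 2**(bits/2). Returns (msg_a, msg_b, trials).
    """
    seen = {}  # truncated digest -> message that produced it
    i = 0
    while True:
        msg = b"msg-%d-%d" % (seed, i)
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def second_preimage(target: bytes, bits: int, seed: int = 0):
    """
    Brute-force second preimage: find a different message whose truncated
    digest equals that of `target`. One side of the comparison is fixed,
    so there is no birthday shortcut and the expected cost is ~2**bits.
    Returns (msg, trials).
    """
    want = truncated_md5(target, bits)
    i = 0
    while True:
        msg = b"alt-%d-%d" % (seed, i)
        if msg != target and truncated_md5(msg, bits) == want:
            return msg, i + 1
        i += 1


def expected_birthday_trials(bits: int) -> float:
    """Expected trials until the first collision among 2**bits outputs."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


if __name__ == "__main__":
    # Collision against 32 truncated bits: ~2**16 work, not ~2**32.
    a, b, trials = birthday_collision(32)
    print("collision on 32 bits after %d trials (expected ~%.0f): %r %r"
          % (trials, expected_birthday_trials(32), a, b))

    # Second preimage against 16 truncated bits: ~2**16 work, no shortcut.
    target = b"the quick brown fox"  # constructed sample input
    alt, trials = second_preimage(target, 16)
    print("second preimage on 16 bits after %d trials (expected ~%d): %r"
          % (trials, 2 ** 16, alt))

    # Projection to full-width MD5 and SHA-1 outputs.
    for name, width in (("MD5", 128), ("SHA", 160)):
        print("%s: collision ~2**%.1f, preimage ~2**%d"
              % (name, math.log2(expected_birthday_trials(width)), width))
```

The collision search returns after roughly 82,000 MD5 calls for 32 bits, which is why a 128-bit digest buys only 64 bits of collision resistance; the second-preimage loop on only 16 bits already costs about as much, and doubling the width squares that cost rather than merely doubling it.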
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 08:53:42 PDT