Berson attempted a differential cryptanalysis against a single round (MD5 has 4 rounds), but this attack is ineffective on all four rounds. Bosselaers and den Boer produced an attack that does produce collisions using the compression function. While this doesn't lend itself to attacks on MD5, it does demonstrate that the design principle of producing a collision-resistant compression function was violated.

-----Original Message-----
From: Valdis.Kletnieksat_private [mailto:Valdis.Kletnieksat_private]
Sent: Tuesday, October 15, 2002 8:46 AM
To: Tony
Cc: vuln-devat_private
Subject: Re: Hashes,File protection,etc

On Mon, 14 Oct 2002 17:04:37 EDT, Tony said:
> Does anyone have a reference/link to any well known md5 vulnerabilities.
> I remember reading something about them awhile back but couldn't google
> up anything. Also, are there any arguments *against* using md5? Should
> persons be using sha1 instead?

As far as I know, nobody has managed to produce an actual MD5 hash collision.
Unless there's a *really major* break, which would be Big News, the resources
needed to exploit md5 itself are *waaay* past any that any attacker might have
access to.

The *BIG* vulnerability is the same as it's always been - if the attacker can
replace the foobar.tar.gz file with a trojaned copy, they can replace the
plaintext file that has the checksums in it too.

A bigger worry is that people won't even bother checking - a little birdie
told me that the recent Sendmail trojan was out there for a week mostly
because *nobody bothered checking the md5sum*.

Bottom line - given current state-of-the-art, even *IF* there exists somebody
who can actually exploit MD5 itself, it would be much easier for them to
arrange things so you were comparing the trojaned file against a trojaned
checksum....

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
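The substitution scenario Valdis describes, as an added example that is not part of the original thread: it mirrors what `md5sum -c` does against a checksum file served beside the tarball, then checks the same download against a digest recorded out of band. The file contents, the file name and the checksum-file text are constructed samples.

```python
import hashlib
import hmac

# Constructed in-memory stand-ins for foobar.tar.gz on a clean and on a
# compromised mirror; nothing is written to disk.
ORIGINAL_TARBALL = b"original foobar.tar.gz contents (constructed sample)"
TROJANED_TARBALL = b"trojaned foobar.tar.gz contents (constructed sample)"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_md5sum_file(text: str) -> dict[str, str]:
    """Parse md5sum output: one '<hex>  <name>' (or '<hex> *<name>') per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()   # '*' marks binary mode
    return entries


def verify_against_checksum_file(files: dict[str, bytes], checksum_text: str) -> bool:
    """Like 'md5sum -c': trusts whatever the co-located checksum file claims."""
    expected = parse_md5sum_file(checksum_text)
    return all(
        name in expected and hmac.compare_digest(expected[name], md5_hex(data))
        for name, data in files.items()
    )


def verify_against_pinned_hash(data: bytes, pinned_hex: str) -> bool:
    """Compares against a digest obtained through a separate channel."""
    return hmac.compare_digest(md5_hex(data), pinned_hex.lower())


def scenario() -> dict[str, bool]:
    clean_sums = f"{md5_hex(ORIGINAL_TARBALL)}  foobar.tar.gz\n"
    # The attacker who swapped the tarball also rewrote the checksum file.
    trojaned_sums = f"{md5_hex(TROJANED_TARBALL)}  foobar.tar.gz\n"
    pinned = md5_hex(ORIGINAL_TARBALL)   # noted out of band before the swap
    return {
        "clean_mirror_checksum_file": verify_against_checksum_file(
            {"foobar.tar.gz": ORIGINAL_TARBALL}, clean_sums),
        "trojaned_mirror_checksum_file": verify_against_checksum_file(
            {"foobar.tar.gz": TROJANED_TARBALL}, trojaned_sums),
        "trojaned_mirror_pinned_hash": verify_against_pinned_hash(
            TROJANED_TARBALL, pinned),
    }
```

The co-located checksum file passes the trojaned copy exactly as it passes the clean one; only the digest that arrived through a channel the attacker did not control rejects it.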
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 12:54:43 PDT