Re: Hashes,File protection,etc

From: Valdis.Kletnieksat_private
Date: Tue Oct 15 2002 - 15:00:53 PDT

    On Tue, 15 Oct 2002 18:33:56 BST, Roland Postle <mailat_private>  said:
    
    > Hmm, you took the quote and made it look like I said it. I agree with
    > what you say but I'll attempt to defend the original author anyway, for
    > the hell of it.
    
    I was replying to the message that included headers:
    
    Message-id: <E181SrY-00007X-00.2002-10-15-15-40-01at_private>
    From: Roland Postle <mailat_private>
    Date: Tue, 15 Oct 2002 15:39:50
    
    Looking at the original, it wasn't clear what you wrote and what you were
    citing from a URL from wiretapped.net either.  Sorry about that...
    
    > c) 17K texts is just one application of MD5. To assume 17K texts, and
    > then say "MD5 is secure enough" is misleading. Password hashing springs
    > to mind. And if you want a random collision I'd guess you shouldn't
    > have to hash more than around 16 bytes (128 bits) of plaintext / trial,
    > since this is the keylength.
    
    True enough. So you get to knock 3 zeros off.  :)
    
    Do you know anybody who's willing to spend 58,000 CPU years to find 2
    16-byte quantities that happen to have the same hash? ;) (OK, the guys
    at distributed.net might.. ;)
    
    > All of which means, with a big enough budget, you might be able to
    
    And my point was simply that if your adversary has THAT size budget,
    the fact that they can find an MD5 collision is the *LEAST* of your
    problems. Your entire computer *is* Tempest-hardened, right? ;)
    
    (For the non-crypto-geeks out there - the FBI's investigation of an
    alleged mobster by the name of Scarfo got stalled when they found that
    he used PGP to encrypt all the incriminating stuff.  Rather than break
    the crypto, or use any of the holes in PGP that may or may not have been
    known at the time, they got a court order for a black-bag job to install
    a keyboard recorder to grab his passphrase.  Moral:  Even if the expert
    cryptographers call an algorithm "weak", the *real* vulnerabilities are
    going to be elsewhere....)
    
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 11:19:48 PDT