Re: Moving away from MD5
Santiago Vila Doncel wrote:
>BTW: Just curiosity: I would be delighted to see two different files
>having the same md5sum. Do you have a simple example?
See http://www.ph.tn.tudelft.nl/~visser/hashes.html . Dobbertin's
paper, http://www.ph.tn.tudelft.nl/~visser/dobbertin.ps , shows
an example [with a different IV, but it still shows that MD5 is
quite vulnerable].
SHA-1 was designed before Dobbertin's attack methods became public
knowledge. Three possibilities: it's vulnerable, it's not vulnerable
by accident, or it's not vulnerable because the authors had design
criteria they didn't publish. RIPEMD-160, OTOH, was written afterwards,
specifically to be resistant to this kind of attack (with Dobbertin as
one of its authors :-)
WRT space requirements: An attacker who tries to create two files with
equal hash values for an n-bit hash only needs around 2^(n/2) operations
if he uses a so-called birthday attack, so the 128 bits of MD5 only provide
64 bits of "real" security. A 160-bit hash does sound much better (although
I'd still sleep more soundly with 256 bits, but there's no good 256-bit
hash available at the moment).
--
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
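The birthday bound mentioned in the post (about 2^(n/2) work to find any two colliding inputs for an n-bit hash) can be seen directly by running a birthday search against a deliberately shortened hash. The script below is an added example, not code from the post or from Dobbertin's paper: it uses the leading bits of MD5 as a stand-in for an "n-bit hash" (so the collisions it finds are collisions of the truncated value only, not real 128-bit MD5 collisions), hashes constructed messages "msg-0", "msg-1", ... until two of them agree, and reports how many messages that took next to 2^(n/2) and the exact expectation sqrt(pi/2 * 2^n). The message prefix and the truncation widths are arbitrary choices for the demonstration.

```python
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of MD5(data) as an integer.

    This is a toy n-bit hash for the demonstration; bits=128 gives full MD5.
    """
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until two share a truncated digest.

    Messages are the constructed strings prefix + "0", prefix + "1", ... so the
    run is deterministic. Returns (trials, msg_a, msg_b) where trials is the
    number of messages hashed, msg_a != msg_b, and both have the same
    `bits`-bit truncated hash.
    """
    seen = {}  # truncated hash -> first message that produced it
    i = 0
    while True:
        msg = prefix + str(i).encode()
        h = truncated_md5(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1


def expected_birthday_trials(bits: int) -> float:
    """Expected number of random samples until the first collision in a
    space of 2^bits values: sqrt(pi/2 * 2^bits), i.e. on the order of 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        trials, a, b = find_collision(bits)
        print(f"{bits:2d}-bit hash: collision after {trials} messages "
              f"(2^(n/2) = {2 ** (bits // 2)}, expected ~{expected_birthday_trials(bits):.0f}): "
              f"{a!r} and {b!r} share truncated hash {truncated_md5(a, bits):#x}")
```

Each doubling of n only doubles the attacker's cost by a factor of 2^(1/2) per bit, which is why a 128-bit digest is worth roughly 64 bits against a collision search; note the search also has to store about 2^(n/2) digests, which is the space cost the post alludes to.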