Re: Moving away from MD5
Santiago Vila Doncel wrote:
>BTW: Just curiosity: I would be delighted to see two different files
>having the same md5sum. Do you have a simple example?
See http://www.ph.tn.tudelft.nl/~visser/hashes.html . Dobbertin's
paper, http://www.ph.tn.tudelft.nl/~visser/dobbertin.ps , shows
an example [ with a different IV, but it still shows that MD5 is
SHA-1 has been designed before Dobbertin's attack methods became public
knowledge. Three possibilities: it's vulnerable, it's not vulnerable
by accident, or it's not vulnerable because the authors had design
criteria they didn't publish. RIPEMD-160, OTOH, was written afterwards,
specifically to be resistant to this kind of attack (with Dobbertin one
of its authors :-)
WRT space requirements: An attacker who tries to create two files with
equal hash functions for a n-bit hash only needs around 2^(n/2) operations
if he uses a so-called birthday attack, so the 128 bit of md5 only provide
64 bits of "real" security. A 160 bit hash does sound much better (although
I'd still sleep more soundly with 256 bit, but there's no good 256 bit
hash available at the moment).
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, firstname.lastname@example.org.
The joy of engineering is to find a straight line on a double
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
Trouble? e-mail to email@example.com .