mailing list archives
RE: MD5 To Be Considered Harmful Someday
From: "David Schwartz" <davids () webmaster com>
Date: Tue, 7 Dec 2004 20:01:13 -0800
From my reading it appears that you need the original source to create the
doppelganger blocks. It also appears that given a MD5 hash you could not
create a input that would give that MD5 back. Passwords encoded with MD5
would not fall prey to your discovery. Is this correct?
Correct. You will never be able to find the input given an MD5 hash. It
might be possible to, eventually, come up with an input that has the same
hash given just the hash, but you could never know if that was the original
input or not. (At least, not in general.)
Unfortunately when "The Press" publicized the MD5 hash discovery
by Joux and Wang it almost sounded like "The Press" was
surprised to find collisions in the MD5 domain
Lots of people were surprised. We all knew we were there, and we all knew
they'd be found eventually. I don't think many people suspected, however,
that they would be found quite so soon. Some of the early "mainstream"
articles missed the boat, of course.
(intuitive to me, a limited number of outputs and
number of inputs = Collisions). I assume that a "good" hash would have a
even distribution of collisions across the domain and that the
of bits for the output the better the hash (assuming no cryptographic
Yes. At this point, MD5 should no longer be used for applications where an
adversary might have access to the data that is being signed. That means
it's no longer suitable for signing certificates or authenticating data sent
over a peer-to-peer network. SHA1 with 160-bits is still, as far as we know,
suitable for all of these purposes.
I generally advise not using MD5 for any applications except (P)RNGs and as
a non-cryptographically-secure checksum.