Bugtraq mailing list archives
MD5 To Be Considered Harmful Today
From: Pavel Machek <pavel () ucw cz>
Date: Wed, 8 Dec 2004 02:39:41 +0100
Hi!
I've been doing some analysis on MD5 collision announced by Wang et al. Short version: Yes, Virginia, there is no such thing as a safe hash collision -- at least in a function that's specified to be cryptographically secure. The full details may be acquired at the following link:
Yes, nice paper, and here you have nice story: Okay, lets have two friends and one horse. Let's say Pavel and Bara. Bara owns a horse, and needs money, so she wants to sell it. Horse has some problems with its back, and Bara would be willing to sell it for around $1300. Therefore she's quite surprised when Pavel offers her $14000, and agrees immediately. From: Pavel To: Bara Hi! I'd like to buy Fita. If you accept my offer (msg1), just sign and send it back. :~/misc/md5$ cat msg1 I agree to sell you my horse ^Fita^, its saddle and harness for price 14000 dollars. Signed Bara :~/misc/md5$ md5sum msg1 57ce330a6c6ca8e9ffab4f3b36b2a1a5 msg1 :~/misc/md5$ (Bara signs msg1 and sends it back to Pavel). Two days later, Pavel comes with a car, and $1000. Bara denies she offered Fita for $1000, but can not find copy of the e-mail exchange. Fortunately Pavel has a copy with him, digitaly signed by Bara. They view it on her computer, and verify the signatures. At that point Bara agrees she probably made a mistake, and accepts $1000... :~/misc/md5$ cat msg2 I agree to sell you my horse ^Fita^, its saddle and harness for price 1ยด000 dollars. Signed Bara :~/misc/md5$ md5sum msg2 57ce330a6c6ca8e9ffab4f3b36b2a1a5 msg2 :~/misc/md5$ (With apologies to Bara; let's hope she'll never find out). Pavel PS: I tried it on linux console, and it does some nasty terminal tricks. Of course, if Bara investigated, she'd probably found out how... -- People were complaining that M$ turns users into beta-testers... ...jr ghea gurz vagb qrirybcref, naq gurl frrz gb yvxr vg gung jnl!
Attachment:
msg1
Description:
Attachment:
msg2
Description:
Current thread:
- Re: MD5 To Be Considered Harmful Someday, (continued)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Paul Wouters (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Adam Shostack (Dec 09)
- Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Pavel Kankovsky (Dec 09)
- Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 13)
- Re: MD5 To Be Considered Harmful Someday George Georgalis (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Today Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Today Pavel Machek (Dec 08)
- Re: MD5 To Be Considered Harmful Today Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Jack Lloyd (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Jack Lloyd (Dec 08)