Bugtraq mailing list archives
Re: MD5 To Be Considered Harmful Someday
From: Gandalf The White <gandalf () digital net>
Date: Tue, 07 Dec 2004 22:36:27 -0600
Greetings and Salutations:

In my first e-mail I meant to congratulate Dan Kaminsky for the fine work and write-up he did. Excellent.

On 12/7/04 10:01 PM, "David Schwartz" <davids () webmaster com> wrote:

>> From my reading it appears that you need the original source to create the doppelganger blocks. It also appears that given an MD5 hash you could not create an input that would give that MD5 back. Passwords encoded with MD5 would not fall prey to your discovery. Is this correct?
>
> Correct. You will never be able to find the input given an MD5 hash. It might be possible to, eventually, come up with an input that has the same hash given just the hash, but you could never know if that was the original input or not. (At least, not in general.)

That is the worry that I have for MD5 hashed passwords. It doesn't matter that you get the *correct* password, just that you have input that will hash (collide) to the correct MD5 hash.

What I am worried about is the integrity of MD5 hashed passwords. This concern is for both Cisco and *NIX passwords.

Let's say that I have a password:
"ThisIsMySecretPassphrase"
MD5 = $1$Vjuf$t5QYnzXL0Sy4tThvqKDGa1

Let's say that I am very smart and I can use software that is able to generate a collision in the passwords such that the MD5 hashes are the same, say for example:
"AshEr37WesW28Er4E2"
MD5 = $1$Vjuf$t5QYnzXL0Sy4tThvqKDGa1

It does not matter that I don't know the correct password, I have a password that collides into the correct hash. I can log into the system with my generated password.

I just want to make sure that the MD5 hash passwords don't end up being as easy to compute as the Cisco 7 passwords or the NTLM passwords.

It actually is beginning to sound like there might be enough of a hole in MD5 that "we" (collectively) had better start working on SHA-2 hashed passwords ...

Ken
---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and quick to anger.
Ken Hollis - Gandalf The White - gandalf () digital net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
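The exchange above turns on two different problems: finding any two inputs with the same hash, and finding an input that matches one given stored hash. The following is an added example, not part of the original message, that measures both on a toy scale. It assumes plain MD5 truncated to 16 bits as a stand-in (it does not model the salted `$1$` scheme), and the names `tag`, `verify`, `find_collision` and `find_match` are hypothetical.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy size so both searches finish instantly; real MD5 is 128 bits


def tag(data: bytes) -> int:
    """MD5 truncated to its top BITS bits (toy stand-in for a full hash)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - BITS)


def verify(stored: int, attempt: bytes) -> bool:
    """Hash-comparing login check: any input with the stored tag is accepted."""
    return tag(attempt) == stored


def find_collision():
    """Searcher chooses BOTH inputs: birthday search, about 2**(BITS/2) tries."""
    seen = {}
    for n in count(1):
        msg = b"free-%d" % n
        t = tag(msg)
        if t in seen:
            return seen[t], msg, n
        seen[t] = msg


def find_match(stored: int):
    """Target tag is fixed in advance (a stored hash): about 2**BITS tries."""
    for n in count(1):
        msg = b"cand-%d" % n
        if tag(msg) == stored:
            return msg, n


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    stored = tag(b"ThisIsMySecretPassphrase")  # passphrase quoted in the message
    guess, m_tries = find_match(stored)
    print(f"collision: {a!r} / {b!r} after {c_tries} tries")
    print(f"match for stored tag: {guess!r} after {m_tries} tries")
    print("login accepted:", verify(stored, guess))
```

Raising `BITS` widens the gap between the two try counts, since the first search scales with 2^(BITS/2) and the second with 2^BITS.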