oss-sec mailing list archives
Re: is MD5 finally dead?
From: Alex Gaynor <alex.gaynor () gmail com>
Date: Wed, 05 Nov 2014 04:45:46 +0000
As far as I can tell, HMAC doesn't actually require pre-image resistance, it requires that the compression function used by the has be a PRF -- or at least that's what the HMAC paper says. Are these two formulations equivalent? Alex On Wed Nov 05 2014 at 8:42:59 PM Michael Samuel <mik () miknet net> wrote:
Hi, On 5 November 2014 15:21, Kurt Seifried <kseifried () redhat com> wrote:http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-same-md5.htmlIt seems like MD5 should probably be classed with DES as instant CVE win, either now, or pretty soon....This is the same chosen-prefix attack that was used to forge certificates. Using md5 in a collision-hostile environment is definitely CVE worthy, and has been for a while. (BTW, no CVE for rsync yet) In the case of an unknown-prefix, HMAC[1] or anything requiring a preimage, it's just hardening to use swap out MD5 (and SHA-1). [1] Unless you accidentally swap the key and data fields!
Current thread:
- is MD5 finally dead? Kurt Seifried (Nov 04)
- Re: is MD5 finally dead? Michael Samuel (Nov 04)
- Re: is MD5 finally dead? Alex Gaynor (Nov 04)
- Re: is MD5 finally dead? Michael Samuel (Nov 04)
- Re: is MD5 finally dead? Alex Gaynor (Nov 04)
- Re: is MD5 finally dead? Solar Designer (Nov 04)
- Re: is MD5 finally dead? coderman (Nov 04)
- Re: is MD5 finally dead? Michael Samuel (Nov 04)