oss-sec mailing list archives
Re: is MD5 finally dead?
From: Michael Samuel <mik () miknet net>
Date: Wed, 5 Nov 2014 16:03:44 +1100
On 5 November 2014 15:45, Alex Gaynor <alex.gaynor () gmail com> wrote:
> As far as I can tell, HMAC doesn't actually require pre-image resistance; it requires that the compression function used by the hash be a PRF -- or at least that's what the HMAC paper says. Are these two formulations equivalent?
HMAC fits in the unknown-prefix category when used correctly. Not sure about general proofs, but the current collision attacks on MD5 won't work without knowing the IHV ahead of time, and if you know the HMAC key you don't need collisions.
In the case of an unknown-prefix, HMAC[1] or anything requiring a preimage, it's just hardening to swap out MD5 (and SHA-1). [1] Unless you accidentally swap the key and data fields!
And to elaborate - if you swap the key and data fields, you can use a normal md5 collision, then XOR against opad.
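To make the two situations discussed above concrete, here is an added example; it is not code from the thread or from any of the posters. It writes HMAC out per RFC 2104 so the ipad/opad structure and the key-handling rules are visible, then runs it over a deliberately weakened hash (MD5 truncated to 32 bits, a constructed stand-in so a collision can be found by a birthday search in a second or two; the names `weak_digest`, `hmac_generic`, `find_collision` and `collision_effect` are this example's own). With the key in the key slot, a collision found from the standard IV does not carry over, because the inner hash starts from a state the attacker never knew. With the colliding values accidentally placed in the key slot and longer than one block, HMAC first hashes the key, so the two colliding "keys" become the same key and every MAC agrees. The long-key case is the one shown here because it follows from the HMAC specification alone; it is an assumption of this example that the attacker can make the swapped field longer than the 64-byte block.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 and SHA-1 both use 64-byte blocks


def weak_digest(data: bytes) -> bytes:
    """Constructed toy hash: MD5 truncated to 32 bits.

    Collisions cost ~2^16 hashes (birthday bound) instead of MD5's
    cryptanalytic attack, but the block size and HMAC key rules are
    unchanged, which is all this demonstration needs."""
    return hashlib.md5(data).digest()[:4]


def md5_digest(data: bytes) -> bytes:
    """Real MD5, used only to cross-check hmac_generic against the stdlib."""
    return hashlib.md5(data).digest()


def hmac_generic(key: bytes, msg: bytes, digest=weak_digest,
                 block_size: int = BLOCK_SIZE) -> bytes:
    """HMAC as in RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    if len(key) > block_size:
        key = digest(key)          # long keys are replaced by their hash
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = digest(ipad + msg)     # first block is key-dependent, IHV unknown
    return digest(opad + inner)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check: the from-scratch HMAC over real MD5 equals hmac.new()."""
    return hmac_generic(key, msg, md5_digest) == \
        hmac.new(key, msg, hashlib.md5).digest()


def find_collision(min_len: int = BLOCK_SIZE + 1):
    """Birthday search for two distinct inputs, each longer than one block,
    with equal weak_digest. Inputs are deterministic counters, so the same
    pair is found every run."""
    seen = {}
    i = 0
    while True:
        m = (b"collision-candidate-%d" % i).ljust(min_len, b"A")
        h = weak_digest(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
        i += 1


def collision_effect(secret_key: bytes, data: bytes) -> dict:
    """Apply one hash collision (m1, m2) in both argument positions.

    correct usage : HMAC(secret_key, m1) vs HMAC(secret_key, m2)
    swapped usage : HMAC(m1, data) vs HMAC(m2, data)"""
    m1, m2 = find_collision()
    assert m1 != m2 and weak_digest(m1) == weak_digest(m2)
    correct = (hmac_generic(secret_key, m1), hmac_generic(secret_key, m2))
    swapped = (hmac_generic(m1, data), hmac_generic(m2, data))
    return {
        "messages": (m1, m2),
        "correct_usage_collides": correct[0] == correct[1],
        "swapped_usage_collides": swapped[0] == swapped[1],
    }


if __name__ == "__main__":
    result = collision_effect(b"a key the attacker never learns", b"payload")
    print("correct usage, MACs collide:", result["correct_usage_collides"])
    print("swapped usage, MACs collide:", result["swapped_usage_collides"])
```

The same `hmac_generic` can be handed `md5_digest` instead of `weak_digest` and a published MD5 collision pair padded past 64 bytes; the swapped-argument case then collides for exactly the same reason, while the correct-usage case is only as weak as MD5's resistance to collisions from an unknown starting state.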
Current thread:
- is MD5 finally dead? Kurt Seifried (Nov 04)
- Re: is MD5 finally dead? Michael Samuel (Nov 04)
- Re: is MD5 finally dead? Alex Gaynor (Nov 04)
- Re: is MD5 finally dead? Michael Samuel (Nov 04)
- Re: is MD5 finally dead? Alex Gaynor (Nov 04)
- Re: is MD5 finally dead? Solar Designer (Nov 04)
- Re: is MD5 finally dead? coderman (Nov 04)
- Re: is MD5 finally dead? Michael Samuel (Nov 04)