oss-sec mailing list archives

Re: is MD5 finally dead?


From: Solar Designer <solar () openwall com>
Date: Wed, 5 Nov 2014 08:09:00 +0300

On Tue, Nov 04, 2014 at 09:21:49PM -0700, Kurt Seifried wrote:
> http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-same-md5.html
>
> It seems like MD5 should probably be classed with DES as instant CVE
> win, either now, or pretty soon....

Depends on use case, like before.

Surely there are uses of both MD5 and DES where the choice of these
primitives is not a vulnerability.  For example, md5crypt is not
affected by MD5 collisions.  (It's EOL'ed by the author for other
reasons, though.)  Similarly, the use of DES in BSDI/FreeSec extended
crypt() is not a vulnerability (its 64-bit hash space is a bit too
small, etc., but that's another matter).  And 3DES is still OK.

For yet another example, while HMAC-MD5 shouldn't be used for new
designs, there's no known realistic attack on it yet:

New Proofs for NMAC and HMAC - Cryptology ePrint Archive
https://eprint.iacr.org/2006/043.pdf

New Proofs for NMAC and HMAC: Security without Collision-Resistance
http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html

http://crypto.stackexchange.com/questions/9336/is-hmac-md5-considered-secure

https://tools.ietf.org/html/rfc6151

"  Therefore, it may not be urgent to remove HMAC-MD5 from the existing
   protocols.  However, since MD5 must not be used for digital
   signatures, for a new protocol design, a ciphersuite with HMAC-MD5
   should not be included."

Curious comments by Thomas Pornin and Dmitry Khovratovich on whether
e.g. MD5's compression function may be a PRF or not (and thus whether
the HMAC proof fully applies or not) despite its insufficient
collision resistance:

http://crypto.stackexchange.com/questions/268/security-of-n-bit-hmac

Alexander
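Added example, not part of the post above: the HMAC construction the thread refers to (RFC 2104), written out from its definition so the reader can see that the secret key is hashed in before and after the message, which is why the NMAC/HMAC proofs need the compression function to be a PRF rather than collision-resistant. The `hmac_md5` and `check_rfc2202_vector` names are the example's own; the comparison against the standard library and the RFC 2202 "Jefe" test vector are the checks.

```python
import hashlib
import hmac

# Padding constants from RFC 2104.
_IPAD = 0x36
_OPAD = 0x5C


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 as H((K' ^ opad) || H((K' ^ ipad) || msg)), per RFC 2104.

    K' is the key padded (or first hashed, if longer than one block) to
    the 64-byte MD5 block size.  The attacker-chosen message only ever
    enters the inner hash after a full key-dependent block, so a bare
    MD5 collision on two messages does not by itself give a MAC forgery.
    """
    block_size = hashlib.md5().block_size  # 64 bytes for MD5
    if len(key) > block_size:
        key = hashlib.md5(key).digest()
    key_prime = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ _IPAD for b in key_prime)
    opad_key = bytes(b ^ _OPAD for b in key_prime)
    inner = hashlib.md5(ipad_key + msg).digest()
    return hashlib.md5(opad_key + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written construction against hmac.new()."""
    expected = hmac.new(key, msg, hashlib.md5).digest()
    return hmac.compare_digest(hmac_md5(key, msg), expected)


def check_rfc2202_vector() -> bool:
    """RFC 2202 test case 2 for HMAC-MD5 (key "Jefe")."""
    tag = hmac_md5(b"Jefe", b"what do ya want for nothing?")
    return tag.hex() == "750c783e6ab0b503eaa86e310a5db738"


if __name__ == "__main__":
    print("matches hashlib/hmac:", matches_stdlib(b"k" * 100, b"msg"))
    print("RFC 2202 vector ok:", check_rfc2202_vector())
```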
