Re: MD5 math question

[Tim <tim-security () sentinelchicken org>]

Hi exon,

> One approach to take when brute-forcing passwords could be to simply add 
> random bytes to a stream until it collides and then using a 
> collision-generator to generate a collision short enough to not be 
> discarded by the password validation mechanism. Those with deeper 
> insights into the MD5 algorithm could probably come up with which bytes 
> to add to make it collide faster, but it still means brute-forcing an 
> MD5 password of considerable length is down from months to mere hours.

Interesting idea.  If a cracker actually cared about the *real* password
that the user chose, then this might be useful.  If he just cared about
*a* password that makes the hash, it is irrelevant though.


> All this is ofcourse theory. I don't know enough cryptography to 
> determine what is possible and what isn't, but since SHA1 hasn't been 
> broken (yet) and there are enough open and free implementations of it to 
> go around I'm a bit surprised to find that MD5 is considered for use in 
> new applications.

Um...  You didn't get the news about SHA1?

  http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html

It's definately broken.  It'll take a few years before people can do it
as quickly as they can with MD5, and I don't know of any tools people
have written, but don't rely on it either for collision resistance.

tim

-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------