MD5 To Be Considered Harmful Someday





Post by patrikG »

For those who haven't read it on Slashdot:
Slashdot wrote: Effugas writes "I've completed an applied security analysis (pdf) of MD5 given Xiaoyun Wang et al's collision attack (covered here and here). From an applied perspective, the attack itself is pretty limited -- essentially, we can create 'doppelganger' blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum. But MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. Wang released the two files needed (but not the collision finder itself). A tool, Stripwire, demonstrates the use of colliding datasets to create two executable packages with wildly different behavior but the same MD5 hash. The faults discovered are problematic but not yet fatal; developers (particularly of P2P software) who claim they'd like advance notice that their systems will fail should take note."
Source: http://developers.slashdot.org/develope ... =172&tid=8

Post by Roja »

Notably, SHA-1 has not been found to have the same flaws. While it is a similar algorithm, and it does share many of the same design concepts with MD5, the current research shows it to be resilient against those same attacks.

The net result is that SHA-1 makes a wonderful drop-in replacement for MD5. With the exception of being 40 bytes instead of 32 bytes, it's very much a search/replace situation. :)

In fact, the javascript library I use for SHA1 is *smaller* than the javascript library I use for MD5 - so it actually is better in more ways than one. :)

Of course, beyond SHA1 is SHA-256, although I have yet to find a compact javascript library for it, let alone a decent php implementation.
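The two points made in this thread, the "appendable cascade" from patrikG's Slashdot quote and the SHA-1 comparison in Roja's reply, as an added example that is not part of the thread and is not Stripwire's code. The two 128-byte messages are the colliding pair Wang et al. published; everything else (PAYLOAD, build_package(), behavior(), the "prefix" check) is a constructed toy stand-in for what Stripwire does, not its implementation.

```python
import hashlib

# Wang et al.'s published colliding pair (the "two files" mentioned above):
# two 128-byte messages, two 512-bit MD5 blocks each, that hash from MD5's
# standard initial state to 79054025255fb1a26e4bc422aef54eb4.
M0 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed stand-in for Stripwire's shared payload (not Stripwire's code):
# the same bytes go into both packages, and the "program" decides what to do
# by looking at the doppelganger block it was shipped with.
PAYLOAD = b"\n# shared payload: branch on byte 19 of the leading block\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which the two doppelganger blocks differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_package(block: bytes, payload: bytes) -> bytes:
    """Colliding block at offset 0, then an arbitrary shared payload.
    MD5 is iterated block by block; both blocks leave the internal state
    identical, so any identical suffix keeps the two packages colliding."""
    return block + payload


def behavior(package: bytes) -> str:
    """Toy 'executable': identical payload, opposite behaviour per doppelganger."""
    return "benign" if package[19] == 0x87 else "malicious"


def same_md5_after_append(payload: bytes) -> bool:
    """The appendable-cascade property: holds for any payload, block-aligned or not."""
    return md5_hex(build_package(M0, payload)) == md5_hex(build_package(M1, payload))


def same_md5_after_prepend(prefix: bytes) -> bool:
    """The published pair only collides from MD5's fixed IV. Anything placed in
    front changes the chaining value fed into the blocks and the collision is
    gone; putting doppelgangers deeper inside a file needs the collision finder
    re-run for that chaining value, which is the tool Wang did not release."""
    return md5_hex(prefix + M0) == md5_hex(prefix + M1)


def sha1_separates_pair() -> bool:
    """Roja's point: SHA-1 does not share this collision, and its hex digest is
    40 characters (20 bytes) against MD5's 32 characters (16 bytes)."""
    return (sha1_hex(M0) != sha1_hex(M1)
            and len(sha1_hex(M0)) == 40 and len(md5_hex(M0)) == 32)


if __name__ == "__main__":
    for name, m in (("M0", M0), ("M1", M1)):
        pkg = build_package(m, PAYLOAD)
        print(name, md5_hex(pkg), sha1_hex(pkg)[:16] + "...", behavior(pkg))
    print("differ at offsets", differing_offsets(M0, M1))
    print("same MD5 after appending payload:", same_md5_after_append(PAYLOAD))
    print("same MD5 after prepending bytes:", same_md5_after_prepend(b"prefix"))
```

The append property is not an MD5 quirk: it comes from the Merkle-Damgard construction, which SHA-1 and SHA-256 use as well, so any pair that collides under those hashes extends in exactly the same way. SHA-1 separates the pair above only because no SHA-1 collision was known when this thread was written.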