Tuesday, June 14, 2005

MD5 Collisions

CITS - MD5 Collisions

"One of the main workhorses of modern cryptography are collision resistant hash functions. Given an (almost) arbitrarily long input M, they produce a fixed-size output H(M). Collision resistance means that it is infeasible to find two different inputs M and M' with the same hash H(M)=H(M'). Note that many collisions exist, but it has to be infeasible to actually find even a single collision!

...

Based on [WY05], we implemented an attack to find random collisions for the MD5 compression function. It took just a few hours on a customary PC. Using the length extension property present in MD5 and all other hash functions following the (almost omnipresent) Merkle-Damgaard design principle, we constructed a pair of documents to display either the letter or the order.

...

There have already been a few exploits of the collision-finding attacks against MD5: Kaminski [Ka] and Mikle [Mi] presented different executables with the same MD5 hash. One of Kaminski's executables was quite harmless, the other one very harmful. Mikle's executables were self-extracting archives, extracting different stuff. Lenstra, Wang and de Weger [LWdW,LdW] constructed colliding X.509 certificates.
..."



We've heard that MD5/SHA hashes were "broken", but this puts a little different spin on it for me. This is a good article on how meaningful MD5 collisions could happen, and even be used, in the real world. This article shows how two totally different files have the same MD5, while remaining human meaningful.

Pretty interesting and a little scary considering how prevalent MD5 is in my field.

Sigh, time to start looking and planning for a replacement...

(via Slashdot - Meaningful MD5 Collisions)

No comments: