MD5 to be considered dangerous?
Today I found a quite disturbing mail sent to Bugtraq, in which Dan Kaminsky briefly describes a way to generate more than one file with the same MD5 hash, and links to a paper explaining it further. And if that were not enough, Pavel Machek sent another mail demonstrating Kaminsky’s claims with a little story about a scam. I checked the files attached to his mail, and yes, we have two similar (but different) files with the same MD5 hash:

<code="bash">
~$ md5sum /tmp/msg1 /tmp/msg2 ; diff --brief /tmp/msg1 /tmp/msg2
57ce330a6c6ca8e9ffab4f3b36b2a1a5 /tmp/msg1
57ce330a6c6ca8e9ffab4f3b36b2a1a5 /tmp/msg2
Files /tmp/msg1 and /tmp/msg2 differ
</code>

This attack is still not practical for real scamming or impersonation. If we are signing files that will be processed by a computer (say, Debian packages, .tar.gz, ISO images, whatever), the colliding files will not be in a valid format to be installed. If, as in Machek’s story, the files are to be human-parsed, there is too much cruft around the text for a human not to get suspicious. But anyway, this is a proof of concept, and it will surely be refined in the future…

All hashing functions will somehow present collisions, I know. They must, however, not be artificially generable with choosable content. I am not a cryptologist, nor do I claim I will ever be. But anyway, probably we will end up losing confidence in MD5 hashes, in favor of another hashing algorithm. Directly signing/verifying the whole file is not quite feasible, as asymmetric keys are just too heavy to do such work. However, the installed base and trust that MD5 currently has will be challenged… Let’s see what comes out of this.
Comments
KBrown 2005-01-06 22:52:58
RE: MD5 to be considered dangerous?
What happens with sha1 hashes on both files? Are they different?
I think an immediate workaround is to double-sign with SHA1 and MD5, so a malicious cryptographer will not be able to force a collision on both algorithms at the same time.
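
Added example, not part of the original post or its comments: a shell check that repeats the `md5sum`/`diff` comparison from the post across several digest tools, so a pair of files that differ in content but share one digest is reported by name. It assumes the coreutils tools `md5sum`, `sha1sum` and `sha256sum` plus `cmp` and `awk`; the function names `digest_of` and `classify_pair` are this example's own.

```shell
#!/bin/sh
# Added example: classify a pair of files by content and by digest.

# digest_of TOOL FILE -> prints only the hex digest (first field of the output)
digest_of() {
    "$1" "$2" | awk '{ print $1; exit }'
}

# classify_pair FILE1 FILE2 [TOOL...]
# Prints one of:
#   identical              the files are byte-for-byte equal
#   different              contents differ and every digest differs
#   collision:TOOL[,TOOL]  contents differ but the named digest(s) are equal
# Exits with status 2 if either file cannot be read.
classify_pair() (
    f1=$1; f2=$2; shift 2
    # Default tool set (an assumption of this example).
    [ "$#" -gt 0 ] || set -- md5sum sha1sum sha256sum
    if [ ! -r "$f1" ] || [ ! -r "$f2" ]; then
        echo "classify_pair: unreadable input" >&2
        exit 2
    fi
    if cmp -s "$f1" "$f2"; then
        echo identical
    else
        colliding=
        for tool in "$@"; do
            if [ "$(digest_of "$tool" "$f1")" = "$(digest_of "$tool" "$f2")" ]; then
                colliding="${colliding:+$colliding,}$tool"
            fi
        done
        if [ -n "$colliding" ]; then
            echo "collision:$colliding"
        else
            echo different
        fi
    fi
)

# Stand-alone use: sh thisfile FILE1 FILE2 [TOOL...]
if [ "$#" -ge 2 ]; then
    classify_pair "$@"
fi
```

Run against a pair such as the post's `/tmp/msg1` and `/tmp/msg2`, the output names every digest tool under which the two files are indistinguishable.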