From: agermain@cmp.com (Germain Arthur)
To: mab@crypto.com (Matt Blaze)
Message Hash: 9902022df4a70c998ea626d9ee5e685a55502c27c3812c843b95c687538e9fcd
Message ID: <1995Oct25.093455.1151.341098@smtpgate.cmp.com>
Reply To: N/A
UTC Datetime: 1995-10-25 13:35:05 UTC
Raw Date: Wed, 25 Oct 95 06:35:05 PDT
From: agermain@cmp.com (Germain Arthur)
Date: Wed, 25 Oct 95 06:35:05 PDT
To: mab@crypto.com (Matt Blaze)
Subject: RE: Hash collisions [was Re: MD5 weaknes
Message-ID: <1995Oct25.093455.1151.341098@smtpgate.cmp.com>
MIME-Version: 1.0
Content-Type: text/plain
I have unsubscribed from this mailing list. Please remove my name from
your personal address lists. Thanks.
ahg3
----------
From: Matt Blaze[SMTP:mab@crypto.com]
Sent: Tuesday, October 24, 1995 3:02 PM
To: hallam
Cc: cypherpunks
Subject: Hash collisions [was Re: MD5 weakness ? ...]
>
>>As to weaknesses, I seem to remember that someone managed to forge a
>>modification to a program used to observe networks on a Sun so that it
>>had the same MD5 checksum as the official trusted version. But whether
>>this is real is not strictly the issue.
>
>Ron has not mentioned such an event to me and if that were the case I
would
>seriously doubt that he would not have been told about it. The only
comment
he
>generally makes is that he wrote MD5 because "MD4 was making me
nervous".
>
>>In the case of the trust being placed in MD5 by Netscape, the
assumption
>>being made (without adequate support as far as I can tell) is that an
>>MD5 checksum cannot be forced, through a chosen plaintext attack, to
>
>Netscape do not simply use the MD5 of the message, they are using (as I
>understand it) the PKCS#1 standard for makoing the signature. If not
they
>probably have severe problems.
>
>>There has been no limit given by anyone on this list to the level of
>>trust they place in MD5. Several people have posted (without
>>contention) that MD5 is sufficiently trustworthy to trust billions of
>>dollars in commerce to it's being able to prevent a selected plaintext
>>attack as eluded to above.
>
>NIST and the NSA trusted MD4 sufficiently to base SHA upon it. SHA is
preferab
le
>in many ways to MD5, it has a different approach to extending the
scheduling
a
nd
>resist differential cryptanalysis. There is a problem with the
compressor
>function of MD5 which I dislike. This is fairly irrelevant though since
SSL
>allows other digests to be used.
>
> Phill
I hesitate to jump in to this exchange given the defensive and
vague nature of the discussion, but...
While I agree that SHA seems preferable, for a number of reasons,
to MD5, it is worth noting that Hans Dobbertin of the German Information
Security Agency recently found a collision in MD4. His attack
allows you to generate a pair of plainexts that generate the same hash.
A fast technique for finding a second plaintext that hashes to some given
value remains an open problem with MD4 (and SHA and MD5, for that
matter).
As far as I can tell the attack does not readily generalize to MD5
or SHA.
-matt
Return to October 1995
Return to “Kari Laine <buster@klaine.pp.fi>”