Comments on: MD5 considered primeval

By: Nate Lawson

Nate Lawson — Tue, 04 Nov 2008 18:26:19 +0000

ivan, while I do think you guys are the best hackers in the world, I agree with you that using MD5 is indefensible. Thanks for the nice links.

By: ivan

ivan — Thu, 30 Oct 2008 15:24:28 +0000

The likelihood too low??

http://www.coresecurity.com/files/attachments/Richarte_MD5-Harmful-today.pdf

Two executable files with the same MD5 hash, crc-32, checksum-32 and checksum-16:
http://www1.corest.com/corelabs/projects/research_topics/Richarte_md5-crc32-cksum16-cksum32.zip

Two executable file with the same MD5 hash:
http://www1.corest.com/corelabs/projects/research_topics/Richarte_md5-2-collisions.zip

Eight files with the same MD5 hash:
http://www1.corest.com/corelabs/projects/research_topics/Richarte_md5-8-collisions.zip

Turns out that I work with the best hacker in the world!@#$

By: Nate Lawson

Nate Lawson — Tue, 16 Sep 2008 18:12:05 +0000

Yes, no one has published second pre-image attacks on MD5 yet. However, you can’t seriously be defending its continued use in any modern system.

As for MD5’s use with forensics, all criminals can place the known MD5 colliding “magic string” in their data. Then, if caught, produce a totally innocent set of data that matches the same MD5 sums Cellebrite got. Now there’s reasonable doubt that the evidence could have been tampered with.

MD5 should be retired quickly, even for uses where second pre-image resistance is all that’s needed. Cellebrite’s competitors got the message back in 2003. Why are they trying to ignore this?

By: Gavin

Gavin — Tue, 16 Sep 2008 16:43:57 +0000

From the site linked to
“It is important to note that the hash value shared by the two different files is a result of the collision construction process. We cannot target a given hash value, and produce a (meaningful) input bit string hashing to that given value.”

It is not unreasonable to use MD5sums for tamper detection unless someone is able to generated targeted hashs.