Re: MD5 hash calculation

["William Allen Simpson" <Bill.Simpson@um.cc.umich.edu>]

> From: hugo@watson.ibm.com
> You asked for proofs: here is an attack that breaks the authentication
> without "unrolling" MD5. (And thus cryptanalysis does NOT require unrolling):
>
>    If you know text and text' for which
>    MD5(text)=MD5(text') then you can replace text by text' without even knowing
>    the key.
>
(sigh)  Try reading the introductory principles of RFC-1321, which says:

   It is conjectured that it is computationally infeasible to produce
   two messages having the same message digest, or to produce any
   message having a given prespecified target message digest.

Quite frankly, I don't see how it is any easier to find MD5(text') than
MD5(key,text',key).  It is the same thing, the hardness of which is the
guiding principle of cryptographic hashing.

But you are partly correct.  You might discover such a hash by luck.
So what?  Real cryptanalysis requires unrolling MD5.

I suppose now you'll insist that all "proofs" should mention "luck".


> a reference to an (eventual) RFC on keyed-MD5, where we'll (hopefully)
> converge to the best acceptable solution.
>
Pretty hard to give references to things that don't yet exist.

Bill.Simpson@um.cc.umich.edu

---

Follow-Ups:

• Re: MD5 hash calculation
• From: "Perry E. Metzger" <perry@imsi.com>

---

• Prev by Date: Re: Proposed message on perfect forward security
• Next by Date: Re: (IPng) Re: Proposed message on perfect forward security
• Prev by thread: MD5 hash calculation
• Next by thread: Re: MD5 hash calculation
• Index(es):
  • Main
  • Thread