
Re: MD5 hash calculation

"William Allen Simpson" says:
> (sigh)  Try reading the introductory principles of RFC-1321, which says:
>    It is conjectured that it is computationally infeasible to produce
>    two messages having the same message digest, or to produce any
>    message having a given prespecified target message digest.
> Quite frankly, I don't see how it is any easier to find MD5(text') than
> MD5(key,text',key).  It is the same thing, the hardness of which is the
> guiding principle of cryptographic hashing.

Actually, Bill, Hugo does indeed have a good point here which I don't
think was being considered. It should actually be easier to find a
collision than to deduce the keys and also find a collision.

> But you are partly correct.  You might discover such a hash by luck.
> So what?  Real cryptanalysis requires unrolling MD5.

Well, a cryptographic hash has several properties here that are under
consideration. Non-invertibility and not being able to produce
collisions are different properties, although the mechanisms by which
they are achieved are similar. In MD5(MD5(text)+key) you need merely
find a colliding text. For MD5(key+text+key) you do actually have to
determine what the key was -- much harder.

Given that our hash functions might be imperfect this might be a
second level of protection. Certainly it protects against an Oorschot
and Wiener Machine being used against you since that can only find
collisions, not reversals of the hash.
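The asymmetry argued in the reply above can be shown concretely. The following is an added example, not code from the original thread or from any of its participants. It stands in an "imperfect" hash for MD5 by keeping only the first 3 bytes of the MD5 digest (assumption: 24 bits is small enough that a birthday search over a few thousand constructed messages finds a collision), then shows that an attacker holding a colliding pair for the inner hash forges MD5(MD5(text)+key) for every key without learning it, while the same pair does nothing against MD5(key+text+key). The benign and malicious messages, the serial-number field used to generate variants, and the key are all constructed for the demonstration.

```python
import hashlib
from typing import Callable, Dict, Tuple

Hash = Callable[[bytes], bytes]

# Constructed sample inputs: the message the victim will authenticate and the
# one the attacker wants accepted under the victim's tag.
BENIGN = b"transfer $10 to alice"
MALICIOUS = b"transfer $9999 to mallory"
KEY = b"secret key the attacker never sees"  # constructed, never used by the attacker


def truncated_md5(n_bytes: int = 3) -> Hash:
    """Hash keeping only the first n_bytes of MD5 (assumption: a stand-in for
    an imperfect hash whose collisions are cheap, as the reply supposes)."""
    def h(data: bytes) -> bytes:
        return hashlib.md5(data).digest()[:n_bytes]
    return h


def nested_mac(h: Hash, key: bytes, msg: bytes) -> bytes:
    """The MD5(MD5(text)+key) construction discussed in the thread."""
    return h(h(msg) + key)


def envelope_mac(h: Hash, key: bytes, msg: bytes) -> bytes:
    """The MD5(key+text+key) construction discussed in the thread."""
    return h(key + msg + key)


def find_cross_collision(h: Hash, benign: bytes, malicious: bytes,
                         max_trials: int = 1 << 20) -> Tuple[bytes, bytes]:
    """Birthday search for a benign variant and a malicious variant with the
    same inner hash. The attacker needs only the public hash h, not the key.
    Variants differ in a trailing serial-number field (a constructed detail)."""
    benign_seen: Dict[bytes, bytes] = {}
    malicious_seen: Dict[bytes, bytes] = {}
    for i in range(max_trials):
        b = benign + b" #" + str(i).encode()
        m = malicious + b" #" + str(i).encode()
        hb, hm = h(b), h(m)
        benign_seen.setdefault(hb, b)
        malicious_seen.setdefault(hm, m)
        if hb in malicious_seen:
            return b, malicious_seen[hb]
        if hm in benign_seen:
            return benign_seen[hm], m
    raise RuntimeError("no collision within trial budget")


def forgery_demo(key: bytes = KEY, h: Hash = truncated_md5(3)) -> Dict[str, bool]:
    """Attacker obtains the victim's tag on the benign message, then presents the
    malicious one. Reports which construction accepts the forged tag."""
    b, m = find_cross_collision(h, BENIGN, MALICIOUS)
    return {
        "inner_collision": b != m and h(b) == h(m),
        # Only the colliding text was needed: the key never entered the search.
        "nested_mac_forged": nested_mac(h, key, b) == nested_mac(h, key, m),
        # Same pair, but the key now sits inside the hashed data on both sides.
        "envelope_mac_forged": envelope_mac(h, key, b) == envelope_mac(h, key, m),
    }


if __name__ == "__main__":
    for name, ok in forgery_demo().items():
        print(f"{name}: {ok}")
```

The search runs in a few thousand trials because the toy hash is 24 bits wide; against a full-width hash it is exactly the collision search a parallel collision-finding machine performs, and the point of the reply holds unchanged: that machine hands the attacker a forgery of the nested construction but leaves the envelope construction alone.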