Re: MD5 hash calculation

["Perry E. Metzger" <perry@imsi.com>]

"William Allen Simpson" says:
> (sigh)  Try reading the introductory principles of RFC-1321, which says:
> 
>    It is conjectured that it is computationally infeasible to produce
>    two messages having the same message digest, or to produce any
>    message having a given prespecified target message digest.
> 
> Quite frankly, I don't see how it is any easier to find MD5(text') than
> MD5(key,text',key).  It is the same thing, the hardness of which is the
> guiding principle of cryptographic hashing.

Actually, Bill, Hugo does indeed have a good point here which I don't
think was being considered. It should actually be easier to find a
collision than to deduce the keys and also find a collision.

> But you are partly correct.  You might discover such a hash by luck.
> So what?  Real cryptanalysis requires unrolling MD5.

Well, a cryptographic hash has several properties here that are under
consideration. Non-invertability and not being able to produce
collisions are different properties, although the mechanisms by which
they are achieved are similar. In MD5(MD5(text)+key) you need merely
find a colliding text. For MD5(key+text+key) you do actually have to
determine what the key was -- much harder.

Given that our hash functions might be imperfect this might be a
second level of protection. Certainly it protects against an Oorschot
and Wiener Machine being used against you since that can only find
collisions, not reversals of the hash.

Perry

---

References:

• Re: MD5 hash calculation
• From: "William Allen Simpson" <Bill.Simpson@um.cc.umich.edu>

---

• Prev by Date: Re: MD5 hash calculation
• Next by Date: Re: (IPng) Re: Proposed message on perfect forward security
• Prev by thread: Re: MD5 hash calculation
• Next by thread: Re: MD5 hash calculation
• Index(es):
  • Main
  • Thread