[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: MD5 hash calculation
"William Allen Simpson" says:
> (sigh) Try reading the introductory principles of RFC-1321, which says:
> It is conjectured that it is computationally infeasible to produce
> two messages having the same message digest, or to produce any
> message having a given prespecified target message digest.
> Quite frankly, I don't see how it is any easier to find MD5(text') than
> MD5(key,text',key). It is the same thing, the hardness of which is the
> guiding principle of cryptographic hashing.
Actually, Bill, Hugo does indeed have a good point here which I don't
think was being considered. It should actually be easier to find a
collision than to deduce the keys and also find a collision.
> But you are partly correct. You might discover such a hash by luck.
> So what? Real cryptanalysis requires unrolling MD5.
Well, a cryptographic hash has several properties here that are under
consideration. Non-invertability and not being able to produce
collisions are different properties, although the mechanisms by which
they are achieved are similar. In MD5(MD5(text)+key) you need merely
find a colliding text. For MD5(key+text+key) you do actually have to
determine what the key was -- much harder.
Given that our hash functions might be imperfect this might be a
second level of protection. Certainly it protects against an Oorschot
and Wiener Machine being used against you since that can only find
collisions, not reversals of the hash.