
Re: MD5 hash calculation



	 (sigh)  Try reading the introductory principles of RFC-1321, which says:

	    It is conjectured that it is computationally infeasible to produce
	    two messages having the same message digest, or to produce any
	    message having a given prespecified target message digest.

	 Quite frankly, I don't see how it is any easier to find MD5(text') than
	 MD5(key,text',key).  It is the same thing, the hardness of which is the
	 guiding principle of cryptographic hashing.

	 But you are partly correct.  You might discover such a hash by luck.
	 So what?  Real cryptanalysis requires unrolling MD5.

No, it's easier to find MD5(text') than MD5(key,text).  The reason is
that in the former case, there's full known plaintext; in the latter,
there's an unknown component.  Furthermore, one can often generate chosen
plaintext going to someone's terminal (this mail message, for example).
If I have a large sample of legitimate packets authenticated by
MD5(key,MD5(text)), then I can attack you if I can generate a nastygram
whose hash matches any of the MD5(text_i)'s in my collection.  I don't
have to know the key.  With MD5(key,text), I have to find some evil
text that will generate the same authentication value *after* concatenation
with a key I don't know.


		--Steve Bellovin
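Steve's argument above, as an added toy example that is not code from the thread: an observer without the key collects packets tagged with MD5(key, MD5(text)) and only needs some text whose inner digest matches any collected one, whereas the same collection gives nothing against MD5(key, text). Truncating the inner digest to 16 bits, the sample packets and the key are constructed assumptions so the search finishes instantly; it is the two constructions, not MD5 itself, that are being compared.

```python
import hashlib
from typing import Optional

# Assumption (not from the thread): the inner digest is truncated to
# INNER_BITS so the search below finishes instantly. Real MD5 is 128 bits;
# only the structure of the two schemes is being compared here.
INNER_BITS = 16

def inner_digest(text: bytes) -> bytes:
    """Stands in for MD5(text): a keyless digest anyone can compute."""
    return hashlib.md5(text).digest()[: INNER_BITS // 8]

def tag_nested(key: bytes, text: bytes) -> bytes:
    """MD5(key, MD5(text)): the tag sees the text only through inner_digest."""
    return hashlib.md5(key + inner_digest(text)).digest()

def tag_direct(key: bytes, text: bytes) -> bytes:
    """MD5(key, text): the unknown key is mixed with the text itself."""
    return hashlib.md5(key + text).digest()

def find_nested_forgery(observed, max_trials=1 << 20) -> Optional[tuple]:
    """Given observed (text_i, tag_i) pairs from the nested scheme and no key,
    return (candidate, tag_i) for a candidate whose inner digest equals that
    of some legitimate text_i; tag_i then authenticates the candidate too."""
    targets = {inner_digest(t): tag for t, tag in observed}
    for n in range(max_trials):
        candidate = b"nastygram #%d" % n  # constructed sample text
        d = inner_digest(candidate)
        if d in targets:
            return candidate, targets[d]
    return None

def demo(key: bytes = b"constructed-secret-key", n_packets: int = 64):
    """Collect n_packets legitimate authenticated packets, then check what a
    key-less observer of them achieves against each scheme."""
    legit = [b"legitimate packet %d" % i for i in range(n_packets)]
    observed = [(t, tag_nested(key, t)) for t in legit]
    hit = find_nested_forgery(observed)
    if hit is None:
        return None
    candidate, reused_tag = hit
    return {
        "candidate": candidate,
        "nested_accepts": tag_nested(key, candidate) == reused_tag,
        "direct_accepts": any(tag_direct(key, candidate) == tag_direct(key, t)
                              for t in legit),
    }
```

The verifier of the nested scheme accepts the reused tag because it never looks past the inner digest; the direct scheme's tags are useless to the observer for the same candidate.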