[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MD5 hash calculation

	 (sigh)  Try reading the introductory principles of RFC-1321, which say

	    It is conjectured that it is computationally infeasible to produce
	    two messages having the same message digest, or to produce any
	    message having a given prespecified target message digest.

	 Quite frankly, I don't see how it is any easier to find MD5(text') than
	 MD5(key,text',key).  It is the same thing, the hardness of which is the
	 guiding principle of cryptographic hashing.

	 But you are partly correct.  You might discover such a hash by luck.
	 So what?  Real cryptanalysis requires unrolling MD5.

No, it's easier to find MD5(text') than MD5(key,text).  The reason is
that in the former case, there's full known plaintext; in the latter,
there's an unknown component.  Furthermore, one can often generate chosen
plaintext going to someone's terminal (this mail message, for example).
If I have a large sample of legitimate packets authenticated by
MD5(key,MD5(text)), then I can attack you if I can generate a nastygram
whose hash matches any if the MD5(text_i)'s in my collection.  I don't
have to know the key.  With MD5(key,text), I have to find some evil
text that will generate the same authentication value *after* concatenation
with a key I don't know.

		--Steve Bellovin