[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MD5 hash calculation

To: ipsec@ans.net
Subject: Re: MD5 hash calculation
From: "William Allen Simpson" <Bill.Simpson@um.cc.umich.edu>
Date: Wed, 15 Mar 95 14:12:10 GMT

> From: smb@research.att.com
> No, it's easier to find MD5(text') than MD5(key,text).  The reason is
> that in the former case, there's full known plaintext; in the latter,
> there's an unknown component.

How does that help?  If you are capable of modifying a text to produce
the same hash, then you don't need to know the unknown component.

The security of hashing rests on the resistance to generating another
with the same hash, not the secret itself.


> Furthermore, one can often generate chosen
> plaintext going to someone's terminal (this mail message, for example).
> If I have a large sample of legitimate packets authenticated by
> MD5(key,MD5(text)), then I can attack you if I can generate a nastygram
> whose hash matches any if the MD5(text_i)'s in my collection.  I don't
> have to know the key.  With MD5(key,text), I have to find some evil
> text that will generate the same authentication value *after* concatenation
> with a key I don't know.
>
I don't understand the difference.  If you have a collection of text
authenticated with MD5(key,text), you still have the same list of
possible hashes, and you can substitute the same pre-authenticated
chosen plaintext without knowing the key at all.

Again, the security rests on the difficulty and likelihood of finding
the match, not on the secret itself.

Bill.Simpson@um.cc.umich.edu

Prev by Date: Re: (IPng) More Endpoint Attributes
Next by Date: Re: MD5 hash calculation
Prev by thread: Re: MD5 hash calculation
Next by thread: Re: MD5 hash calculation
Index(es):
- Main
- Thread