
Re: MD5 hash calculation

> From: smb@research.att.com
> No, it's easier to find MD5(text') than MD5(key,text).  The reason is
> that in the former case, there's full known plaintext; in the latter,
> there's an unknown component.

How does that help?  If you are capable of modifying a text to produce
the same hash, then you don't need to know the unknown component.

The security of hashing rests on the resistance to generating another
with the same hash, not the secret itself.

> Furthermore, one can often generate chosen
> plaintext going to someone's terminal (this mail message, for example).
> If I have a large sample of legitimate packets authenticated by
> MD5(key,MD5(text)), then I can attack you if I can generate a nastygram
> whose hash matches any of the MD5(text_i)'s in my collection.  I don't
> have to know the key.  With MD5(key,text), I have to find some evil
> text that will generate the same authentication value *after* concatenation
> with a key I don't know.

I don't understand the difference.  If you have a collection of text
authenticated with MD5(key,text), you still have the same list of
possible hashes, and you can substitute the same pre-authenticated
chosen plaintext without knowing the key at all.

Again, the security rests on the difficulty and likelihood of finding
the match, not on the secret itself.
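The two constructions being argued about above can be compared directly in code. The following is an added example, not code from either poster: it models an attacker who holds only a collection of (text_i, tag_i) pairs and no key. The inner hash is a constructed toy (MD5 truncated to 16 bits) so that a second preimage can be found in a fraction of a second; only the structural argument carries over to full MD5, not the work factor. The key, messages and candidate format are all constructed for the demonstration.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

Hash = Callable[[bytes], bytes]


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def toy_inner_hash(data: bytes) -> bytes:
    # Constructed toy: MD5 truncated to 16 bits. Second preimages are cheap,
    # which lets the script show the structural point without a real break.
    return md5(data)[:2]


def tag_nested(key: bytes, text: bytes, inner: Hash = md5) -> bytes:
    """MD5(key, MD5(text)): the key only ever sees the inner digest."""
    return md5(key + inner(text))


def tag_direct(key: bytes, text: bytes) -> bytes:
    """MD5(key, text): the key is mixed with the text itself."""
    return md5(key + text)


def forge_without_key(observed: List[Tuple[bytes, bytes]], inner: Hash,
                      max_tries: int = 1 << 20) -> Optional[Tuple[bytes, bytes]]:
    """Attacker's view of the nested scheme: given (text_i, tag_i) pairs and
    no key, look for a fresh text whose inner digest equals that of ANY text_i.
    Because tag_i depends on the text only through inner(text_i), the reused
    tag_i is then valid for the fresh text. Returns (forged_text, reused_tag)
    or None if the search budget runs out."""
    known = {inner(text): (text, tag) for text, tag in observed}
    for i in range(max_tries):
        candidate = b"forged message #" + str(i).encode()
        hit = known.get(inner(candidate))
        if hit is not None and candidate != hit[0]:
            return candidate, hit[1]
    return None


def demo() -> Tuple[bool, bool]:
    """Returns (nested_scheme_accepts_forgery, direct_scheme_accepts_forgery).

    The same observed traffic is tagged under both schemes; the attacker's
    candidate is checked against each verifier with the real key."""
    key = b"constructed-demo-key"          # never available to the attacker
    texts = [b"transfer %d units" % n for n in range(16)]

    observed_nested = [(t, tag_nested(key, t, toy_inner_hash)) for t in texts]
    result = forge_without_key(observed_nested, toy_inner_hash)
    if result is None:
        return False, False
    forged, reused_tag = result

    # Verifier side: recompute with the key and compare to the presented tag.
    nested_accepts = tag_nested(key, forged, toy_inner_hash) == reused_tag

    # Under MD5(key, text) the observed tags cover key+text as a whole, so a
    # collision on an unkeyed hash of the text buys the attacker nothing.
    direct_tags = {tag_direct(key, t) for t in texts}
    direct_accepts = tag_direct(key, forged) in direct_tags

    return nested_accepts, direct_accepts


if __name__ == "__main__":
    print("nested MD5(key, MD5(text)) accepts forgery: %s, "
          "direct MD5(key, text) accepts forgery: %s" % demo())
```

The point the run makes is the one in the quoted text: with MD5(key, MD5(text)) the attacker's problem is a second preimage against an unkeyed hash over a set of known targets, which the key does nothing to prevent; with MD5(key, text) every candidate has to be checked against an output the attacker cannot compute without the key. Swapping `toy_inner_hash` for `md5` in `demo()` turns the same search into the full 128-bit effort, which is the difference between "structurally weak" and "practically broken".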