More bad news for MD5
Although it has been known for some years now that the MD5 hashing algorithm is vulnerable to collisions (where two or more different original samples produce the same hash after passing through the MD5 algorithm), practical demonstration of this fact has been limited to proofs of concept that tend to contain both samples within the same dataset and displaying one or the other based on some predefined condition. In these samples, passing both sets of data every time that something needs to be checked sort of defeats the purpose of having the collision and makes it readily apparent there is something amiss on bit-level investigation of the data.
New research has raised some interesting alternatives for people seeking to demonstrate (or exploit) the nature of MD5 hashes more readily. With the techniques discussed in the linked paper, it is possible to create two distinct sets of data and prepend seemingly random data to both sets and create new sets that generate valid MD5 collisions. Though the "prefix attack" is not new and it isn't the first time that it has been considered for application to generating MD5 collisions, it is the first time that a reliable demonstration has been provided that works on arbitrary initial data, rather than specially-seeded proof of concept samples.
So, what is the impact of this research? Since the initial discovery of repeatable MD5 hash collision, it was recommended that developers and administrators start moving away from the algorithm for password checking (if you only have a hash you don't have the original, but if multiple original samples can generate the same hash it makes the password non-unique) and for validation of downloaded software (such as Linux distributions and many software download sites employ) to verify that what you have downloaded matches what the developers initially released. In the past, MD5 checking has been useful in identifying when download repositories have been poisoned, but this recent demonstration will make it much easier to do so, without the benefit of the MD5 signature alerting to a problem.
19 December 2007
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.