Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20141105050900.GA2055@openwall.com>
Date: Wed, 5 Nov 2014 08:09:00 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: is MD5 finally dead?

On Tue, Nov 04, 2014 at 09:21:49PM -0700, Kurt Seifried wrote:
> http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-same-md5.html
> 
> 
> It seems like MD5 should probably be classed with DES as instant CVE
> win, either now, or pretty soon....

Depends on use case, like before.

Surely there are uses of both MD5 and DES where the choice of these
primitives is not a vulnerability.  For example, md5crypt is not
affected by MD5 collisions.  (It's EOL'ed by the author for other
reasons, though.)  Similarly, the use of DES in BSDI/FreeSec extended
crypt() is not a vulnerability (it's 64-bit hash space is a bit too
small, etc., but that's another matter).  And 3DES is still OK.

For yet another example, while HMAC-MD5 shouldn't be used for new
designs, there's no known realistic attack on it yet:

New Proofs for NMAC and HMAC - Cryptology ePrint Archive
https://eprint.iacr.org/2006/043.pdf

New Proofs for NMAC and HMAC: Security without Collision-Resistance
http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html

http://crypto.stackexchange.com/questions/9336/is-hmac-md5-considered-secure

https://tools.ietf.org/html/rfc6151

"  Therefore, it may not be urgent to remove HMAC-MD5 from the existing
   protocols.  However, since MD5 must not be used for digital
   signatures, for a new protocol design, a ciphersuite with HMAC-MD5
   should not be included."

Curious comments by Thomas Pornin and Dmitry Khovratovich on whether
e.g. MD5's compression function may be a PRF or not (and thus whether
the HMAC proof fully applies or not) despite of its insufficient
collision resistance:

http://crypto.stackexchange.com/questions/268/security-of-n-bit-hmac

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.