Re: Moving away from MD5
Galen Hazelwood wrote:

> Forced to choose, I would say SHA-1. The design parameters aren't
> _that_ secret; there's an excellent discussion and comparison in
> Schneier's "Applied Cryptography" 2nd Ed. (You don't have a copy?
> Shame on you!)

Of course I have a copy (shame on you for suggesting that I don't :-), but Schneier didn't know about the weaknesses in MD5 when he wrote that book.

> I'll look at RIPEMD-160 as you suggested, but am skeptical for now.

When you do that, please keep in mind that Hans Dobbertin (the guy who cryptanalyzed MD4 and MD5) is one of the authors of RIPEMD-160, and that SHA-1 came out before that method of attack became public knowledge.

--
Thomas Koenig, [EMAIL PROTECTED], [EMAIL PROTECTED]
The joy of engineering is to find a straight line on a double logarithmic diagram.

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Moving away from MD5
Santiago Vila Doncel wrote:

> BTW: Just curiosity: I would be delighted to see two different files
> having the same md5sum. Do you have a simple example?

See http://www.ph.tn.tudelft.nl/~visser/hashes.html . Dobbertin's paper, http://www.ph.tn.tudelft.nl/~visser/dobbertin.ps , shows an example [with a different IV, but it still shows that MD5 is quite vulnerable].

SHA-1 has been designed before Dobbertin's attack methods became public knowledge. Three possibilities: it's vulnerable, it's not vulnerable by accident, or it's not vulnerable because the authors had design criteria they didn't publish. RIPEMD-160, OTOH, was written afterwards, specifically to be resistant to this kind of attack (with Dobbertin one of its authors :-)

WRT space requirements: An attacker who tries to create two files with equal hash values for an n-bit hash only needs around 2^(n/2) operations if he uses a so-called birthday attack, so the 128 bits of md5 only provide 64 bits of "real" security. A 160-bit hash does sound much better (although I'd still sleep more soundly with 256 bits, but there's no good 256-bit hash available at the moment).

--
Thomas Koenig, [EMAIL PROTECTED], [EMAIL PROTECTED]
The joy of engineering is to find a straight line on a double logarithmic diagram.
Re: Moving away from MD5
Thomas Koenig wrote:

> An attractive alternative would be RIPEMD-160. SHA-1, another
> alternative, has the main problem that its design parameters are secret.
> Source code for RIPEMD-160 is available, and the algorithm is in the
> public domain. For more information, you can check out
> http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html

Forced to choose, I would say SHA-1. The design parameters aren't _that_ secret; there's an excellent discussion and comparison in Schneier's "Applied Cryptography" 2nd Ed. (You don't have a copy? Shame on you!)

I'll look at RIPEMD-160 as you suggested, but am skeptical for now.

--Galen
Re: Moving away from MD5
> On Mon, 23 Jun 1997, Thomas Koenig wrote:
>
> > I think we should start moving away from MD5 as our main hash function.
> > MD5 has known weaknesses so that an attacker can quite possibly create
> > two files, differing maybe in a single bit or in quite a few bytes, but
> > having the same MD5 checksum.
[..]
> BTW: Just curiosity: I would be delighted to see two different files
> having the same md5sum. Do you have a simple example?

I'd be delighted to see two files with just a single bit changed have the same MD5 checksum too: given one file of length L, there are only L*8 bits you can change. As an md5sum is 128 bits long, it can take 2**128 values, i.e. significantly more possibilities than you have in flipping bits.

So, for file sizes smaller than say 500 MBytes, I'd say you need at least 4 bit-flips[1] to have a reasonable chance of getting the same md5sum back.

I don't really believe it's possible to get the same MD5 checksum by just flipping one bit. But 4 bits, yes it should be theoretically possible.

[1] 500 MByte = 2**32 bits. With those 4 bit-flips, you can make (2**32)**4 combinations = 2**128 = number of different md5sums.

--
joost witteveen, [EMAIL PROTECTED]
#!/usr/bin/perl -sp0777ihttp://www.dcs.ex.ac.uk/~aba/rsa/
Re: Moving away from MD5
Thomas Koenig wrote:

> I think we should start moving away from MD5 as our main hash function.
> An attractive alternative would be RIPEMD-160.
> http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html

This is probably a good thing to agree to do, before Klee redesigns dpkg to handle verification and other things (I think he's in California doing contract work right now).

One drawback is that it is 3 times as slow - and I assume that the output of the hash function is going to take 25% more bytes to represent it. Is there an equivalent of the md5sum program for it?

Sounds like a good idea to me, but I'm no expert on crypto.

Cheers,
- Jim
Re: Moving away from MD5
On Mon, 23 Jun 1997, Thomas Koenig wrote:

> I think we should start moving away from MD5 as our main hash function.
> MD5 has known weaknesses so that an attacker can quite possibly create
> two files, differing maybe in a single bit or in quite a few bytes, but
> having the same MD5 checksum.

As far as I know, Debian uses MD5 sums to avoid "random" alteration of files, not as a security measure against crackers, but I may be wrong.

BTW: Just curiosity: I would be delighted to see two different files having the same md5sum. Do you have a simple example?
Moving away from MD5
I think we should start moving away from MD5 as our main hash function. MD5 has known weaknesses so that an attacker can quite possibly create two files, differing maybe in a single bit or in quite a few bytes, but having the same MD5 checksum.

Also, 128 bits are starting to be in the range that can be attacked by brute force with a "birthday attack", which requires only about 2^64 operations. Check out comp.risks, 19.14 for one possible attack using this scheme. There may be others.

An attractive alternative would be RIPEMD-160. SHA-1, another alternative, has the main problem that its design parameters are secret. Source code for RIPEMD-160 is available, and the algorithm is in the public domain. For more information, you can check out http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html

--
Thomas Koenig, [EMAIL PROTECTED], [EMAIL PROTECTED]
The joy of engineering is to find a straight line on a double logarithmic diagram.
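An added illustration (not from the thread) of the two numbers argued about above: the birthday bound of roughly 2^(n/2) that Thomas cites for an n-bit hash, shown empirically on an MD5 digest truncated to 24 bits so the search finishes instantly, and Joost's count of files reachable from a 500 MB file by flipping k bits. The hashed messages are constructed labels, and truncating the digest is only a way to make the birthday effect visible at toy scale; it says nothing about Dobbertin's structural attack on full MD5.

```python
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """MD5 of data, keeping only the leading `bits` bits as an integer."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def birthday_bound(bits: int) -> float:
    """Expected number of random inputs before two share an n-bit hash value:
    about sqrt(pi/2) * 2^(n/2), i.e. on the order of 2^(n/2), not 2^n."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, limit: int):
    """Hash a deterministic sequence of constructed messages and stop at the
    first pair of distinct messages whose truncated hashes are equal.
    Returns (message_a, message_b, trials), or None if `limit` is reached."""
    seen = {}
    for i in range(limit):
        msg = b"constructed-message-%d" % i  # constructed sample input
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def bit_flip_variants(file_bytes: int, flips: int) -> int:
    """Number of distinct files obtainable from an L-byte file by flipping
    exactly `flips` bits: C(8L, flips). This is the quantity Joost compares
    against the 2^128 possible MD5 values."""
    return math.comb(8 * file_bytes, flips)


if __name__ == "__main__":
    n = 24
    print(f"expected trials for a {n}-bit collision: ~{birthday_bound(n):.0f}")
    a, b, trials = find_collision(n, 1 << 17)
    print(f"collision after {trials} trials: {a!r} / {b!r} -> "
          f"{truncated_md5(a, n):06x}")
    print(f"128-bit MD5 collision work: ~2^{math.log2(birthday_bound(128)):.1f}")
    for k in (1, 4):
        v = bit_flip_variants(500 * 2 ** 20, k)
        print(f"500 MB file, {k} bit flip(s): 2^{math.log2(v):.1f} variants vs 2^128")
```

The 24-bit run needs on the order of five thousand hashes rather than sixteen million, which is the whole point of the 2^(n/2) figure.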