MD5 Collision Source Code Released

primo · 11-15-2005, 10:06 PM

It's no joke:
http://it.slashdot.org/it/05/11/15/2...tid=93&tid=228

http://www.stachliu.com.nyud.net:8090/md5coll.c
http://www.stachliu.com.nyud.net:8090/md4coll.c

tkedwards · 11-20-2005, 11:53 PM

According to what I've read it doesn't, in practice, make it any easier or faster to reverse (ie. crack) password hashes such as are used in Linux's /etc/shadow. Still it'd be good to see distros getting away from it as a default ASAP and moving to something like SHA-256.

cs-cam · 11-21-2005, 01:22 AM

Quote:

According to what I've read it doesn't, in practice, make it any easier or faster to reverse (ie. crack) password hashes

You still can't reverse a hash, that remains impossible. All this does is generate a string that will generate the same hash as another string, at least that's my understanding.

tkedwards · 11-21-2005, 04:51 AM

Its not impossible - it only takes a few days or hours with a modern computer to reverse an MD5 hash, and that was regardless of the recent collision discoveries. You'd hope with SHA-256 or something like that it'd be at least impractical to reverse it - ie. it'd take years or centuries or more.

Quote:

All this does is generate a string that will generate the same hash as another string, at least that's my understanding.

Yeah that's the impression I got as well. It's a real danger because it means that you can generate, for example, a trojaned ISO file that has the same MD5 sum as the real one.

primo · 11-21-2005, 05:11 PM

(the slashdot post has very misleading information)

What the algorithm does is not reverse a hash, not even (still) finding M2 such that H(M1) = X = H(M2), but finding both M1 and M2, the so-called birthday attack. A hash is theoretically secure if the birthday attack is approached by brute-force, but now there's an algorithm to do so.

I still don't know how much it affects shadow hashes. Salts only protects us from rainbow tables (that is, a collection of hashes of known passwords). Fortunately, recent distros have crypt-blowfish. You may configure it with /etc/login.conf. Just add / change the line to: ":passwd_format=blf:\"

tkedwards · 11-21-2005, 06:10 PM

Quote:

You may configure it with /etc/login.conf. Just add / change the line to: "

asswd_format=blf:\"

What distro is that on? I've just had a look on both Mandriva2006 and Centos4 and couldn't see anything like that. I think the blowfish stuff needs to be setup and some packages have it built in for it to work. Suse offers the option of blowfish passwords doesn't it?

primo · 11-21-2005, 06:52 PM

Try with PAM in /etc/pam.d/system-auth and maybe /etc/libuser.conf

ddaas · 11-23-2005, 08:46 AM

Have you tried the C program for that published md5 weakness? Could you found out a md5 collision?
I couldn’t .... and I let it working for 2 days on a P3 1Gz processor...