From: <dobbertin@skom.rhein.de>
Newsgroups: sci.crypt
Subject: MD5 discussion
Date: 11 Jun 1996 14:22:03 GMT
Organization: CompuServe Incorporated
Lines: 38
Message-ID: <4pjvec$1c6@dub-news-svc-4.compuserve.com>
NNTP-Posting-Host: hd43-009.compuserve.com
Content-Type: text/plain
Keywords: MD5
Content-length: 2222
X-Newsreader: AIR Mosaic (16-bit) version 3.10.08.25


In view of the continuing discussion about MD5, I want to make a few comments,
which hopefully can help to avoid some misunderstandings and misinterpretations:

1. In February 1996 my paper "Cryptanalysis of MD4" appeared (Fast Software
Encryption, Cambridge Proceedings, Lecture Notes in Computer Science,
vol. 1039, Springer-Verlag, 1996, pp. 71-82). In this paper, as an example, two
versions of a contract are given with the same MD4 hash value. Alf sells his
house to Ann; in the first version the price is $176,495 and in the second it is
$276,495. The contracts have been prepared by Alf. Now if Ann signs the first
version with $176,495 then Alf can alter the price to $276,495 ...
In principle this risk occurs, if you use a hash function for which (meaningful) collisions
can be found, whenever you allow another person to have influence on the
contents of a document you are signing. Certainly this does not happen
very often in practical applications. But sometimes you *must* have an agreement
about a text (contract) which is then signed by two or more parties. And these are
often just the most important applications!

2. I suspect that the recent attack on MD5 compress can be refined and extended
such that it might lead to MD5 collisions (matching the right IV) and perhaps then
even to similar results as already obtained for MD4. Certainly this requires a lot of 
hard additional work.  

3. If you write a message on your own (nobody else has influence on it) and sign
it using MD5 (and a strong public key algorithm, of course) then there is no danger
that it can be altered (at least according to our knowledge today)! Thus it is true
that I guess almost all of you will have no risk using MD5, for instance in PGP.
However, if you accept 2., then in some cases there could be problems ... 

4. After all I have reservations about keeping MD5 as a (de facto) standard,
because 2. might indicate that there is a serious security problem with MD5.

5. My conclusions are: no reason for panic, but in future implementations better
move away from MD5.

6. Presently a paper discussing the status of MD5 in detail is in preparation.

  -   Hans Dobbertin
