And any application, especially a security application that ignores the congectural nature of the uniqueness factor of md5s, and relies upon that uniqueness, is broken--not by this discovery, but by design.Everything is conjecture, I'm afraid. If you're holding out for absolute proof of security, you will be waiting a long time.
What assurances we have come from mathematical proofs that assume the existence of a collision-free hash function(1) and reason from there. Since someone has found a way to generate collisions, that makes the proofs useless for MD5. You are correct in pointing out that the collisions that are generated take a particular form, and that form may or may not expose an actual vulnerability in real cryptographic protocols. We could try to prove that no vulnerability exists, but the proofs would become fiendishly difficult, and not everyone would have confidence in the ability of mathematicians to get them right. The prudent course of action is to switch to a hash function for which the original conjecture still holds.
(1) Collision-free is a technical term meaning collisions are hard to find, not that they don't exist. Some proofs don't need the collision-free property, so I guess they're still safe. Void where taxed, licensed, or restricted. Professional driver -- do not attempt.
Others must reach their own conclusions, based on their knowledge of their uses of md5...Another interesting thing about cryptography is that everyone thinks they're an expert.
In reply to Re^12.5: On showing the weakness in the MD5 digest function and getting bitten by scalar context
by Anonymous Monk
in thread On showing the weakness in the MD5 digest function and getting bitten by scalar context
by grinder
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |