in reply to MD5 - what's the alternative

I'm using Digest::MD5 to generate unique cookie values as well as for password authentication. Should I or should I not continue to use Digest::MD5 for those operations?

The vulnerability is that if a 3rd party intercepts the MD5 hash, they can spend a few days of compute time to discover a plain-text input that will produce the same hash. You can mitigate or effectively eliminate the threat by limiting the length of plaintext passwords (say, 12 to 16 characters). Then, even if an attacker finds a longer text string that results in the same MD5 hash, they're cut off by the limit.

However, unless you're mixing user-supplied plaintext with some secret string before generating a hash, you're open to dictionary attacks.

MD5 is way down on the list of things I'm worrying about right now, but there's always the chance that I'm being naive.

Re^2: MD5 - what's the alternative
by ctilmes (Vicar) on Aug 27, 2004 at 12:05 UTC
    You can also throw some private bits into the data stream before hashing.

    If user supplies PW, which gets hashed to PW', and a 3rd party gets PW', the weakness allows them to discover another password that also hashes to PW'.

    If you add additional bits to the supplied PW -- PWpri, and hash that to PWpri', which the attacker gets, and using the techniques described, comes up with some bits that also hash to PWpri', they still can't come up with a valid PW that when pri gets added to it also produces PWpri'.

    Of course, if your security is such that an attacker can discover PWpri', they can probably find pri out anyway, and you're probably owned at that point anyway, so discovering PW is the least of your concerns.
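    An added example (not from this thread, and in Python rather than Perl's Digest::MD5, since the idea is the same) showing what mixing private bits into the stream buys you: an unsalted MD5 store matches a precomputed table of common words in one lookup, a per-user salted store does not, and a salted iterated KDF (PBKDF2 via hashlib) is the usual answer to "what's the alternative". The wordlist, user names and salts are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's precomputed table.
COMMON = ["password", "letmein", "hunter2"]


def unsalted(password: str) -> str:
    """What the original post describes: MD5 of the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def salted(password: str, salt: bytes) -> str:
    """ctilmes' suggestion: private bits go into the stream before hashing."""
    return hashlib.md5(salt + password.encode()).hexdigest()


# Built once from MD5(word); the same table works against every unsalted leak.
TABLE = {unsalted(w): w for w in COMMON}


def table_hits(stored: dict[str, str]) -> dict[str, str]:
    """Users whose stored hash appears in the precomputed table."""
    return {user: TABLE[h] for user, h in stored.items() if h in TABLE}


def pbkdf2_record(password: str, salt: bytes | None = None,
                  iterations: int = 200_000) -> tuple[bytes, int, bytes]:
    """The alternative: a random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_pbkdf2(password: str, record: tuple[bytes, int, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)
```

    With the unsalted scheme, two users who picked the same password also store the same hash, so one table lookup cracks both; with a per-user salt the stored values differ and the table finds nothing.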

Re^2: MD5 - what's the alternative
by beable (Friar) on Aug 27, 2004 at 08:22 UTC
    I don't understand why you think limiting the length of plaintext passwords to say, 12 to 16 characters will mitigate or eliminate the threat. Surely all that would do is reduce the search space that the attacker has to try to find a matching MD5 hash, making it even easier and quicker to crack the system. That's unless you think that the attacker won't know that you are limiting password length, in which case, aren't you relying on "security through obscurity"? As we all should know, security through obscurity gives a false sense of security, rather than actual security.
      I think the idea is that if you want to find THE 16 character plaintext it takes 2^128 operations. The new vulnerability means you can find an equivalent (but longer) plaintext in 2^40. So if you limit the password to 16 characters then a longer plaintext with an identical hash is no use. That said, I could be completely wrong about the vulnerability always producing longer strings.