Re^2: On showing the weakness in the MD5 digest function and getting bitten by scalar context

While it might be amusing to watch people run around in panic over this, I wish they'd stop. They've been told for years that they should avoid MD5; I'm just surprised this discovery wasn't made sooner.

Hear, hear.

Also, I'm not sure on this point, but I don't think SHA-512 adds any security over SHA-1. It increases the size of the bitstream, which is useful for some applications, but finding collisions would take the same amount of time.

Not sure I follow you here. If the best possible collision-finding attack is brute force, shouldn't a longer output translate directly to more work? Are you suggesting that there is a better-than-brute-force attack against SHA-512? I'd have to say that it seems likely that one will be discovered someday. This MD5 discovery shows how much we still have to learn about constructing hash functions.

Comment on Re^2: On showing the weakness in the MD5 digest function and getting bitten by scalar context

Replies are listed 'Best First'.
NIST response on the weakness in the MD5, etc. digests by dwhite20899 (Friar) on Aug 29, 2004 at 16:31 UTC
Just for the record... yes, I work at NIST, but not in the Security division. However, I use hashes at the core of my work - http://www.nsrl.nist.gov/collision.html The official statement is below : http://csrc.nist.gov/ http://csrc.nist.gov/hash_standards_comments.pdf NIST Brief Comments on Recent Cryptanalytic Attacks on Secure Hashing Functions and the Continued Security Provided by SHA-1 Cryptographic hash functions that compute a fixed size message digest from arbitrary size messages are widely used for many purposes in cryptography, including digital signatures. At the recent Crypto2004 conference, researchers announced that they had discovered a way to "break" a number of hash algorithms, including MD4, MD5, HAVAL-128, RIPEMD and the long superseded Federal Standard SHA-0 algorithm. The current Federal Information Processing Standard SHA-1 algorithm, which has been in effect since it replaced SHA-0 in 1994, was also analyzed, and a weakened variant was broken, but the full SHA-1 function was not broken and no collisions were found in SHA-1. The results presented so far on SHA-1 do not call its security into question. However, due to advances in technology, NIST plans to phase out of SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010. SHA-1 and the larger hash functions are specified in FIPS 180-2. For planning purposes by Federal agencies and others, note also that the use of other cryptographic algorithms of similar strength to SHA-1 will also be phased out in 2010.	[reply]
Re^3: On showing the weakness in the MD5 digest function and getting bitten by scalar context by hardburn (Abbot) on Aug 30, 2004 at 12:52 UTC
shouldn't a longer output translate directly to more work? Are you suggesting that there is a better-than-brute-force attack against SHA-512? I wasn't sure, but as I recalled, SHA-512 is useful when you need 512 bits of information, but for something other than security reasons. It'd be no more secure than if you had taken the orginal data, hashed it, flipped a bit in the hash, hashed that, and the concatonted the two hashes together into a value twice the size of orginal hash. It's bigger, but you could still cryptoanaylize the hash with as much work as it would take to get the orginal hash size. However, a lot of other things I've read seem to contrict what I thought I knew; SHA-512 might really be that much more secure, at least as far as brute-forcing goes. "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.	[reply]