MD5 Collision Source Code Released

SiliconEntity writes "The crypto world was shaken to its roots last year with the announcement of a new algorithm to find collisions in the still widely-used MD5 hash algorithm. Despite considerable work and commentary since then, no source code for finding such collisions has been published. Until today! Patrick Stach has announced the availability of his source code for finding MD5 collisions and MD4 collisions (Coral cache links provided to prevent slashdotting). MD4 collisions can be found in a few seconds (but nobody uses that any more), while MD5 collisions (still being used!) take 45 minutes on a 1.6 GHz P4. At last we will be able to implement various attacks which have been purely hypothetical until now. This more than anything should be the final stake in the heart of MD5, now that anyone can generate collisions whenever they want."

Replacement Hash Functions

[Anonymous Coward]

Recommended replacements are SHA (preferably SHA-2), WHIRLPOOL and/or RIPEMD.

http://en.wikipedia.org/wiki/SHA-2 [wikipedia.org]
http://en.wikipedia.org/wiki/WHIRLPOOL [wikipedia.org]
http://en.wikipedia.org/wiki/RIPEMD-160 [wikipedia.org]

Re:SHA1

[Mind Booster Noori]

SHA-1 is not the sollution [schneier.com].

Re:SHA1

[psykocrime]

So is SHA1 the recommended alternative?

No, see:

http://www.computerworld.com/securitytopics/securi ty/story/0,10801,99852,00.html [computerworld.com]

and

http://www.computerworld.com/softwaretopics/softwa re/story/0,10801,105875,00.html [computerworld.com]

I like this quote:

"SHA-1 is a wounded fish in shark-infested waters, but I'm more worried about MD5 because it's used everywhere," said Niels Ferguson, a cryptographer at Microsoft Corp. "Try to switch away from SHA-1 as quickly as you can, but switch away from MD5 first," he said when asked what recommendations he has regarding the algorithms during a panel discussion at the conference.

"broken" does not mean broken

[Edgewize]

This program is an efficient way to generate two source blocks with the same resulting MD5. This program does NOT allow you to match an arbitrary MD5 hash. That may come some day, but unless I've missed a very important paper somewhere, it has not happened yet.

This does not totally invalidate MD5 for verification. This attack still does not let you poison a torrent feed, etc, unless you are the author of the original source data and you engineered the data specifically to be vulnerable to this attack.

Re:bittorrent?

[Wesley Felter]

BitTorrent uses SHA-1.

Re:So what the hell do I do now?

[yamla]

That's not what MD5 sums are used for. TCP/IP already has packet integrity. MD5 sums are indeed used to make sure you don't have a malware-filled ISO. The trick is that you grab the MD5 sum from a trusted source, then you can grab the ISO image from any mirror site. Assuming MD5 is safe (obviously not the case), you know your downloaded ISO is exactly the same as the one distributed from the central repository.

Re:The end of edonkey

[n0dalus]

No. This only helps you find collisions in two randomly generated strings.
It is still very difficult to produce a colliding file given a pre-existing file on the network.
It should also be noted that edonkey splits a file into 9500KB chunks, and then into smaller chunks again, and hashes each one. It would be far more difficult to produce a chunk that causes collisions on all three levels.
Anyway, I expect an eMule extension will come out soon to allow for sharing of SHA1 hashes between clients (if it doesn't already exist).

Re:So what the hell do I do now?

[Zocalo]

Most things use multiple checksums, for instance on the updated copy of Lynx I just grabbed for Fedora:

$ rpm --checksig lynx-2.8.5-23.2.x86_64.rpm
lynx-2.8.5-23.2.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
$

So, even if it is also possible to generate collisions for DSA and GPG keys as well as SHA1 and MD5, the chances of being able to generate a collision for all four checksums/signatures at the same time is quite likely infinitesimally small. And that's just for a random file, things are going to get much more complex if you want that random file to can pass as whatever format the original was supposed to be and actually deliver a payload that might do something useful for the cracker.

See pam_unix2 for blowfish in shadow files

[Anonymous Coward]

$2$blah instead of $1$blah MD5 http://www.thkukuk.de/pam/pam_unix2/ [thkukuk.de]. Quite useful.

Re:So you found a collision, big deal

[Krischi]

See this: http://www.cits.rub.de/MD5Collisions/ [cits.rub.de]

It demonstrates the generation of two postscript files with the same MD5 hash that nevertheless display completely differently.

Re:SHA1

[Anonymous Coward]

No, MD5 and SHA1 were found to have better than brute-force attacks within a few months of each other.

Crypto people are recommending SHA-256 or SHA-512 which is only like SHA-1 in name.

Obviously check your the hash length beforehand and make sure your database column is wide enough.

When migrating existing hashes to the new hash be careful not to store the old hash anywhere -- that can be the weak link in the chain. For example, generating passwords and having the MD5 around lets attackers generate valid inputs and then try them against the more computationally complex hash. It gives them an approach to attacking your stronger hash.

Take a copy of your database and hash all the existing passwords into SHA-512 form, and you'll need some way of distinguishing the MD5-to-SHA512 hashes from the SHA512 hashes, so add a date column with todays date in it. Then write a function "hashString" as a wrapper that can identify when something was hashed, and go down a different branch of code based on that.

The first branch does MD5 then SHA512, the second branch does SHA512, and it does this based on the date column.

And, of course, re-salt both branches.

MD5 is still useful.

[Theovon]

This program generates ARBITRARY collisions. Given a tarball of a Linux kernel, you can generate some other file with the same MD5 hash. But can you generate a collision that is also a valid tarball that unpacks cleanly and compiles? The chances of that are so remote that I don't see it happening any time soon.

Here's the real trick. Take your kernel tarball X, and your hacked version Y. Using this collision finder, can you find some garbage Z such that Y appended with Z has the same hash as X? (Tar will, however, complain about extra stuff at the end of the tarball, but it would unpack and compile.) That's a MUCH harder problem than finding arbitrary collisions and would take a HELL of a lot longer to produce than 45 minutes on a PC.

Re:Why?

[ninjaz]

Why not just use 2 different algorithms? Yes, it's possible. Or hell, use 3. Can some one tell me why not this isn't a standard practice? Even if one has a weakness, you still have the other to back it up

I noticed that NetBSD's source-based package management system, pkgsrc [netbsd.org], already does this using SHA1 and RMD160 (apparently RIPEMD-160 [wikipedia.org] is the official name for the digest). Here's what it looks like in the archive fetching phase of a package installation:

=> Checksum SHA1 OK for unzip-5.52/unzip552.tar.gz.
=> Checksum RMD160 OK for unzip-5.52/unzip552.tar.gz.
===> Extracting for unzip-5.52nb2

One might also imagine that colliding two different hash types at the same time would be much more difficult than only at a time, anyway.

Re:So you found a collision, big deal

[andyh1978]

Maybe someone could explain why collisions are a serious problem for MD5. Or at least in what instances they are. I can see that in some cases, such as password hashing this could be a problem.

It's not a problem in password hashing. There is still no feasible way to compute one of the infinite plaintexts that would generate a given MD5 from just the MD5. Rainbow Tables are the main threat there, but they're defeated by salting (e.g. HMAC-MD5) as you have to regenerate the tables all over again (and find the salt in the first place). It doesn't hurt to go to a larger, more complex hash, but for this purpose, there's no additional worries. It's still "preimage resistant".

Re:MD5 is not an encryption algo

[swillden]

t's also the default algorithm to hash passwords (i.e. if you type in your password, it gets hashed into an MD5 sum which is then compared to what the MD5-ed password should be, thereby avoiding plaintext password storage).

Doesn't matter. This attack has no significant effect on password hashing, with or without salt.

This attack allows you to find a pair of plaintexts that hash to the same value; you don't get to pick either the plaintexts or the hash value. It does not help you find a plaintext that hashes to a given value. To use this to attack an unsalted password hashing system you would need to first generate a collision, then convince the target of your attack to set one of those plaintexts to be his/her password, then you could log in using the other plaintext. But if you can convince the target to use a particular password, why not just use that to log in?

This is not an insignificant cryptologic result, and people should move away from MD-5 as fast as practically possible (actually, people have been moving away from it for years due to some results against MD-4, which MD-5 is very similar to) but it doesn't really have any practical implications right now.

Re:SHA-1???

[poemofatic]

Huh? The SHA-2 family have been standardized, approved by NIST, and recommended by the NSA as part of their suite B for some time now. They are *much* more proven than Whirlpool and required for government use, whereas Whirlpool is not allowed for government use. Look at the SHA-512, SHA-384, SHA-256 CMVP instructions and validation lists before you say that NIST has not approved these hashes.

Re:This cannot be used to crack passwords

[Fallingcow]

This cannot be used to crack passwords

It can be used to generate two byte streams having the same hash[....] ... which cracks a password.

The MD5 (or SHA, or whatever) password authentication, the hash is the only thing stored on the machine. When a user inputs a password, the input password is hashed using the same algorithm, and that's compared to the stored hash.

So, a colision would create the same hash, and would thus authenticate just like the real password, assuming it didn't break some input size limit or something.

Q and A

[Sheepdot]

For those of you who store passwords as hashes in your web apps, I've developed a little "Q & A" post here that explains this as best as possible.

Question: Does this mean all my MD5 passwords for all my users can be cracked?
Answer: The short answer is yes, they can be cracked. The long answer is no, not if you used a salt, and the attacker has to get those md5 hashes first. You are not safe you are storing your user's password field input directly to the database ala the php/sql method of:

INSERT INTO users VALUES ('user','" . md5($password) . "');

Question: How should I remedy this?
Answer: Always use a salt or salts. For example in the case above you could use this php/sql method instead:

INSERT INTO users VALUES ('user','" . sha1(md5($password . '¥1i9k') . 'a-thirty-five-ch4racter-l0ng-str1ng' . md5($password)) . "');

Question: How/Why is this safer?
Answer: Collisions are only direct input for the md5 function to get the same md5 hash. So in the above case, $password was directly taken from the user and made into a hash. Assuming an attacker got an SQL injection in and grabbed the database, they could run this collision creator on a hash and produce an input that gave that exact hash.

But, this would be much more difficult with any code that introduced a salt. That is why the second code is better, it includes two salts that the attacker (through his SQL injection) is unable to account for.

Re:SHA1 (NO)

[photon317]

MD5 is dead. SHA-1 is currently dying. They're both based on the same fundamental math, and the attacks on SHA1 are getting stronger and stronger. Now would be a really good time to get off of that entire family of hashes if you can (MD4, MD5, RIPEMD-* SHA-*, etc).

The crypto world is in a little bit of a bind when it comes to strong hashes now. We simply don't have any left that both have a long proven track record of analysis and haven't been seriously compromised. Best bet, IMHO, is to go with a new-blood hash algorithm. They seem to be the answer we're looking for - but of course what they lack is more years of intensive study by the experts for flaws they themselves might harbor.

So if you want to give them a whirl, I'd recommend looking at Tiger and Whirlpool:

http://en.wikipedia.org/wiki/Tiger_(hash) [wikipedia.org]
http://en.wikipedia.org/wiki/Whirlpool_(algorithm) [wikipedia.org]

Re:WTF this source is useless

[Theatetus]

If you RTFRFC [faqs.org] you might notice that those are the variable and section names used in the algorithm specificaiton.

Editors: Change the Links

[theelemur]

The Coral Cache is extremely slow. Please point the links to the original site www.stachliu.com/collisions.html as the html is small/static and the machine it's sitting on has a decent (100mb) connection. Thanks.

Re:This cannot be used to crack passwords

[cnettel]

The program generates byte stream A and B, both having the same hash C. You can't input C and get an arbitrary B out (with this algorithm).

Re:Why?

[Phleg]

Just like mixing medications can have very bad synergistic side effects, so should encryption or hashing technologies be mixed and matched.

As an example, when DES was first known to be broken, the most intuitive solution would be to double-encrypt the plaintext. However, upon cryptographic analysis, this acutally fails to improve the complexity of an attack (and in some cases may simplify it). Thus, Triple DES.

Be very wary of trying to combine "broken" algorithms in an attempt to gain security, especially if you have no real grounding in cryptanalysis. Vulnerabilities in each have a nasty tendency to either amplify or at least complement each other in highly unpredictible ways.

Remember one of the basic tenets of cryptography: it's easy to create an algorithm that you can't break. But just because you can't think of a way to break it doesn't mean there's not a trivial way to do so.

Re:So you found a collision, big deal

[andyh1978]

the problem is that if someone knows the MD5 of a password, they can use this code to generate another password with the same MD5. since passwords are usually stored hashed, an attacker wouldn't need to know the original password, only another password that would generate the same MD5

How?

The collision vulnerabilities do not allow this. They require both the MD5, and the original plaintext, to produce a modified plaintext that has the same MD5.

Think about it - how do you know it's a collision at all, unless you have the original plaintext? A collision is two different plaintexts that produce the same MD5. You can't know if you have a different plaintext unless you have the original plaintext.

If you had the original plaintext, that means you've got the original password, so collisions are entirely irrelevant. You've already got what you need to log in.

There is still no way, other than the brute force enumeration which is made easier to look up through Rainbow Tables, to get from an MD5 to a plaintext that hashes to that MD5 value. The discovery of methods to produce collisions has not weakened MD5 any further - so far only the increase in computing power to produce Rainbow Tables has weakened this particular use. But trivial salting of the values makes Rainbow Tables useless once more [wikipedia.org].

The use of MD5 as a method to checksum files has been blown out of the water, of course. That's the other use, which I'm not arguing about at all. You know both the plaintext and the MD5 there, because you've downloaded the file and the MD5 for the file which you trust can't be forged - which is no longer true.

Re:SHA1

[jacksonj04]

Yes, so

hash1 = md5(input1)
hash2 = sha1(input1)

Then to validate you run the input through the same thing. Like I said, the chances of a valid input colliding with both are ignorably slim.

Re:SHA-1???

[Anpheus]

You're half right, SHA-256, 384, 512 are part of FIPS 180-2. That is, they are approved for government use. FIPS 180-2 [nist.gov] (PDF Warning!)

Brief Caveat: SHA-1 is still more algorithmically secure, as finding a hash is not feasible on desktop computers. SHA-256 and higher length are in the same vein of logic that provides this security, but like any new algorithm, there is an insufficient amount of study to verify this. This applies to Whirlpool as well, AES might be sufficiently secure, but Whirlpool != AES.

Re:So what the hell do I do now?

[swillden]

So, even if it is also possible to generate collisions for DSA and GPG keys as well as SHA1 and MD5, the chances of being able to generate a collision for all four checksums/signatures at the same time is quite likely infinitesimally small.

Actually, only SHA1 and MD5 need collide. DSA and GPG aren't used for hashing. DSA is used for signing the hashes, and GPG just implements and structures all of the above.

Still, you're right that finding collisions for both MD5 and SHA-1 on the same pair of files is extremely unlikely.

And that's just for a random file, things are going to get much more complex if you want that random file to can pass as whatever format the original was supposed to be and actually deliver a payload that might do something useful for the cracker.

Hammerhead, meet nail.

Re:MD5 is not an encryption algo

[dotgain]

You don't seem to understand... Having the MD5 hash of a piece of software and the ability to generate a collision for that hash will logically lead to more code which can take any dll/exe, inject malicous code along with whatever other random garbage characters are needed to produce the collision. Yes, the sizes will be different but even that can be fudged given the sophistication of today's hackers. You don't seem to read the article. We don't yet have the ability to create a plaintext that will map to a predetermined hash value.

While we might discover that "Donald Duck" has the same hash as "a", we don't get to choose either. We can't say "gimme a plaintext that hashes to this: 0x4faed...", all we can do so far is say "find two plaintexts that will give us the same hash"

Not that this doesn't mean this is a very serious matter. My take on the situation is: "Oh. Shit."

Re:MD5 is not an encryption algo

[Haeleth]

You don't seem to understand... Having the MD5 hash of a piece of software and the ability to generate a collision for that hash will--

Stop right there, because it's quite clear that the one who doesn't understand is you. Nobody has the ability to generate a collision for a given MD5 hash. All we have is the ability to generate two bits of random junk that share the same hash. This makes some attacks possible, but it does not make it possible for you to distribute a malicious version of someone else's software that has the same MD5 hash as their version.

Re:Q and A

[slashdotmsiriv]

You got the whole deal wrong. The published attacks are not able to find a second preimage that is: for a certain y = h(x) find x' such that h(x')=h(x)=y.
All this salt deal is completely redundant. Salts would make finding second preimages harder but it is already hard.
Ppl need to realize that collision resistance is not the same as second preimage resistance. What the so called attack on MD5 does is finding collisions, random pairs that actually hash to the same value. The probability those pairs hash to hash values that you find in password records is negligible. It is almost as probable as trying random passwords until you find the one you are looking for.

MD5 was designed to be both collision and second preimage resistant. These guys in China showed it is not collision resistant. That is a great theoretical result, but far from useful in practice. It remains second preimage resistant, so enough with this fake hype.

Your passwords are completely safe if stored as hashes.

MD5 and digital signatures

[dido]

The main problem with MD5 as it's used today comes when MD5 is used as a component of a digital signature scheme. Most digital signature schemes based on public key crypto work like this:

1. Generate hash of document to be signed
2. Encrypt hash of document using signer's private key (this is the signature)
3. Send document along with signed hash to whoever cares

To verify a digital signature, the following is performed:

1. Recompute hash of signed document
2. Decrypt signature using signer's public key, producing calculated hash
3. Compare computed hash and signed hash--if they match, signature is authentic

Now, it's easy to see why this spate of collision attacks on hashing algorithms is so deadly. If, given some signed document, you can produce another document that verifies to the same signature, well, I guess you're in a world of hurt. If these documents happen to be public key certificates, well, the whole PKI more or less collapses. And well, here's a bit of news: someone has done just that [win.tue.nl] with X.509 certificates based on MD5.

Re:MD5 collisions is a non-issue

[slashdotmsiriv]

"You can generate collisions at any point in a file simply by starting with the partial MD5 sum up to the point in the file that you want to insert the block at.
" That's incorrect. MD5 operates over 512-bit blocks and uses state generated from the hash of the previous blocks to generate the new state for the current block. The state is actually the 4 words of the 128 digest.
Here is the alg from wikipedia:
init h0
init h1
init h2
init h3
for each 512-bit chunk of message
break chunk into sixteen 32-bit little-endian words w(i), 0 i 15 //Initialize hash value for this chunk: var int a := h0
var int b := h1
var int c := h2
var int d := h3

//Main loop:
for i from 0 to 63
if 0 i 15 then
f := (b and c) or ((not b) and d)
g := i
else if 16 i 31
f := (d and b) or ((not d) and c)
g := (5×i + 1) mod 16
else if 32 i 47
f := b xor c xor d g := (3×i + 5) mod 16 else if 48 i 63
f := c xor (b or (not d)) g := (7×i) mod 16

temp := d
d := c
c := b
b := ((a + f + k(i) + w(g)) leftrotate r(i)) + b
a := temp
//Add this chunk's hash to result so far: h0 := h0 + a
h1 := h1 + b
h2 := h2 + c
h3 := h3 + d
var int digest := h0 append h1 append h2 append h3 //(expressed as little-endian) What these guys have done is to find 512 bit blocks or larger that return the same hash given the same initial state h0, h1, h2, h3. As u can see above, if you find a collision for state i, ho, h1, h2, h3 the same collision will not work for the different state MD5 will have say after processing a number of blocks. It is computationally feasible to find many collisions for the initial state but to find collisions for all possible states and to have these collisions occuring in the original file is very hard. So, no you cannot simply search the file for blocks that are among the blocks for which u found a collision and then simply replace them with their collision. The MD5 for which you found the collision and the MD5 that is used over the file are essentially two different functions and will not hash to the same value. As for the rest of your comments: I hope you realize that you don't just give their program an MD5 hash and it outputs two values that hash to that output. MD5 has been shown not to be collision resistant but it is still preimage and second preimage resistant. I explicitly said that we assume the signer is trusted, you did not need to say anything about trusted parties. If the signer is not trusted the whole signed code scheme is meaningless.

MOD ME DOWN

[swillden]

The parent comment, which I wrote, was based on a severe misunderstanding of the extent of the capability of the attack. In particular, I didn't realize that the attack could find collisions even with arbitrary, attacker-specified IVs. What that means is that it is indeed possible to generate x.509 certificates containing different keys but the same MD5 hash (and therefore the same signature). In fact, it's been done [win.tue.nl].

Re:breaking torrents?

[joecr]

One Minor problem is that BitTorrent actually uses SHA not MD5 for it's hashing. Check out the following link for more information. http://dessent.net/btfaq/#hash-check [dessent.net]

How to calculate SHA-2 under GNU/Linux

[YA_Python_dev]

A lot of people have the programs md5sum and sha1sum installed, but they often don't have equivalent programs for the SHA-2 family. To calculate those you can use the command:

gpg --print-mds [files]

or you can download a dedicated program: http://www.ouah.org/~ogay/sha2/ [ouah.org].

Re:SHA1

[Anonymous Coward]

If you can find a collision in one, you can, for pretty much the same work, find a collision in the second hash. Cascading hash functions like this DOES NOT WORK.

Look up the Joux Multicollision paper from 2004 CRYPTO. This is a famous result.

This scheme you propose has been broken by Joux.

-Matt

Re:Doesn't Microsoft networking still use MD4?

[Anonymous Coward]

Yes, Active Directory enviroments still strongly encourage storing the password in MD4 hash format. Also, to take advantage of the 802.1x authentication client built into XP SP2 also requires the password to be stored in MD4 hash format.

When you read "nobody" on Slashdot, it means that the egos of SiliconEntity and Zonk does not allow them to believe that there is an entire world that use something different than they do. If you replace "nobody" with "I" (or royal "we") then the comment makes more sense, such as "We the Zonk choose never to use MD4."

The biggest problem with this "me" focused view of the world is that it misses where people indirectly use MD4. If you are an employee, have a bank account, use any utilities, belong to an HMO/PPO, etc. then you probably indirectly trust MD4 to authenticate who has access to your personal information.

Thank goodness for disclosure laws like in CA which at least notify use after the fact how truely 0wn3d our personal data is.

Re:Q and A

[Anonymous Coward]

Ouch! No, don't use your suggested hashing algo.

Lets go over a couple of problems in what you pointed:
- Getting code can be easy: In the past there have been several php source disclosure vulnerabilities. While there are no currently known ones, it doesn't mean there won't be again.
- Incorrect configuration can reveal source: re-install Apache but forget to put the php module? Source! Also, if you have different virtual paths to the same source, with different executability configurations, you may very well have a disclosure problem without knowing it.
=> Conclusion: don't rely on a fixed, hard coded secret!

Next, assuming the attacker had read access to both your DB and source (and $GLOBAL):
sha1(md5($username . $password . 'salt1') . 'salt2' . $GLOBALS['somesetvalue'])
This becomes:
sha1(md5($username . $password . known) . known)
For a dictionary attack, this becomes no more dificult then:
hash($username . $password)
Further more, md5 generates a 64 bit hashs, sha1 generates a 128 bit hash. It is quite likely that it would be possible to authoritatively revers the md5 value from the sha1, eliminating sha1 from the equation. hashing a 64 bit value into 128 bits is no more secure than hashing into 64 bits.

That said, using a user-name as a salt has the added downfall that if two sites use the same method (and extra constant salts) both will hash to the same value. This means you can authoritatively say that a given user has the same password on both sites, without knowing the password.

The best solution, as the parent poster pointed out before suggesting a username based solution, is to have a randomly assigned salt for each user.

Re:bittorrent?

[Breakfast Pants]

He was talking about poisoned seeds. And theoretically SHA-1 isn't fine for this and is vulnerable to the same flaws as MD5. It isn't practical now (and certainly not as practical as poisoning kazaa shares... where every other byte in a file is skipped(!) for performance when generating a hash).

Adi Shamir's Hash Function *IS* 'unbreakable'....

[iamcf13]

Let Ron 'RSA' Rivest tell you why....

(from material at the Pure Crypto Project - http://senderek.de/pcp/ [senderek.de] )

Quote below from http://senderek.de/pcp/pcp-security.html [senderek.de]

Adi Shamir once proposed the following hash function:

          Let n = p*q be the product of two large primes, such that
          factoring n is believed to be infeasible.

          Let g be an element of maximum order in Z_n^* (i.e. an
          element of order lambda(n) = lcm(p-1,q-1)).

          Assume that n and g are fixed and public; p and q are secret.

          Let x be an input to be hashed, interpreted as a
          non-negative integer. (Of arbitrary length; this may be
          considerably larger than n.)

          Define hash(x) = g^x (mod n).

Then this hash function is provably collision-resistant, since
the ability to find a collision means that you have an x and
an x' such that

          hash(x) = hash(x')

which implies that

          x - x' = k * lambda(n)

for some k. That is a collision implies that you can find a
multiple of lambda(n). Being able to find a multiple of lambda(n)
means that you can factor n.

I would suggest this meets the specs of your query above.

                  Cheers,
                  Ron Rivest

Ronald L. Rivest
Room 324, 200 Technology Square, Cambridge MA 02139
Tel 617-253-5880, Fax 617-258-9738, Email

The nice thing about Adi Shamir's hash function is that it, as well as the RSA cryptosystem co-created with Rivest and Len Adleman is all based on simple modular exponentiation.

Too bad the Feds consider arbitrary precision mathematics used for encryption purposes to be 'a munition' and 'a controlled export'.... :(

Years ago, they raked Phil Zimmerman [philzimmermann.com] over the coals over his email cryptosystem PGP then (eventually) left him alone.

Can't cryptosavvy individuals secure the details of their affairs with strong encryption WITHOUT being hassled by 'the Man'?...

P.S. However, Rivest came up with a scheme that gives you 'confidientiality *without* encryption' through a scheme he calls Chaffing and Winnowing [mit.edu]

Enjoy! :)

Exactly!

[0xB00F]

Because that would require the hashed password and a preimage attack.

See here [cryptography.com].

Summary for those who are lazy:

• This is a collision attack. The attacker will be able to find two messages that will produce the same hash, but the attacker cannot choose what the hash will be. So this rules out attacks on hashed passwords.
• Since a collision attack can find to messages that will produce the same hash, it is possible to use this to break message signing, such as DSA and RSA. where a hash of the message is generated first and then signed cryptographically.
• Collision attacks cannot be used to tamper with existing SSL certificates. It can be used to craft a CSR which will allow you to receive a server certificate with a collision to one containing a wildcard for the domain name and an expiration date far in the future. This by far is one of the most dangerous exploits because most CA's will issue certificates without completely verifying the identity of the requester.
• Because of the way MD5 is used in SSL 3.0/TLS, these attacks do not affect it.
• Collision attacks do not affect MD5 and SHA-1 when they are used in an HMAC. So even though a hash function can be broken by either by collision attacks, they can still be used safely in HMAC.
• Tampering a signed binary is only possible using a preimage attack.
• All will have naturally collisions. How exploitable they are depends on how easy it is to find those collisions.

In conclusion, the value of this attack/exploit is only relative to how the hash function is used in an application. Just because this exploit and source code for it exists, that does not that these hashing algorithms are completely useless.