Paper 2004/357

MD5 To Be Considered Harmful Someday

Dan Kaminsky

Abstract

Joux and Wang's multicollision attack has yielded collisions for several one-way hash algorithms. Of these, MD5 is the most problematic due to its heavy deployment, but there exists a perception that the flaws identified have no applied implications. We show that the appendability of Merkle-Damgård allows us to add any payload to the proof-of-concept hashes released by Wang et al. We then demonstrate a tool, Stripwire, that uses this capability to create two files -- one which executes an arbitrary sequence of commands, the other which hides those commands with the strength of AES -- both with the same MD5 hash. We show how this affects file-oriented system auditors such as Tripwire, but point out that the failure is nowhere near as catastrophic as it appears at first glance. We examine how this failure affects HMAC and Digital Signatures within Digital Rights Management (DRM) systems, and how the full attack expands into an unusual pseudo-steganographic strikeback methodology against peer-to-peer networks.
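The appendability argument in the abstract, as an added illustration that is not from the paper or from Stripwire: a toy Merkle-Damgård hash with a deliberately small 16-bit chaining state, so a pair of colliding blocks can be found by brute force in place of Wang's MD5 blocks. Once two equal-length, block-aligned prefixes reach the same internal state, any suffix appended to both collides as well. The compression function, block size and padding below are assumptions of this toy, not MD5's.

```python
import hashlib
import itertools

BLOCK = 4  # bytes per message block in the toy construction (assumption)


def compress(state: int, block: bytes) -> int:
    """Toy 16-bit compression function (constructed for illustration).
    Mixes the chaining state with one block via SHA-256 and truncates.
    The argument only needs a fixed-size chaining state; 16 bits just
    makes collisions cheap to find by a birthday search."""
    digest = hashlib.sha256(state.to_bytes(2, "big") + block).digest()
    return int.from_bytes(digest[:2], "big")


def pad(msg: bytes) -> bytes:
    """MD-strengthening style padding: 0x80, zeros, then a 2-byte length."""
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK:
        padded += b"\x00"
    return padded + (len(msg) % 65536).to_bytes(2, "big")


def toy_md(msg: bytes, iv: int = 0) -> int:
    """Merkle-Damgård iteration: the state after each block is the only
    thing carried forward, which is what makes suffixes appendable."""
    state = iv
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_colliding_blocks(iv: int = 0) -> tuple[bytes, bytes]:
    """Birthday search for two distinct single blocks that leave the same
    chaining value (stands in for Wang et al.'s colliding MD5 blocks)."""
    seen: dict[int, bytes] = {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK, "big")
        s = compress(iv, block)
        if s in seen and seen[s] != block:
            return seen[s], block
        seen[s] = block


def collision_survives_suffix(suffix: bytes) -> bool:
    """True if appending `suffix` to both colliding prefixes still collides."""
    a, b = find_colliding_blocks()
    return a != b and toy_md(a + suffix) == toy_md(b + suffix)
```

Because the padding block depends only on the total length, it is identical for both messages, so the equal state after the colliding block propagates through the suffix and the padding unchanged.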

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
dan @ doxpara com
History
2004-12-14: received
Short URL
https://ia.cr/2004/357
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2004/357,
      author = {Dan Kaminsky},
      title = {MD5 To Be Considered Harmful Someday},
      howpublished = {Cryptology ePrint Archive, Paper 2004/357},
      year = {2004},
      note = {\url{https://eprint.iacr.org/2004/357}},
      url = {https://eprint.iacr.org/2004/357}
}