[3858] in cryptography@c2.net mail archive
Re: MD5
daemon@ATHENA.MIT.EDU (Eric Murray)
Sat Dec 26 13:29:18 1998
Date: Sat, 26 Dec 1998 10:16:36 -0800
From: Eric Murray <ericm@lne.com>
To: Ben Laurie <ben@algroup.co.uk>
Cc: Eric Murray <ericm@lne.com>, Andrew Maslar <amaslar@home.com>,
Cryptography List <cryptography@c2.net>
In-Reply-To: <36851EA9.8DE5CAE@algroup.co.uk>; from Ben Laurie on Sat, Dec 26, 1998 at 05:36:42PM +0000
On Sat, Dec 26, 1998 at 05:36:42PM +0000, Ben Laurie wrote:
> Eric Murray wrote:
> >
> > On Fri, Dec 25, 1998 at 11:37:03AM -0500, Andrew Maslar wrote:
> > > Hello all.
> > >
> > > I'm new to the list; hope I can be helpful some day.
> > > But first a question:
> > >
> > > I'm toying around with various protocols for key exchange, and I wonder,
> > > if an attacker intercepted the result of the following operation:
> > >
> > > md5(x) + md5(x + y + z)
> > >
> > > (the +'s mean concatenation)
> > >
> > > and the attacker already knew:
> > >
> > > 1. the nature of the operation
> > > 2. x
> > > 3. z
> > >
> > > Could s/he compute y?
> >
> > You really want to ask "how hard would it be for an attacker
> > to compute y?". It's always possible, it's just a question
> > of being practical (or more properly, cost-effective for
> > the attacker).
>
> Surely in the case of MD5 (or any other hash) the question is "how hard
> would it be for an attacker to compute a value that gives the same
> result as y?". Of course, y is one candidate, but generally there are an
> infinity of them, right?
Right.
The way I read Andrew's question, y is a secret to be used in the
key exchange. So, while it's easier to compute, a y' which isn't y
but produces the same hash as y would not result in a listener
being able to discover the secret.
However, generating a hash collision might allow another attack, such
as MITM.
--
Eric Murray N*Able Technologies www.nabletech.com
(email: ericm at the sites lne.com or nabletech.com) PGP keyid:E03F65E5
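An added illustration of the distinction drawn in this thread (not code from the message or its authors): the value md5(x) + md5(x + y + z) is built exactly as Andrew described, and a brute-force search then finds a y' that is not y but gives the same tag. To make that search feasible the tag is truncated to a couple of bytes; with full MD5 the same search would be infeasible. The byte strings for x, y and z, the truncation length and all function names are constructed here for the demonstration.

```python
import hashlib
import itertools

# Constructed sample values: x and z are the public parts, y is the secret.
X = b"client-nonce"
Z = b"server-nonce"
Y = b"\x07\x2a"

def exchange_value(x: bytes, y: bytes, z: bytes) -> bytes:
    """The value from the thread: md5(x) || md5(x || y || z) ('+' = concatenation)."""
    return hashlib.md5(x).digest() + hashlib.md5(x + y + z).digest()

def truncated_tag(x: bytes, y: bytes, z: bytes, nbytes: int) -> bytes:
    """Only the second half depends on y. Truncating it to nbytes stands in for
    a weak hash so that a second preimage can actually be found on a laptop."""
    return hashlib.md5(x + y + z).digest()[:nbytes]

def find_other_y(x: bytes, z: bytes, target: bytes, nbytes: int,
                 secret: bytes, max_len: int = 3):
    """Search (as the listener would, knowing x and z) for some y' != secret
    whose truncated tag equals target. Returns None if nothing is found."""
    for length in range(1, max_len + 1):
        for cand in itertools.product(range(256), repeat=length):
            yprime = bytes(cand)
            if yprime != secret and truncated_tag(x, yprime, z, nbytes) == target:
                return yprime
    return None

def demo(nbytes: int = 2):
    """Returns (y', recovered_secret?, full_values_equal?). The point of the thread:
    a matching y' exists (one of Ben's 'infinity' of candidates) but it is not the
    secret, and it does not even reproduce the untruncated exchange value."""
    target = truncated_tag(X, Y, Z, nbytes)
    yprime = find_other_y(X, Z, target, nbytes, Y)
    recovered = (yprime == Y)
    same_full = (exchange_value(X, yprime, Z) == exchange_value(X, Y, Z))
    return yprime, recovered, same_full

if __name__ == "__main__":
    yp, rec, same = demo()
    print("y' found:", yp.hex(), "| equals secret y:", rec, "| full values equal:", same)
```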