Dobbertin's 1996 collision demonstration is another good reason not to use md5, but is obviously hasn't gotten the open source community or Apple to stop. Whether my attack will be any more successful in effecting change remains to be seen. Publishing SHA1 hashes in parallel with md5 seems like such an inexpensive thing to do, but one should never underestimate cryptographic inertia. For the record, I first published my attack on Perry Metzger's cryptography list in February, 2002.

Arnold Reinhold

At 5:56 PM -0400 4/4/04, Don Davis wrote:
hi, mr. reinhold --

there's stronger reason than the ones you cite,
to distrust md5 as a message-digest.  see these
old sci.crypt threads, and the google-search below,
for discussions of hans dobbertin's 1996 crack
of md5:

btw, in a phone conversation, dobbertin emphasized
to me that his attack only works when md5 is used
as a message-digest; it doesn't work when md5 is
used with a key to prepare a MAC.  he also mentioned
that while sha-1 may be vulnerable to an attack of
a similar style (because sha-1 is similar in struc-
ture to md5), he himself was forbiddden by german
law to work to cryptanalyze sha-1, because he worked
at that time for the german federal security service,
and so wasn't allowed to attack the USG's standard
ciphers.  now he's at ruhr university (in bochum),
but i don't know whether he's more of a free agent.

- don davis, boston

 From: "Arnold G. Reinhold" <[EMAIL PROTECTED]>
 Subject: [Mac_crypto] Apple should use SHA! (or stronger) to authenticate
 List-Id: Macintosh Cryptography <>
 List-Archive: <>
 Date: Sun, 4 Apr 2004 06:17:55 -0500

 The cryptographic hash function MD5 has long been used to
 authenticate software packages, particularly in the Linux/Unix/open
 source community. This has carried over to Apple's OS-X. The MD5 hash
 of an entire package is calculated and its value is transmitted
 separately from the package. Users who download the package compute
 the hash of the copy they received and match that value against the

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to