On 2019-02-12 17:02:25 -0500 (-0500), Wes Turner wrote:
On Tuesday, February 12, 2019, Wes Turner <wes.turner@gmail.com> wrote: [...]
It is possible to find a nonce value that causes an arbitrary package to have the same MD5 hash as the actual package.
e.g. browsers MUST NOT rely upon MD5 for x.509 certificate SSL/TLS/HTTPS fingerprints for exactly this reason. [...]
I fear we're verging far into armchair crypto here, but you're either making buzzword soup or have a severely flawed understanding of the algorithms involved. There is no nonce in an IETF RFC 1321 (colloquially "MD5 checksum") implementation, so please at least attempt to frame your assertions using terms found in the canonical literature. Creating a malicious package which computes to the same MD5 checksum as an existing package of your choice would require that the second preimage resistance of the MD5 algorithm is broken, or that you got (time complexity 2^128) "lucky." Uses of MD5 elsewhere which mix in attacker-controlled inputs to generate the reference output are another story entirely, but as with any of the information security field the actual risk depends on your threat model.

I'm not about to recommend MD5 to anyone these days, don't get me wrong. There are (at least marginally, again depending on your threat model) better alternatives which require no additional effort if you're designing a system from scratch. But let's not mischaracterize the qualities of any algorithm, as it makes it difficult for someone who does understand the differences to take us seriously.

-- Jeremy Stanley
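The distinction the reply draws (second preimage at roughly 2^128 work versus a birthday-style collision at roughly 2^64) can be made concrete on a truncated hash. The following is an added example, not code from the thread or from any project named in it: it truncates MD5 to a constructed 16-bit width so both brute-force searches finish quickly, counts trials for each, and includes a reference-digest check that defaults to SHA-256 as the "no additional effort" alternative. All parameter names, the truncation width and the sample package bytes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import random

# Constructed parameter: a 16-bit truncation keeps the brute-force searches in the
# millisecond range; the shape of the result is what matters, not the absolute count.
TRUNC_BITS = 16


def trunc_md5(data: bytes, bits: int = TRUNC_BITS) -> int:
    """Top `bits` bits of MD5(data) as an integer (a toy stand-in for a full digest)."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def second_preimage_trials(target: bytes, bits: int = TRUNC_BITS, seed: int = 0) -> int:
    """Random search for a *different* message with the same truncated hash as `target`.

    Expected cost is about 2**bits trials: each candidate is an independent
    1-in-2**bits shot at one fixed value (the 2**128 "lucky" figure in the thread).
    """
    want = trunc_md5(target, bits)
    rng = random.Random(seed)
    trials = 0
    while True:
        trials += 1
        candidate = rng.getrandbits(64).to_bytes(8, "big")
        if candidate != target and trunc_md5(candidate, bits) == want:
            return trials


def collision_trials(bits: int = TRUNC_BITS, seed: int = 0) -> int:
    """Birthday search: random messages until *any* two share a truncated hash.

    Expected cost is only about 2**(bits/2) trials (2**64 for real MD5), because
    every new message is compared against everything seen so far, not one target.
    """
    seen = {}
    rng = random.Random(seed)
    trials = 0
    while True:
        trials += 1
        msg = rng.getrandbits(64).to_bytes(8, "big")
        h = trunc_md5(msg, bits)
        if h in seen and seen[h] != msg:
            return trials
        seen[h] = msg


def average_costs(bits: int = TRUNC_BITS, runs: int = 3) -> tuple:
    """Mean trial counts (collision, second preimage) over `runs` seeded searches."""
    target = b"constructed-package-v1.0.tar.gz"  # constructed stand-in for a real artifact
    coll = sum(collision_trials(bits, seed) for seed in range(runs)) / runs
    spi = sum(second_preimage_trials(target, bits, seed) for seed in range(runs)) / runs
    return coll, spi


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data` under any hashlib algorithm name."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Check a downloaded artifact against a reference digest obtained out of band.

    Defaults to SHA-256, the kind of drop-in alternative the reply refers to. The
    reference digest must come from a source the attacker cannot write to (for
    example a signed release manifest); otherwise the algorithm choice is moot.
    """
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex.lower())


if __name__ == "__main__":
    coll, spi = average_costs()
    print(f"{TRUNC_BITS}-bit truncated MD5: collision ~{coll:.0f} trials, "
          f"second preimage ~{spi:.0f} trials (2**{TRUNC_BITS} = {2**TRUNC_BITS})")
    blob = b"constructed package contents"  # constructed sample artifact
    print("sha256 verify:", verify_digest(blob, digest_hex(blob)))
```

Run as a script, the collision search settles near the birthday bound (a few hundred trials for 16 bits) while the second-preimage search needs on the order of 2^16, which is the gap that separates "MD5 collisions are practical" from "an arbitrary package can be made to match a given MD5 sum".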