MD5 and SHA cracked/broken...

Tim Churches tchur at
Sun Sep 12 00:41:27 CEST 2004

On Sun, 2004-09-12 at 02:59, Magnus Lie Hetland wrote:
> Basically, at Crypto 2004 preliminary papers were presented that
> pointed out weaknesses in MD5, SHA-0 and SHA-1. As far as I can tell,
> MD5 is broken and SHA-1 seems to be in a precarious position (even
> though I don't know the details at all).

IANAC, but it is important to keep in mind that only one aspect of MD-5
and a weakened version of SHA were "broken": collision resistance. My
understanding is that the other important qualities of a cryptographic
has function, preimage resistance and 2nd preimage resistance, were not

Collision resistance is how difficult it is to find two input values
which produce the same has value. Weakened collision resistance
undermines digital signatures (at least in theory - practical attacks
may still be difficult).

Preimage resistance measures the difficulty of finding an input which
results in a particular hash value. You don't know the original input.
Poor preimage resistance undermines the security of hashed passwords and
similar uses.

2nd preimage resistance is the difficulty of finding an input which
hashes to the same value that some other given input hashes to. Like
preimage resistance but you do know the other input value. How is this
different to collision resistance? Collision resistance is the
difficulty of finding ANY two inputs which hash to the same but
arbitrary output value, whereas preimage resistance and 2nd preimage
resistance are about finding input values which hash to a PARTICULAR
output value. Clearly that's much harder, and the recently reported work
didn't address that issue, I think. 


Tim C

PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere
or at
Key fingerprint = 8C22 BF76 33BA B3B5 1D5B  EB37 7891 46A9 EAF9 93D0

More information about the Python-list mailing list