Disclaimer: I'm sitting in a meeting that is making me grumpy and this is one of my pet peeves...

I keep hearing people making the assertion that MD5 is "broken" -- this is not completely true. Yes, there have been collisions found -- yes, I can easily (and quickly) generate 2 inputs that generate the same output... What is not trivial is for you to generate another input that will generate (e.g.): 0x56f39544ebca88f261f2087dab3d7e61 or, given 0x56f39544ebca88f261f2087dab3d7e61, to figure out what input I provided.

There was a brief flurry of media attention around the time of Vlastimil's tunneling work saying "MD5 Broken!!!". Many people (not necessarily anyone on the list) just read the sensationalist headlines with no understanding as to what had been accomplished...

As with any tool, you need to understand the capabilities and limitations before using it.

Once again, this is one of those things that just pushes my buttons, sorry if I went off on a rant...

W

P.S: Yes thanks, I am feeling better now :-)

On Jan 29, 2008, at 7:35 PM, Frank Bulk wrote:
I think I need to eat crow on the MD5 comment -- I was confused with SHA, which, although it has been attacked, is still holding up: http://www.schneier.com/blog/archives/2007/01/sha1_cracked.html
Frank
-----Original Message-----
From: Steven M. Bellovin [mailto:smb@cs.columbia.edu]
Sent: Tuesday, January 29, 2008 9:13 PM
To: frnkblk@iname.com
Cc: michael.dillon@bt.com; nanog@nanog.org
Subject: Re: potential hazards of Protect-America act
On Tue, 29 Jan 2008 20:28:05 -0600 "Frank Bulk" <frnkblk@iname.com> wrote:
Pretty good in the generalities, but there are few finer technical points that could have been precisely and accurately stated. One that comes to mind was the MD5 reference, another was the "50% loss" when talking about performing an optical split.
Speaking as one of the authors, we did our best. (But what do you mean about MD5? That was taken straight from the FOIAed FBI documents, and from conversations with people in law enforcement I'm quite certain that MD5 is still used -- inappropriately! -- in sensitive places.)
--Steve Bellovin, http://www.cs.columbia.edu/~smb