Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACYkhxjwW_gRbh-DP+CayrH8RynVxqE_rJouynAzAVfkdcQ6PQ@mail.gmail.com>
Date: Wed, 5 Nov 2014 16:03:44 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: is MD5 finally dead?

On 5 November 2014 15:45, Alex Gaynor <alex.gaynor@...il.com> wrote:
> As far as I can tell, HMAC doesn't actually require pre-image resistance,
> it requires that the compression function used by the has be a PRF -- or at
> least that's what the HMAC paper says. Are these two formulations
> equivalent?

HMAC fits in the unknown-prefix category when used correctly.

Not sure about general proofs, but the current collision attacks on MD5 won't
work without knowing the IHV ahead of time, and if you know the HMAC key
you don't need collisions.

>> In the case of an unknown-prefix, HMAC[1] or anything requiring a
>> preimage, it's
>> just hardening to use swap out MD5 (and SHA-1).
>>
>> [1] Unless you accidentally swap the key and data fields!

And to elaborate - if you swap the key and data fields, you can use a normal
md5 collision, then XOR against opad.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.