Date: Wed, 5 Nov 2014 08:09:00 +0300
From: Solar Designer <>
Subject: Re: is MD5 finally dead?

On Tue, Nov 04, 2014 at 09:21:49PM -0700, Kurt Seifried wrote:
> It seems like MD5 should probably be classed with DES as instant CVE
> win, either now, or pretty soon....

Depends on use case, like before.

Surely there are uses of both MD5 and DES where the choice of these
primitives is not a vulnerability.  For example, md5crypt is not
affected by MD5 collisions.  (It's EOL'ed by the author for other
reasons, though.)  Similarly, the use of DES in BSDI/FreeSec extended
crypt() is not a vulnerability (its 64-bit hash space is a bit too
small, etc., but that's another matter).  And 3DES is still OK.

For yet another example, while HMAC-MD5 shouldn't be used for new
designs, there's no known realistic attack on it yet:

New Proofs for NMAC and HMAC: Security without Collision-Resistance
(Cryptology ePrint Archive)
"  Therefore, it may not be urgent to remove HMAC-MD5 from the existing
   protocols.  However, since MD5 must not be used for digital
   signatures, for a new protocol design, a ciphersuite with HMAC-MD5
   should not be included."

Curious comments by Thomas Pornin and Dmitry Khovratovich on whether
e.g. MD5's compression function may be a PRF or not (and thus whether
the HMAC proof fully applies or not) despite its insufficient
collision resistance:

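The point made above about HMAC-MD5 is easier to see with the construction written out. The following is an added example, not code from the original message or from the cited paper: it builds HMAC-MD5 from the plain MD5 primitive exactly as RFC 2104 specifies (key padded to the 64-byte block, XORed with the ipad and opad constants, inner and outer hashes), checks the result against Python's hmac module and two of the RFC 2202 test vectors, and shows why a public MD5 collision does not carry over. Every call to MD5 starts with a full block derived from the secret key, so the message is compressed from a chaining value the attacker does not know; the known MD5 collision attacks need that chaining value as an input. The function and variable names are my own.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 compresses 512-bit (64-byte) blocks; HMAC keys are padded to one block
IPAD = 0x36      # inner pad byte from RFC 2104
OPAD = 0x5C      # outer pad byte from RFC 2104


def _padded_key(key: bytes) -> bytes:
    """RFC 2104 key handling: hash keys longer than a block, zero-pad shorter ones."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()
    return key.ljust(BLOCK_SIZE, b"\x00")


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 = MD5((K ^ opad) || MD5((K ^ ipad) || msg))."""
    k = _padded_key(key)
    inner_block = bytes(b ^ IPAD for b in k)   # first block of the inner hash: secret
    outer_block = bytes(b ^ OPAD for b in k)   # first block of the outer hash: secret
    inner_digest = hashlib.md5(inner_block + msg).digest()
    return hashlib.md5(outer_block + inner_digest).digest()


def inner_hash_input(key: bytes, msg: bytes) -> bytes:
    """The exact byte string the inner MD5 runs over.

    Its first 64 bytes are (K ^ ipad), so MD5 has already absorbed one
    secret block before the first byte of msg is processed.  An MD5
    collision pair computed against the standard IV, the situation the
    paper calls 'without collision resistance', does not collide here
    unless it also collides from that unknown chaining value.
    """
    return bytes(b ^ IPAD for b in _padded_key(key)) + msg


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built HMAC against hmac.new(key, msg, 'md5')."""
    reference = hmac.new(key, msg, hashlib.md5).digest()
    return hmac.compare_digest(hmac_md5(key, msg), reference)


# RFC 2202 test vectors for HMAC-MD5 (test cases 1 and 2).
RFC2202_VECTORS = [
    (b"\x0b" * 16, b"Hi There", "9294727a3638bb1c13f48ef8158bfc9d"),
    (b"Jefe", b"what do ya want for nothing?", "750c783e6ab0b503eaa86e310a5db738"),
]


def rfc2202_vectors_pass() -> bool:
    """True if every embedded RFC 2202 vector matches hmac_md5()."""
    return all(hmac_md5(k, m).hex() == d for k, m, d in RFC2202_VECTORS)


if __name__ == "__main__":
    for key, msg, digest in RFC2202_VECTORS:
        print(f"{msg!r}: {hmac_md5(key, msg).hex()} (expected {digest})")
    print("stdlib agrees on long key:", matches_stdlib(b"\xaa" * 80, b"key longer than block"))
```

The inner_hash_input() helper is only there to make the structural argument concrete: everything MD5 sees after the first 64 bytes is hashed from a key-dependent state, which is what the HMAC proof relies on in place of collision resistance of the underlying hash.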
