potential hazards of Protect-America act

Warren Kumari warren at kumari.net
Thu Jan 31 01:03:04 UTC 2008


Disclaimer: I'm sitting in a meeting that is making me grumpy and this  
is one of my pet-peeves...

I keep hearing people making the assertion that MD5 is "broken" --  
this is not completely true. Yes, there have been collisions found --  
yes, I can easily (and quickly) generate 2 inputs that generate the  
same output...

What is not trivial is for you to generate another input that will  
generate (eg): 0x56f39544ebca88f261f2087dab3d7e61 or, given  
0x56f39544ebca88f261f2087dab3d7e61 to figure out what input I provided.

There was a brief flurry of media attention around the time of  
Vlastimil's tunneling work saying "MD5 Broken!!!". Many people (not  
necessarily anyone on the list) just read the sensationalist headlines  
with no understanding as to what had been accomplished...

As with any tool, you need to understand the capabilities and  
limitations before using it.

Once again, this is one of those things that just pushes my buttons,  
sorry if I went off on a rant...

W

P.S: Yes thanks, I am feeling better now :-)

On Jan 29, 2008, at 7:35 PM, Frank Bulk wrote:

>
> I think I need to eat crow on the MD5 comment -- I was confused with SHA,
> which although has been attacked, is still holding up:
> http://www.schneier.com/blog/archives/2007/01/sha1_cracked.html
>
> Frank
>
> -----Original Message-----
> From: Steven M. Bellovin [mailto:smb at cs.columbia.edu]
> Sent: Tuesday, January 29, 2008 9:13 PM
> To: frnkblk at iname.com
> Cc: michael.dillon at bt.com; nanog at nanog.org
> Subject: Re: potential hazards of Protect-America act
>
> On Tue, 29 Jan 2008 20:28:05 -0600
> "Frank Bulk" <frnkblk at iname.com> wrote:
>
>>
>> Pretty good in the generalities, but there are few finer technical
>> points that could have been precisely and accurately stated.  One that
>> comes to mind was the MD5 reference, another was the "50% loss" when
>> talking about performing an optical split.
>>
> Speaking as one of the authors, we did our best.  (But what do you mean
> about MD5?  That was taken straight from the FOIAed FBI documents, and
> from conversations with people in law enforcement I'm quite certain
> that MD5 is still used -- inappropriately! -- in sensitive places.)
>
>
>                --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
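
Added example, not part of the original message or thread: the difference between finding any two colliding inputs and finding an input for one fixed digest, measured on MD5 truncated to 20 bits. The truncation, the BITS value, the function names and the sample input are assumptions made here so that both searches finish in about a second.

```python
import hashlib
from itertools import count

BITS = 20  # assumption: keep only 20 bits of MD5 so the slow search still finishes


def h(msg: bytes) -> int:
    """Top BITS bits of MD5(msg), as an integer (toy hash built for this demo)."""
    digest = hashlib.md5(msg).digest()
    return int.from_bytes(digest, "big") >> (128 - BITS)


def find_collision():
    """Birthday search: ANY two distinct inputs with the same output.

    The searcher is free to pick both inputs, so about 2**(BITS/2)
    hashes are expected before some earlier output repeats.
    """
    seen = {}
    for i in count():
        m = b"c%d" % i
        tag = h(m)
        if tag in seen:
            return seen[tag], m, i + 1
        seen[tag] = m


def find_second_preimage(target_msg: bytes):
    """Fixed-target search: an input whose output equals ONE given value.

    The output is chosen by someone else, so about 2**BITS hashes
    are expected: the square of the collision cost.
    """
    target = h(target_msg)
    for i in count():
        m = b"p%d" % i
        if m != target_msg and h(m) == target:
            return m, i + 1


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision after {n_coll} hashes: {a!r} / {b!r} -> {h(a):#x}")
    m, n_pre = find_second_preimage(b"constructed sample input")
    print(f"second preimage after {n_pre} hashes: {m!r} -> {h(m):#x}")
    print(f"generic cost at 128 bits: 2**64 (collision) vs 2**128 (fixed target)")
```

The birthday bound applies to any hash of that output size; the published collision attacks on full MD5 are faster than that bound, while the fixed-target search is the problem the message describes as not trivial.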



