From: Bastian Schmick (schmick_at_nue.et-inf.uni-siegen.de)
Date: Tue Jul 09 2002 - 08:59:56 CDT
Hi!
--On Tuesday, July 9, 2002 15:37 +0200 Peer Stefan <stefan.peer_at_tiwag.at> wrote:
> [...]
>> p.s. : there exists an attack against md5, but i can't describe
>> details at the moment, i ask my prof.
>
> i really want to know more about this attack. please ask your professor
> and post the details ;-)
I forgot to post this to the list:
---------- Forwarded Message ----------
Date: Tuesday, July 9, 2002 15:50 +0200
From: Bastian Schmick <schmick_at_nue.et-inf.uni-siegen.de>
To: Christian Röpke <christian.roepke_at_directbox.com>
Subject: Re: [suse-security] Password Encryption
Hi!
--On Tuesday, July 9, 2002 15:14 +0200 Christian Röpke <christian.roepke_at_directbox.com> wrote:
> [...]
> p.s. : there exists an attack against md5, but i can't describe details at the
> moment, i ask my prof.
In 1996 a German researcher found a way to produce "collisions" in the
compression function of MD5 (in about 10 hours on a 100 MHz Pentium I), but
IIRC could not extend this attack to the full algorithm. Details are here:
<http://www.rsasecurity.com/rsalabs/faq/3-6-6.html>
<ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf>
<http://www.informatik.uni-mannheim.de/informatik/pi4/projects/Crypto/rgp/md5/dobbertin.ps>
This is a serious academic weakness of the algorithm, but surely nothing to
worry about in practical applications. Attackers who have the required
resources for this kind of attack will certainly be able to find completely
different ways to compromise the security of your Linux box.
By the way: The same goes for DES. There has been no practical attack
against the structure of the cipher. It is simply outdated, because
a) it is very slow in software and
b) its key size is far too small to protect against brute force attacks
with today's computing power (I guess that's what you meant by "attack").
Still, you need a considerable amount of computation to break DES and
attackers might just as well find different ways to break into your system.
Hope this helps.
Greetings,
Bastian.
---------- End Forwarded Message ----------