Algorithm Usage
MD5 Message Digest, used in PEM (Privacy Enhanced Mail)

Description

Created by Ron Rivest, MD5 is an improved version of MD4. Like MD4 it is a 128-bit one-way hash. MD5 has no known attacks against the full hash, although collisions have been produced for the compression function within MD5. This latter problem leads Schneier to recommend against its use.

MD5 is probably weaker than SHA-1. For hashing a program or a long piece of text, MD5 is theoretically weaker, but exploiting that weakness is likely to be computationally infeasible.
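To make the distinction between the full hash and its compression function concrete, here is a plain-Python MD5 written as an added example (it is not code from this page or from Schneier's book). It follows the RFC 1321 construction: the message is padded and split into 512-bit blocks, and a 128-bit state is fed through the compression function once per block. The compression function is exposed as its own function so the reader can see exactly which component the known collisions target. The helper matches_hashlib cross-checks the result against Python's hashlib.

```python
import hashlib
import math
import struct

# Per-round left-rotation amounts and additive constants from RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
INITIAL_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK32 = 0xFFFFFFFF


def _rotl(x, c):
    """Rotate a 32-bit word left by c bits."""
    return ((x << c) | (x >> (32 - c))) & MASK32


def md5_compress(state, block):
    """One application of the MD5 compression function.

    state: 4-tuple of 32-bit words; block: exactly 64 bytes.
    Returns the new 4-word state. Collisions in *this* function (two
    different blocks mapping one state to the same output) are what the
    Description refers to; a collision here also collides the full hash
    if both messages share the same prefix and suffix.
    """
    if len(block) != 64:
        raise ValueError("MD5 compression function takes a 64-byte block")
    a0, b0, c0, d0 = state
    M = struct.unpack("<16I", block)  # 16 little-endian 32-bit words
    A, B, C, D = a0, b0, c0, d0
    for i in range(64):
        if i < 16:
            F, g = (B & C) | (~B & D), i
        elif i < 32:
            F, g = (D & B) | (~D & C), (5 * i + 1) % 16
        elif i < 48:
            F, g = B ^ C ^ D, (3 * i + 5) % 16
        else:
            F, g = C ^ (B | ~D), (7 * i) % 16
        F = (F + A + K[i] + M[g]) & MASK32
        A, D, C, B = D, C, B, (B + _rotl(F, S[i])) & MASK32
    # Davies-Meyer style feed-forward: add the input state back in.
    return tuple((x + y) & MASK32 for x, y in zip((a0, b0, c0, d0), (A, B, C, D)))


def md5_digest(msg: bytes) -> bytes:
    """Full MD5: pad the message, then iterate the compression function."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    pad_len = (56 - (len(msg) + 1) % 64) % 64
    padded = msg + b"\x80" + b"\x00" * pad_len + struct.pack("<Q", bit_len)
    state = INITIAL_STATE
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def md5_hex(msg: bytes) -> str:
    """Hex-encoded 128-bit MD5 digest (32 hex characters)."""
    return md5_digest(msg).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()


if __name__ == "__main__":
    # Constructed sample inputs; the first two are RFC 1321 test vectors.
    for sample in (b"", b"abc", b"a" * 1000):
        print(md5_hex(sample), matches_hashlib(sample))
```

The feed-forward at the end of md5_compress is the reason a collision found for the compression function alone does not automatically give a collision for arbitrary messages: the attacker needs both colliding blocks to start from the same chaining state, which is why the early results were reported for the compression function rather than for the full hash.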

References

Applied Cryptography, 2nd edition (1996), Bruce Schneier.

See Also

SHA-1, MD4 and MD5.

Notes

This section is a loose collection of related notes gathered after this page was completed.

As Hans Dobbertin's recent works have shown, the quasi-standard MD5 checksum has weaknesses (for more info, see Hashes).
There is a chance that a malicious attacker can create two files with the same MD5 hash, if he can create both files. If this really becomes true, this creates some interesting threat models for software.
For example, the attacker could create two versions of a program, one correct one and a second one with a back door. He could give the correct version to an expert, who would verify the program and its MD5 checksum (or PGP-sign it, since PGP uses MD5). Then, the attacker hands out the back door version of the program, together with the expert's PGP signature.
Consequences? Yet another reason to distrust code signing. Don't use MD5 for it. SHA-1 and RIPEMD-160, which have been designed with this kind of attack in mind, probably are better choices at the moment, but nobody knows tomorrow's research results...
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet
More on collisions
From: Geoffrey Leeming <geoffrey@jcp.co.uk>
Subject: Re: MD5 weakness and possible consequences (Re: RISKS-19.14)
Thomas Koenig is correct about the weakness in MD5, but recent postings in sci.crypt mention that he might be incorrect in the possible consequences. The weakness essentially allows an attacker to create two files that would have the same MD5 checksum, under very stringent conditions. However, the chances of finding two executable, meaningful pieces of code that would have the same checksum are so low that it can be considered computationally infeasible to do so.
A more plausible consequence is that two cryptographic keys are created that have the same MD5 checksum. Then any digital certificate for one key would be valid for the second as well.


Last updated on Jul 21, 1997 by Tony.
