Does any published research indicate that preimage attacks on MD5 are imminent?


Question



I keep on reading on SO that MD5 is broken, bust, obsolete and never to be used. That angers me.

The fact is that collision attacks on MD5 are now fairly easy. Some people have collision attacks down to an art and can even use them to predict elections.

I find most of the examples of MD5 "brokenness" less interesting. Even the famous CA certificate hack was a collision attack, meaning that it's provable that the party generated the GOOD and EVIL certificates at the same time. This means that if the EVIL CA found its way into the wild, it is provable that it leaked from the person who had the good CA and thus was trusted anyway.

What would be a lot more concerning is a preimage or second preimage attack.

How likely is a preimage attack on MD5? Is there any current research to indicate that it is imminent? Does the fact that MD5 is vulnerable to collision attacks make it more likely to suffer a preimage attack?

Answer

In cryptography, recommendations are not generally made by predicting the future, as this is impossible to do. Rather, cryptographers try to evaluate what is already known and published. To adjust for potential future attacks, cryptosystems are generally designed so that there is some safety margin. E.g. cryptographic keys are generally chosen a little bit longer than absolutely necessary. For the same reason, algorithms are avoided once weaknesses are found, even if these weaknesses are just certificational.

In particular, RSA Labs recommended abandoning MD5 for signatures already in 1996, after Dobbertin found collisions in the compression function. Collisions in the compression function do not imply that collisions in the hash function exist, but we can't find collisions for MD5 unless we can find collisions for its compression function. Thus RSA Labs decided that they no longer had confidence in MD5's collision resistance.

Today, we are in a similar situation. If we are confident that a hash function is collision resistant, then we can also be confident that the hash function is preimage resistant. But MD5 has significant weaknesses. Hence many cryptographers (including people like Arjen Lenstra) think that MD5 no longer has the necessary safety margin to be used even in applications that only rely on preimage resistance, and hence recommend no longer using it. Cryptographers can't predict the future (so don't look for papers doing just that), but they can recommend reasonable precautions against potential attacks. Recommending not to use MD5 anymore is one such reasonable precaution.
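The question and answer both turn on the gap between a collision attack (the attacker builds both the GOOD and the EVIL document and only needs any pair that hashes alike) and a second-preimage attack (someone else has already published the GOOD document, and the attacker must match that fixed hash). The following is an added example, not code from the question or the answer above, and it does not implement any real attack on MD5: it truncates MD5 to a small number of bits (an assumption chosen so that brute force finishes in seconds) so the two searches can be run side by side. The collision search has the attacker generate both candidate documents and stops at the first repeated hash; the second-preimage search fixes a target document first and then looks for a different message with the same truncated hash. The function and variable names are my own.

```python
import hashlib

# Assumption: truncate MD5 to this many leading bits so brute force is fast.
# This is a toy model of "a hash with a small security margin", not real MD5.
BITS = 18


def truncated_md5(data: bytes, bits: int = BITS) -> int:
    """Return the first `bits` bits of MD5(data) as an integer."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def candidate(prefix: bytes, i: int) -> bytes:
    """Deterministic i-th candidate document; the counter stands in for the
    attacker varying harmless fields (serial number, comment, padding)."""
    return prefix + str(i).encode()


def find_collision(prefix: bytes = b"cert-", bits: int = BITS):
    """Birthday-style collision search.

    The attacker controls BOTH messages and needs only some pair with the
    same truncated hash.  Expected work is about 2**(bits/2) hash calls.
    Returns (message_a, message_b, attempts).
    """
    seen = {}  # truncated hash -> first message seen with it
    i = 0
    while True:
        m = candidate(prefix, i)
        d = truncated_md5(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
        i += 1


def find_second_preimage(target: bytes, prefix: bytes = b"evil-", bits: int = BITS):
    """Second-preimage search.

    The target was fixed by someone else (a document already trusted), so
    the attacker must hit one specific truncated hash.  Expected work is
    about 2**bits hash calls, the square of the collision cost.
    Returns (forged_message, attempts).
    """
    wanted = truncated_md5(target, bits)
    i = 0
    while True:
        m = candidate(prefix, i)
        if m != target and truncated_md5(m, bits) == wanted:
            return m, i + 1
        i += 1


def same_full_md5(a: bytes, b: bytes) -> bool:
    """True only if the two inputs agree on the full 128-bit MD5."""
    return hashlib.md5(a).digest() == hashlib.md5(b).digest()


if __name__ == "__main__":
    good, evil, n_coll = find_collision()
    print(f"collision after {n_coll} hashes: {good!r} / {evil!r}")

    # Constructed sample target: a document someone else already signed.
    trusted = b"GOOD certificate issued earlier by a trusted CA"
    forged, n_pre = find_second_preimage(trusted)
    print(f"second preimage after {n_pre} hashes: {forged!r}")
    print(f"ratio preimage/collision work: {n_pre / n_coll:.0f}x")
```

Running it shows the collision found after on the order of 2**9 hashes and the second preimage after on the order of 2**18, which is the structural reason collision attacks on a hash are "fairly easy" long before preimage attacks are: the birthday bound halves the exponent. The pairs found here differ on the full 128-bit MD5, so nothing about real MD5 is broken by this code; what it illustrates is why the answer treats loss of collision resistance as a warning about the remaining safety margin rather than as direct evidence of a preimage attack.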
