MD5 是否不如 SHA 等安全?阿尔.在实际意义上? [英] Is MD5 less secure than SHA et. al. in a practical sense?
问题描述
我见过 a
I've seen a few questions and answers on SO suggesting that MD5 is less secure than something like SHA.
我的问题是,在我的情况下这值得担心吗?
这是我如何使用它的示例:
Here's an example of how I'm using it:
- 在客户端,我通过附加当前时间和密码,然后使用 MD5 对其进行散列来为消息提供安全"校验和.所以:
MD5(message+time+password). - 在服务器端,我使用我对消息发送时间和客户端密码的了解,对照所发送的消息检查该哈希值.
在这个例子中,我真的最好使用 SHA 而不是 MD5 吗?
在什么情况下散列函数的选择真正在实际意义上很重要?
In what circumstances would the choice of hashing function really matter in a practical sense?
只是为了澄清 - 在我的例子中,迁移到 SHA 算法有什么好处吗?
Just to clarify - in my example, is there any benefit moving to an SHA algorithm?
换句话说,在这个例子中,某人在不知道共享密码的情况下发送消息和正确的哈希值是否可行?
In other words, is it feasible in this example for someone to send a message and a correct hash without knowing the shared password?
更多修改:
为重复编辑道歉 - 我不清楚我在问什么.
Apologies for repeated editing - I wasn't being clear with what I was asking.
推荐答案
是的,在实践中值得担心.MD5 被严重破坏,以至于研究人员已经能够伪造伪造证书匹配由证书颁发机构签署的真实证书.这意味着他们能够创建自己的虚假证书颁发机构,从而可以在浏览器完全信任他们的情况下冒充他们喜欢的任何银行或企业.
Yes, it is worth worrying about in practice. MD5 is so badly broken that researchers have been able to forge fake certificates that matched a real certificate signed by a certificate authority. This meant that they were able to create their own fake certificate authority, and thus could impersonate any bank or business they felt like with browsers completely trusting them.
现在,他们使用一组 PlayStation 3 花费了大量时间和精力,并花费了数周时间来找到合适的碰撞.但是一旦被破坏,哈希算法只会变得更糟,永远不会更好.如果您完全关心安全性,最好选择一个完整的哈希算法,例如 之一SHA-2 家族(SHA-1 也被削弱了,虽然没有像 MD5 那样严重).
Now, this took them a lot of time and effort using a cluster of PlayStation 3s, and several weeks to find an appropriate collision. But once broken, a hash algorithm only gets worse, never better. If you care at all about security, it would be better to choose an unbroken hash algorithm, such as one of the SHA-2 family (SHA-1 has also been weakened, though not broken as badly as MD5 is).
编辑:我提供给您的链接中使用的技术涉及能够选择两个任意消息前缀和一个公共后缀,从中它可以为每个前缀生成一个数据块,可以插入在该前缀和公共后缀之间,以生成与从另一个前缀构造的消息具有相同 MD5 和的消息.我想不出在您描述的情况下可以利用此特定漏洞的方法,并且一般来说,使用 消息身份验证 比将其用于数字签名更能抵抗攻击,但我可以想到一些您需要注意的漏洞,这些漏洞大多与您选择的哈希无关.
edit: The technique used in the link that I provided you involved being able to choose two arbitrary message prefixes and a common suffix, from which it could generate for each prefix a block of data that could be inserted between that prefix and the common suffix, to produce a message with the same MD5 sum as the message constructed from the other prefix. I cannot think of a way in which this particular vulnerability could be exploited in the situation you describe, and in general, using a secure has for message authentication is more resistant to attack than using it for digital signatures, but I can think of a few vulnerabilities you need to watch out for, which are mostly independent of the hash you choose.
如上所述,您的算法涉及将密码以纯文本形式存储在服务器上.这意味着您很容易受到任何能够在服务器上发现密码的信息泄露攻击.您可能认为,如果攻击者可以访问您的数据库,那么游戏就开始了,但即使您的服务器遭到入侵,您的用户也可能希望他们的密码不被入侵.由于在线密码的激增,许多用户跨服务使用相同或相似的密码.此外,即使在代码执行或权限提升攻击不存在的情况下,信息泄露攻击也是可能的.
As described, your algorithm involves storing the password in plain text on the server. This means that you are vulnerable to any information disclosure attacks that may be able to discover passwords on the server. You may think that if an attacker can access your database then the game is up, but your users would probably prefer if even if your server is compromised, that their passwords not be. Because of the proliferation of passwords online, many users use the same or similar passwords across services. Furthermore, information disclosure attacks may be possible even in cases when code execution or privilege escalation attacks are not.
您可以通过将密码存储在用随机盐散列的服务器上来减轻这种攻击;您将 hash(password+salt)code> 用于代替您提到的协议中的密码.然而,这并不能保护您免受下一次攻击.
You can mitigate this attack by storing the password on your server hashed with a random salt; you store the pair <salt,hash(password+salt)> on the server, and send the salt to the client so that it can compute hash(password+salt) to use in place of the password in the protocol you mention. This does not protect you from the next attack, however.
如果攻击者可以嗅探从客户端发送的消息,他就可以对客户端的密码进行离线字典攻击.大多数用户的密码具有相当低的熵,而一个包含数十万个现有密码的字典加上一些时间随机排列它们可以让攻击者根据嗅探消息获得的信息轻松找到密码.
If an attacker can sniff a message sent from the client, he can do an offline dictionary attack against the client's password. Most users have passwords with fairly low entropy, and a good dictionary of a few hundred thousand existing passwords plus some time randomly permuting them could make finding a password given the information an attacker has from sniffing a message pretty easy.
您提出的技术不会对服务器进行身份验证.我不知道这是否是您在谈论的网络应用程序,但如果是,那么可以在不安全的无线网络上执行 DNS 劫持攻击或 DHCP 劫持或任何类型的人都可以做一种中间人攻击,他们从您的客户处以明文形式收集密码.
The technique you propose does not authenticate the server. I don't know if this is a web app that you are talking about, but if it is, then someone who can perform a DNS hijack attack, or DHCP hijacking on an unsecure wireless network, or anything of the sort, can just do a man-in-the-middle attack in which they collect passwords in clear text from your clients.
虽然目前针对 MD5 的攻击可能不适用于您描述的协议,但 MD5 已被严重破坏,哈希值只会变弱,永远不会变强.您是否想打赌您会发现可能对您使用的新攻击,并且在您的攻击者有机会利用它之前有时间升级哈希算法?从目前比 MD5 更强大的东西开始可能会更容易,以减少您不得不处理 MD5 被进一步破坏的机会.
While the current attack against MD5 may not work against the protocol you describe, MD5 has been severely compromised, and a hash will only ever get weaker, never stronger. Do you want to bet that you will find out about new attacks that could be used against you and will have time to upgrade hash algorithms before your attackers have a chance to exploit it? It would probably be easier to start with something that is currently stronger than MD5, to reduce your chances of having to deal with MD5 being broken further.
现在,如果您这样做只是为了确保没有人在论坛或其他地方伪造来自其他用户的消息,那么当然,任何人都不太可能花时间和精力来破坏您描述的协议.如果有人真的想冒充其他人,他们可能只需要创建一个新的用户名,用 0 代替 O 或使用 Unicode 甚至更相似的东西,甚至不必费心尝试伪造消息和破坏哈希算法.
Now, if you're just doing this to make sure no one forges a message from another user on a forum or something, then sure, it's unlikely that anyone will put the time and effort in to break the protocol that you described. If someone really wanted to impersonate someone else, they could probably just create a new user name that has a 0 in place of a O or something even more similar using Unicode, and not even bother with trying to forge message and break hash algorithms.
如果这是用于安全性真正重要的事情,那么不要发明自己的身份验证系统.只需使用 TLS/SSL.密码学的基本规则之一是不要自己发明.然后,即使在论坛的情况下,它可能并不那么重要,使用现成的东西比使用自己的东西更容易吗?
If this is being used for something where the security really matters, then don't invent your own authentication system. Just use TLS/SSL. One of the fundamental rules of cryptography is not to invent your own. And then even for the case of the forum where it probably doesn't matter all that much, won't it be easier to just use something that's proven off the shelf than rolling your own?
这篇关于MD5 是否不如 SHA 等安全?阿尔.在实际意义上?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
