MD5的安全性不及SHA等。人。在实际意义上？ [英] Is MD5 less secure than SHA et. al. in a practical sense?

问题描述

我见过 a 少数 问题和>答案，这表明MD5的安全性比SHA差。

我的问题是， 这在我的情况下值得担心吗？

以下是我如何使用它的示例：

1. 在客户端，我通过附加当前时间和密码为消息提供安全校验和，然后使用MD5对其进行散列处理。所以： MD5（message + time + password）。


2. 在服务器端，我正在检查这个散列，发送使用我的知识，它的时间和客户的密码。
   

在这个例子中，我真的更好使用SHA而不是MD5？

在实际意义上，哈希函数的选择真的很重要吗？

编辑：

澄清 - ，移动到SHA算法有什么好处吗？

换句话说，在这个例子中，有人发送消息和正确的哈希是可行的无需知道共享密码？

更多编辑： 重复编辑的道歉 - 我不清楚我在问什么。

是的，值得担心的是实践。 MD5非常糟糕，以至于研究人员已经能够伪造与之相匹配的假证书证书颁发机构签署的真实证书。这意味着他们能够创建自己的假证书授权机构，从而可以通过完全信任他们的浏览器模拟任何他们感兴趣的银行或业务。

现在，他们花费了大量的时间和精力使用一系列PlayStation 3，并花了几个星期才找到适当的碰撞。但是一旦破碎，散列算法只会变得更糟，从来没有更好。如果你关心安全性，最好选择一个完整的散列算法，比如 SHA -2家族（SHA-1也被削弱，尽管没有像MD5那样严重破坏）。

编辑：在我提供的链接中使用的技术可以选择两个任意的消息前缀和一个公共后缀，从中可以为每个前缀生成一个可以在该前缀和公共后缀之间插入的数据块，以生成与从其他前缀构造的消息具有相同MD5和的消息。我无法想象在你描述的情况下这种特殊的漏洞可以被利用的方式，并且一般来说，使用一个安全的漏洞可以用于消息身份验证比用于数字签名更具抗攻击性，但我可以考虑一些需要注意的漏洞，这些漏洞大多独立于您选择的散列。

1. 如上所述，您的算法涉及在服务器上以纯文本格式存储密码。这意味着您很容易受到任何可能能够发现服务器密码的信息泄露攻击。你可能会认为，如果攻击者可以访问你的数据库，那么游戏就结束了，但是如果你的服务器被攻陷，你的用户可能会更喜欢他们的密码。由于在线密码的激增，许多用户在服务中使用相同或类似的密码。此外，即使在代码执行或特权升级攻击不成功的情况下，信息泄露攻击也是可能的。您可以通过将服务器上的密码存储到散列表中来缓解此攻击随机盐;您将服务器上的< salt，hash（密码+盐）> 对存储并将salt发送到客户端，以便它可以计算散列（密码+盐）来代替您提到的协议中的密码。然而，这并不能保护你免受下一次攻击。

如果攻击者可以嗅探客户端发送的消息，他可以对其进行离线字典攻击客户的密码。大多数用户的密码熵相当低，并且一个好几十万个现有密码的字典以及随机排列的一些时间字典可以使得找到一个密码，因为攻击者通过嗅探信息很容易找到密码。
li>


2. 您建议的技术不验证服务器。我不知道这是否是一个您正在讨论的Web应用程序，但如果是这样，那么可以执行DNS劫持攻击或在不安全的无线网络上进行DHCP劫持的任何人或其他任何人都可以一个中间人攻击，他们以明文形式从您的客户那里收集密码。

当前针对MD5的攻击可能不适用于你所描述的协议，MD5已经受到严重影响，散列只会变得更弱，从来没有更强。你想打赌你会发现新的攻击可能会被用来对付你，并且有时间在你的攻击者有机会利用它之前升级哈希算法？从现在比MD5更强的东西开始，可能会更容易，以减少处理MD5被进一步破坏的可能性。


现在，如果您只是这样做以确保没有人伪造来自论坛上的其他用户的消息或其他内容，那么肯定的是，任何人都不会花时间和精力来打破你描述的协议。如果有人真的想冒充别人，他们可能只是创建一个新的用户名，其中有一个0代替O或者更类似于使用Unicode的用户名，甚至不会试图伪造消息和破坏哈希算法。 / p>



如果这被用于安全真正重要的事情，那么不要发明自己的认证系统。只需使用 TLS / SSL 。密码学的基本规则之一是不要发明自己的。然后，即使对于论坛而言，它可能并不重要，使用现成的产品比自己的产品更容易吗？




I've seen a few questions and answers on SO suggesting that MD5 is less secure than something like SHA.

My question is, Is this worth worrying about in my situation?

Here's an example of how I'm using it:

1. On the client side, I'm providing a "secure" checksum for a message by appending the current time and a password and then hashing it using MD5. So: MD5(message+time+password).
2. On the server side, I'm checking this hash against the message that's sent using my knowledge of the time it was sent and the client's password.

In this example, am I really better off using SHA instead of MD5?

In what circumstances would the choice of hashing function really matter in a practical sense?

Edit:

Just to clarify - in my example, is there any benefit moving to an SHA algorithm?

In other words, is it feasible in this example for someone to send a message and a correct hash without knowing the shared password?

More Edits:

Apologies for repeated editing - I wasn't being clear with what I was asking.

解决方案

Yes, it is worth worrying about in practice. MD5 is so badly broken that researchers have been able to forge fake certificates that matched a real certificate signed by a certificate authority. This meant that they were able to create their own fake certificate authority, and thus could impersonate any bank or business they felt like with browsers completely trusting them.

Now, this took them a lot of time and effort using a cluster of PlayStation 3s, and several weeks to find an appropriate collision. But once broken, a hash algorithm only gets worse, never better. If you care at all about security, it would be better to choose an unbroken hash algorithm, such as one of the SHA-2 family (SHA-1 has also been weakened, though not broken as badly as MD5 is).

edit: The technique used in the link that I provided you involved being able to choose two arbitrary message prefixes and a common suffix, from which it could generate for each prefix a block of data that could be inserted between that prefix and the common suffix, to produce a message with the same MD5 sum as the message constructed from the other prefix. I cannot think of a way in which this particular vulnerability could be exploited in the situation you describe, and in general, using a secure has for message authentication is more resistant to attack than using it for digital signatures, but I can think of a few vulnerabilities you need to watch out for, which are mostly independent of the hash you choose.

1. As described, your algorithm involves storing the password in plain text on the server. This means that you are vulnerable to any information disclosure attacks that may be able to discover passwords on the server. You may think that if an attacker can access your database then the game is up, but your users would probably prefer if even if your server is compromised, that their passwords not be. Because of the proliferation of passwords online, many users use the same or similar passwords across services. Furthermore, information disclosure attacks may be possible even in cases when code execution or privilege escalation attacks are not.

   You can mitigate this attack by storing the password on your server hashed with a random salt; you store the pair <salt,hash(password+salt)> on the server, and send the salt to the client so that it can compute hash(password+salt) to use in place of the password in the protocol you mention. This does not protect you from the next attack, however.

2. If an attacker can sniff a message sent from the client, he can do an offline dictionary attack against the client's password. Most users have passwords with fairly low entropy, and a good dictionary of a few hundred thousand existing passwords plus some time randomly permuting them could make finding a password given the information an attacker has from sniffing a message pretty easy.

3. The technique you propose does not authenticate the server. I don't know if this is a web app that you are talking about, but if it is, then someone who can perform a DNS hijack attack, or DHCP hijacking on an unsecure wireless network, or anything of the sort, can just do a man-in-the-middle attack in which they collect passwords in clear text from your clients.

4. While the current attack against MD5 may not work against the protocol you describe, MD5 has been severely compromised, and a hash will only ever get weaker, never stronger. Do you want to bet that you will find out about new attacks that could be used against you and will have time to upgrade hash algorithms before your attackers have a chance to exploit it? It would probably be easier to start with something that is currently stronger than MD5, to reduce your chances of having to deal with MD5 being broken further.

Now, if you're just doing this to make sure no one forges a message from another user on a forum or something, then sure, it's unlikely that anyone will put the time and effort in to break the protocol that you described. If someone really wanted to impersonate someone else, they could probably just create a new user name that has a 0 in place of a O or something even more similar using Unicode, and not even bother with trying to forge message and break hash algorithms.

If this is being used for something where the security really matters, then don't invent your own authentication system. Just use TLS/SSL. One of the fundamental rules of cryptography is not to invent your own. And then even for the case of the forum where it probably doesn't matter all that much, won't it be easier to just use something that's proven off the shelf than rolling your own?

这篇关于MD5的安全性不及SHA等。人。在实际意义上？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！