-
December 2nd, 2007, 06:35 AM
#11
Junior Member
Originally Posted by oofki
Ive heard the same thing ildjarn but i think that was just a rumor i dont think it was confirmed. As far as Md5 it is a great algo but since rainbow tables were introduced it is not as secure. Same with any hash really rainbow tables can be made which can make the stored password useless if the hash is obtained.
Edit: I looked into that chinese thing and I think all they found is a way to produce md5 collisions which is not really a big deal any irreversible algo has collisions afaik..
Any hashing function that returns a fixed size string, will of course have collisions, finite amount of output, infinate amounts of input. It is the strength of the function that will make it difficult to find these collisions and to limit the number the best it can, however when you can start to predict these collisions it is safe to say the hash has been broken, go look at linux distro download sites, what do they use to validate a valid iso? md5, now that we can predict collisions we can theortically create 2 isos with the same hash, but very different data, lets say a logging method attached to the pam modules? It is also not just isos many applications use md5 to ensure the validity of their binaries, and what of tripwire, can we trust it anymore? While im sure a preimage attack is a long way off, as i said in my previous post, seeing a cell processor churn out 1.8 billion hashes a second, md5 is as good as broken(well in mine and many other security experts eyes).
-
December 2nd, 2007, 11:23 AM
#12
Hi
Good contribution, ildjarn. I haven't seen before that you mentioned
preimage attacks, but excellent that you did so now! Salting is a simple
and effective method to render rainbow tables useless - Rainbow tables
have no style anyway (except the storage method!)
Quite a while ago, we did discuss the compromise of MD5[1,2] and
SHA-1[3,4,5] on this site. There are references to the original articles,
and to papers of some PoC-like studies. It is all dated, of course.
I have to admit that I have not looked into it since a year, but:
Although the research papers are genuine and should to be taken
seriously, nothing spectacular happened the last 3 years (well, we
may ask the chinese or american government ) as far as I know.
I am happy to be corrected.
Cheers
P.s. As a side note: the references to antionline-articles in the
posts below are not usable anymore (since Jupitermedia changed
the 'layout' of this site a while ago).
[1] http://antionline.com/showthread.php?t=269146
[2] http://antionline.com/showthread.php?t=261884
[3] http://antionline.com/showthread.php?t=263481
[4] http://antionline.com/showthread.php?t=267248
[5] http://antionline.com/showthread.php?t=273285
Cheers
Last edited by sec_ware; December 2nd, 2007 at 11:34 AM.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
December 2nd, 2007, 11:56 AM
#13
P.s. As a side note: the references to antionline-articles in the
posts below are not usable anymore (since Jupitermedia changed
the 'layout' of this site a while ago).
Old cross-references don't work, external links have vanished and attachments disappeared. Also, polls don't attach to their original threads.
This was a problem of updating to a newer version of vBulletin from a very old bastardised version. The natural progression of updates had been broken and the new version uses a different indexing system.
It has absolutely nothing to do with the layout, just the underlying software.
-
December 2nd, 2007, 02:46 PM
#14
Junior Member
Originally Posted by sec_ware
Hi
Good contribution, ildjarn. I haven't seen before that you mentioned
preimage attacks, but excellent that you did so now! Salting is a simple
and effective method to render rainbow tables useless - Rainbow tables
have no style anyway (except the storage method!)
Eh some friends of mine put alot of effort into writing a super fast rainbow table some of the code in there was pretty fancy massive list of hashes, and amazing return speeds, but thats neither here or there.
As you and i both mentioned before salting helps greatly especially if you use per user salts rather than program/site wide salts, but still not 100%.
Originally Posted by sec_ware
Heh was going to link you to an article on sha-1 and when i opened my browser to grab the url i noticed this on the slashdot rss which is an article on what i was talking about before, using a new method that the same group researched on the origional prof. collision research.
http://www.win.tue.nl/hashclash/SoftIntCodeSign/
That article links to another article on sha-1 that is an interesting read, eh with the decressing costs of both processing power and storage, i honestly cant see why we cant step up to something like sha-256(i know the US government requires it for some applications dealing with sensitive data) microsoft is also pushing it for its use
http://www.eweek.com/article2/0,1759,1859751,00.asp
Despite a preimage attack on any of the above mentioned hashes. For digital signatures of binary, with the ability to generate collisions for md5, and with enough time(the amount of time is dropping) the same for sha-1. The nails are fairly secure in the coffin for these hashes.
-
December 4th, 2007, 09:31 PM
#15
if the cell cpus on a ps3 can put out 1.8 billion hashes a second how is that relative to say a 3 ghz dualcore?
Similar Threads
-
By encipher in forum Cryptography, Steganography, etc.
Replies: 0
Last Post: April 11th, 2007, 02:25 AM
-
By Overlord_77520 in forum Cryptography, Steganography, etc.
Replies: 2
Last Post: September 2nd, 2005, 11:59 PM
-
By BUDsmoker in forum Cryptography, Steganography, etc.
Replies: 4
Last Post: May 8th, 2005, 07:52 PM
-
By kruptos in forum The Security Tutorials Forum
Replies: 0
Last Post: January 29th, 2005, 01:01 AM
-
By nirvanainheaven in forum AntiOnline's General Chit Chat
Replies: 1
Last Post: March 24th, 2003, 04:51 AM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|