Hashing of usernames in syslog
David T. Ashley
dtashley at esrg.org
Mon Sep 30 19:02:36 UTC 2002
> -----Original Message-----
> From: inn-workers-bounce at isc.org [mailto:inn-workers-bounce at isc.org]On
> Behalf Of Forrest J. Cavalier III
> Sent: Monday, September 30, 2002 9:26 AM
> To: inn-workers at isc.org
> Cc: forrest at mibsoftware.com
> Subject: RE: Hashing of usernames in syslog
> > I want to see papers
> > which point out vulnerabilities in MD5.
>
> Seems like you didn't even try to look. The google.com search terms
> you want are
> md5 Hans Dobbertin
>
> You could have arrived at that yourself by searching
> md5 broken
>
> (You seem to know more about encryption and security than
> I do, so I'd be interested in knowing what you thought
> of the paper.)
Hi Forrest,
The information on the web, using the search terms you suggested, seems to
be difficult to evaluate. I did review what Hr. Hans Dobbertin had written.
The trouble is that the attack Hr. Dobbertin mounted is an attack on a
modified MD5. What he was able to do is a warning sign about MD5, but still
nobody seems to have a concrete procedure out there for violating the
executive summary of MD5.
Specifically, nobody seems to be able to mount the following attack:
a) Given an MD5 message digest,
b) Find a message which has this same message digest in less than on average
2^{127} operations, OR
c) Glean some useful information about the message (identify some constraints
on the message based on its MD5 or place the message in a set which is
substantially smaller than the number of random bit patterns).
So, the things I've found are "warning signs" of weakness and not actual
practical attacks.
I can't evaluate the significance.
If there were a practical attack, the significance would be clear. However,
it isn't easy to extrapolate an attack on a modified version.
Well, all I can say is that using SHSH1 (did I spell that right?) seems more
secure, since no warning signs have been found. No smoke. No fire.
Best regards, Dave.