So, is the MD5 weakness a real world problem or not?

Standard

My last posting – made in a hurry while I was waiting for a large SCP transfer to complete – has generated more traffic than anything else in the last month: possibly because it was mildly topical and largely because it was retweeted by John Rentoul, one of the UK’s leading political commentators and all-round good egg.

Maybe I was being a bit naive with it – because I took what the New Scientist said the US Department of Homeland Security said about the MD5 hashing algorithm – in short, it is completely broken and should not be used – and LulzSec’s claim to have cracked the Sun’s MD5 based password system and drew what I thought was the obvious conclusion – that an MD5 crack was in some way related to LulzSec’s attack on the Sun’s website on last Monday night.

But at least one person who ought to know more about this than me – forensic investigator Jonathan Krause – has taken issue with it and indeed with the whole idea that MD5 is a major security risk:

https://twitter.com/#!/JonathanKrause/status/95176137835163648

https://twitter.com/#!/JonathanKrause/status/95176336959733760

https://twitter.com/#!/JonathanKrause/status/95193690808655872

I have to admit I find this all a bit puzzling, as the web is full of stories like “brute force algorithm can crack 1.5 million MD5 hashes per second” and so on, as well as even some sites that allow you to look up previously brute forced hashes. (Of course 1.5 million per second is not a lot in a key space of 2^{128}.)

Yet on the other hand I can also find no concrete example (the disputed LulzSec crack at the Sun excepted) where someone is claiming to have made a practical use of an MD5 crack.

2 thoughts on “So, is the MD5 weakness a real world problem or not?

  1. Pingback: A further thought on MD5 | cartesian product

  2. I haven’t read the full New Scientist article. It’s behind their paywall and subscribing just now generated “Your order will be processed as soon as possible by our sales team.” Lame. But…

    I’m guessing what happened here involved rainbow tables. Reversing an MD5 hash is computationally intensive, but the computation can be done in advance. A rainbow table is simple a list of pre-computed hashes. If you can get the hashed password, you can just look it up in the rainbow table.

    It is my understanding that rainbow tables containing the MD5 hashes for every possible password of six or fewer characters can be found online easily enough, and there are websites that provide reverse-hash lookups as a service.

    If you search for “rainbow table md5 download” and “rainbow table md5 lookup” you’ll find all sorts of stuff.

Comments are closed.