According to a report from security researcher Dan Kaminsky, the MD5
algorithm may be at risk. This means that
files, applications and programs supposedly authenticated and verified by MD5 could
potentially be compromised.
In a research paper titled, “MD5 To Be Considered Harmful Some Day,”
Kaminsky expanded on the theoretical work done by Chinese security
researchers Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu on “Collisions
for MD5 Hash Functions.” Kaminsky released a tool Stripwire to demonstrate some
of the attacks he describes.
A hash
outputs from a hash function. That situation may lead to an algorithm that is not
considered to be cryptographically secure and can be attacked. In August, French research
Antoine Joux presented an unpublished paper at the Crypto 2004 show similar to the
original Chinese research that Kaminsky expanded upon.
At the time
the disclosure prompted data storage giant EMC to allay its customers that the MD5
algorithm it uses is enhanced and buried in the platform and that it was virtually
unexploitable.
“Some people have said there’s no applied implications to Joux and Wang’s research,”
Kaminsky wrote. “They’re wrong; arbitrary payloads can be successfully integrated into
a hash collision.”
MD5 hashes are widely used today on countless file servers and P2P networks, as well as a
way to guarantee file integrity. According to Kaminsky, this makes them blind to any
signature embedded within MD5 collisions.
“This is an excellent vector for malicious developers to get unsafe code past a group
of auditors, perhaps to acquire a required third-party signature,” Kaminsky wrote.
“Alternatively, build tools themselves could be compromised to embed safe versions of
dangerous payloads in each build. At some later point, the embedded payload could be
safely ‘activated’ without the MD5 changing.”
Kaminsky also noted that Digital Signature systems are also potentially vulnerable, as
they usually do not sign the data itself but rather a hashed representation of the data.
Passwords are also often saved on *nix (UNIX/Linux) systems with MD5, though Kaminsky noted
that such passwords really aren’t at all vulnerable to the MD5 attack.
Despite the analysis and proofs proposed by Kaminsky, he does admit that the attacks
discovered are obscure.
“The attacks are not wildly practical, and in most cases exposure remains thankfully
limited for now,” Kaminsky wrote. “But the risks are real enough that responsible
engineers should take note. This is not merely an academic threat; systems designed
with MD5 now need to take far more care than they would if they were employing an unbroken
hashing algorithm, and the problems are only going to get worse.”
In 1991, MD4 was shown to have weaknesses, which its successor MD5 was supposed to
have corrected. As early as 1996 though, the first inklings of weakness in MD5 were
exposed by Hans Dobbertin who was same researcher that discovered the
weakness in MD4.
