Comments on: Why I Hate MD5 or: How I Learned to Start Worrying and Hate the Misconceptions http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/ My life unfolding and being told online - 1 byte of information at a time. Mon, 23 Apr 2012 12:36:00 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Miragi http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/comment-page-1/#comment-16310 Miragi Wed, 15 Jul 2009 00:46:57 +0000 http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/#comment-16310 MD5 isn't what it's all cracked up to be....IMHO MD5 isn't what it's all cracked up to be….IMHO

]]> By: Miragi http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/comment-page-1/#comment-16928 Miragi Wed, 15 Jul 2009 00:46:00 +0000 http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/#comment-16928 MD5 isn't what it's all cracked up to be....IMHO MD5 isn’t what it’s all cracked up to be….IMHO

]]> By: creeva http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/comment-page-1/#comment-17026 creeva Tue, 06 Jan 2009 01:01:00 +0000 http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/#comment-17026 btw the script I ended up writing with md5 did use some file metadata so yes you are write and it does take less then 2 minutes. btw the script I ended up writing with md5 did use some file metadata so yes you are write and it does take less then 2 minutes.

]]> By: creeva http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/comment-page-1/#comment-16133 creeva Tue, 06 Jan 2009 00:02:12 +0000 http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/#comment-16133 I was just pointing out the fallacy where some people take with MD5 - I'm well aware these days not to trust it too much . It has it's flaws and I know it is difficult to spoof - but MD5 collisions caused the new SSL vulnerability issue because people put trust in it and didn't think md5 collisions would be an issue at. It was considered good enough - if you find something you consider a problem raise awareness - in security "good enough" is never good enough - the bad guys always work past it. I was just pointing out the fallacy where some people take with MD5 – I'm well aware these days not to trust it too much . It has it's flaws and I know it is difficult to spoof – but MD5 collisions caused the new SSL vulnerability issue because people put trust in it and didn't think md5 collisions would be an issue at. It was considered good enough – if you find something you consider a problem raise awareness – in security “good enough” is never good enough – the bad guys always work past it.

]]> By: grin http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/comment-page-1/#comment-16128 grin Mon, 05 Jan 2009 23:09:46 +0000 http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/#comment-16128 It takes, say, 2 minutes to write a program which actually uses file metadata (name, creation and modification date, or even inode data [position on the disk]) for generating hashes, be it md5 (which in fact harder to spoof than you suggest) or some other algos (sha2 comes to mind). Takes half an hour if you want it a bit faster. :-)<br><br>But your problem is that you fail to know the goal of the method you use: it's for detecting changes in the files (or, actually, the falsification of the data) and not to have a hash unique to the (actually any random) file. Downloaders aren't intersted whether the file is called "kernel-latest.tar.bz2" or "linux-2.6.31rc2.tar.bz2" as long as it's the same.<br><br>Actual security tools (like tripwire, integrit, etc) use file metadata hashing as well, so they detect not just data or filename change, but moving the file or having it changed by any unknown means (which changes, say, inode numbers).<br><br>Use tools what they're for. Don't try to screw in a screw with a sledgehammer. ;-) It takes, say, 2 minutes to write a program which actually uses file metadata (name, creation and modification date, or even inode data [position on the disk]) for generating hashes, be it md5 (which in fact harder to spoof than you suggest) or some other algos (sha2 comes to mind). Takes half an hour if you want it a bit faster. :-)

But your problem is that you fail to know the goal of the method you use: it's for detecting changes in the files (or, actually, the falsification of the data) and not to have a hash unique to the (actually any random) file. Downloaders aren't intersted whether the file is called “kernel-latest.tar.bz2″ or “linux-2.6.31rc2.tar.bz2″ as long as it's the same.

Actual security tools (like tripwire, integrit, etc) use file metadata hashing as well, so they detect not just data or filename change, but moving the file or having it changed by any unknown means (which changes, say, inode numbers).

Use tools what they're for. Don't try to screw in a screw with a sledgehammer. ;-)

]]> By: creeva http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/comment-page-1/#comment-15939 creeva Sat, 06 Sep 2008 16:55:57 +0000 http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/#comment-15939 Well there was alot of people ignorant like me - so i thought the misconception title was best. But yes i hate the fact it ignores the file name Well there was alot of people ignorant like me – so i thought the misconception title was best. But yes i hate the fact it ignores the file name

]]> By: fung-li http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/comment-page-1/#comment-15937 fung-li Fri, 05 Sep 2008 10:05:29 +0000 http://creeva.com/2008/01/24/why-i-hate-md5-or-how-i-learned-to-start-worrying-and-hate-the-misconceptions/#comment-15937 there is a difference between md5 and the common practice to use only the contents of a file as input. i guess this is because the tool md5sum takes a filename as argument, which is like a shortcut of "cat file | md5sum". you could echo the filename and its contents and pipe it into md5sum, you would have it.<br><br>so the better title would be "why i hate the practice of only using file-contents as input for md5 hashes and not taking the filename itself into account" there is a difference between md5 and the common practice to use only the contents of a file as input. i guess this is because the tool md5sum takes a filename as argument, which is like a shortcut of “cat file | md5sum”. you could echo the filename and its contents and pipe it into md5sum, you would have it.

so the better title would be “why i hate the practice of only using file-contents as input for md5 hashes and not taking the filename itself into account”

]]>