[DBWG] MD5 Algorithm

Michel ODOU michel.odou at afrinic.net
Tue Mar 5 05:46:04 UTC 2019


On Fri, 1 Mar 2019 07:49:13 -0800
COMPSUDEV Cameroon <compsudev at gmail.com> wrote:

> The *MD5 algorithm* is a widely used hash function producing a
> 128-bit hash value. Although MD5 was initially designed to be used as
> a cryptographic hash function, it has been found to suffer from
> extensive vulnerabilities. It can still be used as a checksum to
> verify data integrity, but only against unintentional corruption. It
> remains suitable for other non-cryptographic purposes, for example
> for determining the partition for a particular key in a partitioned
> database.
> 
> One basic requirement of any cryptographic hash function is that it
> should be computationally infeasible to find two distinct messages
> which hash to the same value. MD5 fails this requirement
> catastrophically; such collisions can be found in seconds on an
> ordinary home computer. The weaknesses of MD5 have been exploited in
> the field, most infamously by the Flame malware in 2012. The CMU
> Software Engineering Institute considers MD5 essentially
> "cryptographically broken and unsuitable for further use".
> 
> MD5 processes a variable-length message into a fixed-length output of
> 128 bits. The input message is broken up into chunks of 512-bit
> blocks (sixteen 32-bit words); the message is padded so that its
> length is divisible by 512. The padding works as follows: first a
> single bit, 1, is appended to the end of the message. This is
> followed by as many zeros as are required to bring the length of the
> message up to 64 bits fewer than a multiple of 512. The remaining
> bits are filled up with 64 bits representing the length of the
> original message, modulo 2^64.
> 
> The security of the MD5 hash function is severely compromised. A
> collision attack exists that can find collisions within seconds on a
> computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1).
> Further, there is also a chosen-prefix collision attack that can
> produce a collision for two inputs with specified prefixes within
> hours, using off-the-shelf computing hardware (complexity 2^39). The
> ability to find collisions has been greatly aided by the use of
> off-the-shelf GPUs. On an NVIDIA GeForce 8400GS graphics processor,
> 16–18 million hashes per second can be computed. An NVIDIA GeForce
> 8800 Ultra can calculate more than 200 million hashes per second.
> These hash and collision attacks have been demonstrated in the public
> in various situations, including colliding document files and digital
> certificates. As of 2015, MD5 was demonstrated to be still quite
> widely used, most notably by security research and antivirus
> companies.
> 

Hello,

Thank you for the information.

Please note that a proposal was made in November 2016 [1] to deprecate
old password hashing methods in AFRINIC WHOIS. This was later put into
production [2] and as of September 2017, we have deprecated MD5 and
CRYPT passwords.

Weak authentication methods (MD5-PW and CRYPT-PW) can still be used to
authenticate maintainers but the only way to add or update a
maintainer's password is to use BCRYPT-PW.

You will find more information about this as well as a bcrypt
password hash utility on the AFRINIC website [3].

Regards,
Michel

[1] https://lists.afrinic.net/pipermail/dbwg/2016-November/000005.html
[2] https://lists.afrinic.net/pipermail/dbwg/2017-August/000029.html
[3] https://afrinic.net/whois/utilities

