Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

MD5 COLLISIONS: REAL PROBLEM OR RED HERRING?

January 9, 2009

Among the computer forensics crowd, or those who follow the field, the subject of MD5 collisions always brings folks to a fever pitch, with some insisting that these collisions are a real problem and others saying, basically, "pish posh."

John is pretty much in the "pish posh" camp, at least until there is a real world example of an MD5 collision that isn't artificially engineered.

One of our friends, an EDD consultant but not a computer forensics technologist, wrote to alert us to a brouhaha on the litsupport listserv about whether these MD5 collisions are something to worry about in the real world.

So, here is John's two cents:

"Yes, I have been following the discussion on the litsupport list . . . it is entertaining to see the theoretical bantering! Granted there have been some thoughtful responses, but I think most folks are missing the practical point.

Nobody is disputing that the MD5 collision is possible or that SSL certificate validation can be compromised. These things were demonstrated and documented years ago. Here's the main question: Is it possible to have two different (and actually usable) files containing different contents with the same MD5 hash value? My response is that anything is possible given enough time and money. But is it probable? I say no. Even those that have demonstrated the "vulnerability" call it a proof of concept."

Might things evolve one day to the point where we have to take another look at this? Sure. But for now, consider that it is possible for you to buy lottery tickets in all the states that offer them (through your many minions of course) and to win every one of those lotteries in a single week. Possible yes. Probable? If I thought it were even remotely possible, I'd be marshaling my minions right now!

For the moment, John and I concur that MD5 collisions make for lively conversation, but you're not likely to see one in the wild anytime soon.

Phone: 703-359-0700

http://twitter.com/sharonnelsonesq