MD5 Flaw Threatens File IntegrityMarch 8, 2008 – 3:49 PM
According to a report from security researcher Dan Kaminsky, the MD5 cryptographic algorithm may be at risk. This means that files, applications and programs supposedly authenticated and verified by MD5 could potentially be compromised.
In a research paper titled, “MD5 To Be Considered Harmful Some Day,” Kaminsky expanded on the theoretical work done by Chinese security researchers Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu on “Collisions for MD5 Hash Functions.” Kaminsky released a tool Stripwire to demonstrate some of the attacks he describes.
A hash collision essentially means that you could have two identical outputs from a hash function. That situation may lead to an algorithm that is not considered to be cryptographically secure and can be attacked. In August, French research Antoine Joux presented an unpublished paper at the Crypto 2004 show similar to the original Chinese research that Kaminsky expanded upon.
At the time the disclosure prompted data storage giant EMC to allay its customers that the MD5 algorithm it uses is enhanced and buried in the platform and that it was virtually unexploitable.
“Some people have said there’s no applied implications to Joux and Wang’s research,” Kaminsky wrote. “They’re wrong; arbitrary payloads can be successfully integrated into a hash collision.”
MD5 hashes are widely used today on countless file servers and P2P networks, as well as a way to guarantee file integrity. According to Kaminsky, this makes them blind to any signature embedded within MD5 collisions.
“This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third-party signature,” Kaminsky wrote. “Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely ‘activated’ without the MD5 changing.”
Kaminsky also noted that Digital Signature systems are also potentially vulnerable, as they usually do not sign the data itself but rather a hashed representation of the data. Passwords are also often saved on *nix (UNIX/Linux) systems with MD5, though Kaminsky noted that such passwords really aren’t at all vulnerable to the MD5 attack.
Despite the analysis and proofs proposed by Kaminsky, he does admit that the attacks discovered are obscure.
“The attacks are not wildly practical, and in most cases exposure remains thankfully limited for now,” Kaminsky wrote. “But the risks are real enough that responsible engineers should take note. This is not merely an academic threat; systems designed with MD5 now need to take far more care than they would if they were employing an unbroken hashing algorithm, and the problems are only going to get worse.”
In 1991, MD4 was shown to have weaknesses, which its successor MD5 was supposed to have corrected. As early as 1996 though, the first inklings of weakness in MD5 were exposed by Hans Dobbertin who was same researcher that discovered the weakness in MD4.