MD5CRK project done in 48 hours!

[Unforgiven]

17 Aug 2004
A Collision in the full MD5 hash function was found by researchers in China.
Wang, Feng, Lai, and Yu published full collisions for:
MD4,
MD5,
HAVAL-128, and
RIPEMD-128 This represents on the the most substantial developments in cryptography in recent years.
Using their technique, an MD5 collision can be found in a matter or hours!!!

Here are the files you can use to verify their discovery: md5col.zip

Because of this monumental discovery, the MD5CRK project will be ending in the next 48 hours. Thank you to everyone for your help.

The entire MD5CRK database will be made available in the next 1-2 weeks. An email to the MD5CRK-Announce mailing list will be made when it is ready.

At the time of the annoucment the project was processing an average of:

3,824 Million MD5 transforms per second (MegaMD5/sec)
833,575,339,613 Floating point operations per second (FLOPS)
1,285,717,941,822 Instructions per second (IPS) The project ran for a little over 170 days.

 

[Coquito]

Now that's what I call progress.

 

[Wolfsraider]

Nice

Thank you

 

[brage]

Thanks for the info! Now there is a problem less out there... :thumbsup:

 

[BofRA]

Thanks for the info. Time to move on

 

[HayHauler]

:beer: for all involved!

Hay
C O N G R A T S ! ! ! ! !

 

[Assimilator1]

Cool!

Err ,can someone give me the quick version of what this project did?

 

[Wolfsraider]

password encryption


The aim of MD5CRK is to raise awareness in the IT industry that MD5 is not secure for many applications. We aim to disprove one of the fundamental requirements of a secure message digest: No two inputs can be found which produce the same digest - this is also known as a collision.

In cryptography, there can be no doubt in an algorithm's security. Demonstrating a counter-example to a required property in an algorithm effectively renders the algorithm insecure


from their site

now what it relates to

MD5 is an algorithm commonly used to verify the integrity of data on the internet. MD5 is a message digest or hash algorithm used to produce a fingerprint of a given piece of data. This fingerprint is often used to verify the integrity of programs, drivers, documents, passwords and digital signatures. It is vital to use a secure message digest when deploying such applications.


Examples of MD5 Digests
A very incomplete list of popular and banking websites which use the insecure MD5 algorithm to provide its customers with a secure and authentic connection:

CS Coop
PayPal
Fleet Bank
TDWaterhouse
Bank of America
Bank One
Chase Bank
City Bank
Fifth Third Bank
Huntington
JP Morgan
Washington Mutual
Wells Fargo
AM South
Nation Wide
Lloyds TSB
First Direct
Cabela
Apple
MoMA Online
Discovery Channel Store
ATI.com
Smithsonian Store
Macy's



Hop[e this helps
Mike

 

[CyGoR]

Time to move on for TAS

Thanks for the info!!

 

[amdxborg]

TA's almost in 10th!!! TAS is crunching like mad, and we should make it!!! :beer:

 

[Wolfsraider]

True

:beer:

2138 to go

Mike

 

[GLeeM]

In 10th place now!!

All credit must go to those who have crunched this project for a long time.

 

[amdxborg]

Indeed, credit should go to the long term MD5 crunchers!!! and to all the members of TAS as well! Congrats on a great 10th spot everybody! :beer:

 

[Wolfsraider]

Woot

 

[Unforgiven]

as a wise man once said..........

:beer: for you

 

[BofRA]

Congrats to all involved on a fine showing for the TeAm!!!!:beer:

 

[n0cmonkey]

Finished 48th.

In other news, SHA0 has also been broken, and SHA-1 might be a bit weaker because of it.

 

[n0cmonkey]

10 2 Team AnandTech 665 134,927 579,507 9,898
11 1 KaWo1 258 134,690 578,489 949

I didn't realize we had gotten so many users recently. Thanks, and congrats guys! :beer:

Now I wish I hadn't turned my machines off for the weekend. Oh well. Maybe SoB will get some more support, or my power bill will go down. :evil:

 

[Wolfsraider]

nOcmonkey

It was your efforts (and a few others) that inspired TAS to aid in your efforts as well as the others that could use a boost.

Thank you for the fun of joining you ...even if only for a short time

mike

 

[n0cmonkey]

Originally posted by: Wolfsraider
nOcmonkey

It was your efforts (and a few others) that inspired TAS to aid in your efforts as well as the others that could use a boost.

Thank you for the fun of joining you ...even if only for a short time

mike

The help was definitely appreciated. Someone could have let me know. I had been ignoring the stats for a while.

 

[Wolfsraider]

Sorry I assumed you had been informed we will be sure to nootify the next reciepients

thank you

Mike

 

[Assimilator1]

Thanks ,that gave me some idea anyway.
Though this didn't make any sense

message digest or hash algorithm used to produce a fingerprint of a given piece of data

 

[Wolfsraider]

Assimilator1,

A lot of programs use md5 so that when you sign in it reverts the name and/or password to a digital signature...like Michael becomes a3et6ed and it is harder to break than simply typing in the seen name


but a lot of banks and companies use this type of encryption to store credit card numbers etc... so md5crk set goals to prove it wasn't reliable enough and to raise awareness of the ease it could be broken (decoded) even using a 21 key (alpha numeric algorithm) , most only use a small number in the encryption process and by proving a 21 key was unsecure (should take much longer to crack)
they proved their point.

Will it change anything?
I hope so...credit card theft is a big problem all over the world and using unreliable means to secure it will only add to the problem

Mike

edit>
message digest or hash algorithm used to produce a fingerprint of a given piece of data

say you used

Michael D Draper

then

asc4s6j4mop09j5b

would be the fingerprint

 

[ViRGE]

Originally posted by: n0cmonkey
Finished 48th.

In other news, SHA0 has also been broken, and SHA-1 might be a bit weaker because of it.

It definitely should be interesting to see how this affects hashes. SHA-0 isn't such a big deal, since the NSA flat-out stated it had a flaw when release(hence their proposed fix resulting in SHA-1), but if SHA-1 is broken, we're in big trouble. Everything from key-exchange to BitTorrent uses SHA-1, there's a lot of evil things one could do.

 

[n0cmonkey]

Originally posted by: ViRGE

Originally posted by: n0cmonkey
Finished 48th.

In other news, SHA0 has also been broken, and SHA-1 might be a bit weaker because of it.

It definitely should be interesting to see how this affects hashes. SHA-0 isn't such a big deal, since the NSA flat-out stated it had a flaw when release(hence their proposed fix resulting in SHA-1), but if SHA-1 is broken, we're in big trouble. Everything from key-exchange to BitTorrent uses SHA-1, there's a lot of evil things one could do.

There's always SHA-256, but I'm not sure how much more processor intensive it is. Also, blowfish has a hashing algorithm. OpenBSD uses it for passwords by default.. Since twofish was developed by the same guy, maybe it also has uses in hashes.

Assimilator1:: To add to what Wolfsraider has already said, a hash is one way. You can convert your password to the hash to check its authenticity, but there should be no way to convert the hash to your password directly. md5 uses 128bit hashes, and it commonly used for passwords, authentication, and verification that files have not been tampered with. If a file is tampered with, the md5 of that file should change, but if collisions are easily obtainable, it might not be difficult to modify the file and have it show up with the same md5.