
I keep reading about MD5 being broken, busted, obsolete and never to be used. This makes me angry.

In fact, collision attacks on MD5 are now quite easy. Some people have reduced collision attacks to an art form, and we can even use them to predict elections.

I find most examples of MD5 being "broken" not that interesting. Even the famous CA certificate hack was a collision attack, which means it can be proven that the party generated both the GOOD and the EVIL certificate. This means that if the EVIL CA gets into the wild, it can be proven that it leaked from the person holding the good CA, and so it would be trusted anyway.

More worrying are preimage or second-preimage attacks.

How likely is a preimage attack on MD5? Is there any current research indicating that it is imminent? Does the fact that MD5 is vulnerable to collision attacks make it more vulnerable to preimage attacks?


3 Answers


In cryptography, recommendations are usually not made by predicting the future, since that is impossible. Rather, cryptographers try to evaluate what is known and has been published. To accommodate potential future attacks, cryptographic systems are usually designed with some safety margin. For example, encryption keys are commonly chosen to be a bit longer than strictly necessary. For the same reason, algorithms are avoided once weaknesses are found, even if those weaknesses are only certificational.

In particular, RSA Labs recommended abandoning MD5 for signatures as early as 1996, after Dobbertin found collisions in the compression function. Collisions in the compression function do not imply that collisions in the hash function exist, but we can't find collisions for MD5 unless we can find collisions for its compression function. Thus RSA Labs decided that they no longer had confidence in MD5's collision resistance.

Today, we are in a similar situation. If we are confident that a hash function is collision resistant, then we can also be confident that the hash function is preimage resistant. But MD5 has significant weaknesses. Hence many cryptographers (including people like Arjen Lenstra) think that MD5 no longer has the necessary safety margin to be used even in applications that only rely on preimage resistance, and hence recommend no longer using it. Cryptographers can't predict the future (so don't look for papers doing just that), but they can recommend reasonable precautions against potential attacks. Recommending not to use MD5 anymore is one such reasonable precaution.

Answered 2009-05-08T06:01:03.337

We don't know.

Such progress tends to come "suddenly": someone makes a theoretical breakthrough and finds a method that is 2^10 (or whatever) better than the previous best.

It looks like preimage attacks may still be some way off. A recent paper claims a preimage complexity of 2^96 on a 44-round reduced version of MD5. However, this is not a question of probability, but of whether someone is clever enough to take that last step and bring the complexity of the real thing to the edge of practicality.

That said, since collision attacks are already very real (one minute on a typical laptop), and preimage attacks may (or may not) be just around the corner, it is generally considered prudent to switch to something stronger now, before it is too late.

If collisions aren't a concern for you, you may have time to wait for the NIST SHA-3 competition to come up with something new. But if you have the processing power and the bits to spare, using SHA-256 or similar is probably a prudent precaution.

Answered 2009-05-05T00:01:14.413

Cryptographically speaking, MD5's preimage resistance is already broken; see this paper from Eurocrypt 2009. In this formal context "broken" means faster than brute-force attacks, i.e. attacks having a complexity of less than (2^128)/2 on average. Sasaki and Aoki presented an attack with a complexity of 2^123.4, which is by far only theoretical, but every practical attack is built on a less potent theoretical attack, so even a theoretical break casts serious doubts on its medium-term security. What is also interesting is that they reuse a lot of the research that has gone into collision attacks on MD5. That nicely illustrates Accipitridae's point that MD5's safety margin on preimage resistance is gone with the collision attacks.

Another reason why the use of MD5 was strongly discouraged for any application in 2009, and the use of SHA1 is now, is that most people do not understand which exact property the security of their use case relies on. You unfortunately proved my point in your question by stating that the 2008 CA attack did not rely on a failure of collision resistance, as caf has pointed out.

To elaborate a bit, every time a (trusted) CA signs a certificate, it also signs possibly malicious data that is coming from a customer in the form of a certificate signing request (CSR). Now in most cases all the data that is going to be signed can be pre-calculated from the CSR and some external conditions. This has the fatal side effect that the state the hash function will be in when it is going to hash the untrusted data coming out of the CSR is completely known to the attacker, which facilitates a collision attack. Thus an attacker can precompute a CSR that will force the CA to hash and sign data that has a collision with a shadow certificate known only to the attacker. The CA cannot check the preconditions of the shadow certificate that it would usually check before signing it (for example that the new certificate does not claim to be a root certificate), as it only has access to the legitimate CSR the attacker provided. Generally speaking, once you have collision attacks and part of your data is controlled by an attacker, then you no longer know what else you might be signing besides the data you see.

Answered 2014-03-13T20:33:36.250
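Two of the mechanics discussed in this thread can be seen on a small Merkle-Damgård hash: the generic gap between the cost of a collision and the cost of a preimage (Accipitridae's point about safety margins), and the way a collision found after a predictable, signer-controlled prefix survives any common suffix (the CSR scenario in the last answer). The following is an added example written for this page, not code from any of the answerers or from a real CA. Everything in it is constructed for illustration: the 8-byte block, the 16-to-32-bit chaining state, a truncated MD5 used only as a convenient mixer, the prefix `TBSCERT:` standing in for the predictable part of a to-be-signed certificate, and all function names.

```python
import hashlib
import itertools

BLOCK = 8        # toy block size in bytes (constructed; real MD5 uses 64)
STATE_BYTES = 4  # the toy chaining state fits in 32 bits


def compress(state: int, block: bytes, bits: int) -> int:
    """Toy compression function f(state, block) -> new `bits`-bit state.
    Truncated MD5 of (state || block) is used only as a mixer; the chaining
    structure, not MD5 itself, is what this example is about."""
    assert len(block) == BLOCK
    mixed = hashlib.md5(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(mixed, "big") >> (128 - bits)


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then a 4-byte bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK)
    return padded + (len(msg) * 8).to_bytes(4, "big")


def chain(state: int, data: bytes, bits: int) -> int:
    """Run whole blocks of `data` (a multiple of BLOCK) through the chain."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK], bits)
    return state


def toy_hash(msg: bytes, bits: int) -> int:
    """Full toy hash: pad, then chain from a fixed IV of 0."""
    return chain(0, pad(msg), bits)


def find_internal_collision(prefix: bytes, bits: int):
    """Birthday search for two different blocks that leave the chain in the
    same state after a known prefix. Expected cost ~2^(bits/2) compressions.
    The starting state is fully determined by the public prefix, which is
    exactly the 'state known to the attacker' situation from the CSR story."""
    start = chain(0, prefix, bits)
    seen = {}
    for i in itertools.count():
        block = i.to_bytes(BLOCK, "big")
        h = compress(start, block, bits)
        if h in seen:
            return seen[h], block, i + 1
        seen[h] = block


def find_preimage(target: int, bits: int):
    """Generic brute-force preimage search. Expected cost ~2^bits hash calls,
    i.e. the square of the collision cost for the same output size."""
    for i in itertools.count():
        msg = b"guess-%d" % i
        if toy_hash(msg, bits) == target:
            return msg, i + 1


def collision_extends(prefix: bytes, suffix: bytes, bits: int) -> bool:
    """An internal-state collision after a known prefix survives ANY common
    suffix: the two full messages hash identically although they differ in
    the block the attacker chose. The signer sees only one of them."""
    b1, b2, _ = find_internal_collision(prefix, bits)
    return b1 != b2 and toy_hash(prefix + b1 + suffix, bits) == toy_hash(prefix + b2 + suffix, bits)


if __name__ == "__main__":
    bits = 16
    prefix = b"TBSCERT:"  # constructed stand-in for the predictable, CA-controlled header
    suffix = b"; rest of the certificate body"
    _, _, c_tries = find_internal_collision(prefix, bits)
    target = toy_hash(b"some public document", bits)
    _, p_tries = find_preimage(target, bits)
    print(f"{bits}-bit toy hash: collision after {c_tries} tries (~2^{bits // 2} expected), "
          f"preimage after {p_tries} tries (~2^{bits} expected)")
    print("collision survives a common suffix:", collision_extends(prefix, suffix, bits))
```

Running it shows the collision search finishing in roughly the square root of the work the preimage search needs, which is the margin the first answer refers to. The last check is the defender's takeaway from the CSR discussion: what matters in a review is whether attacker-supplied bytes are hashed from a chaining state the attacker can compute in advance, because the signer's own view of the data says nothing about what else hashes to the same value.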