Rick Welykochy
Sun Jan 28 10:01:16 AEDT 2007

The MD5 sum is a digest of a chunk of digital data, such as a file, that
supposedly uniquely identifies the file, i.e. like a checksum. If you
receive a copy of a file and its calculated MD5 does not match the
published MD5, you can be sure the file has been tampered with.

We have known for a while now that the MD5 digest is insecure, i.e. it
is now possible to make changes to a file such that its MD5 matches
a desired (bogus) MD5.

I ran across this site today:


As they say, it's "in the wild". The web page provides a service to
crack MD5 digests. Sigh.

I mention this because practically all software we download is
cross-checked and vetted against its MD5 digest, and nothing more
secure. This implies that updates from Winders, downloads of
FOSS etc. etc. could easily be compromised if the desire to do so
is there. And it is probably only a matter of time before a
jacked/hacked but secure-looking version of software product XYZ is
released on the 'Net.

The suggested replacement digest is SHA-1, but there are worries that
it too is insecure and will be cracked soon. SHA-256 and -512 look like
the way to go in the future.
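
Added example, not part of the original post: a download check that follows the message's advice by accepting only SHA-256 or SHA-512 published digests and refusing MD5- or SHA-1-length ones. The "HEXDIGEST  filename" line layout, the file name release.tar.gz and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import io

# Hex digest length -> algorithm accepted for that length. MD5 (32 chars) and
# SHA-1 (40 chars) are deliberately absent, so published lines using them fail.
ALLOWED = {64: "sha256", 128: "sha512"}

# Constructed sample: the well-known SHA-256 test vector for b"abc", laid out
# as "HEXDIGEST  filename" (the sha256sum layout). The filename is made up.
SAMPLE_LINE = ("ba7816bf8f01cfea414140de5dae2223"
               "b00361a396177a9cb410ff61f20015ad  release.tar.gz")


def parse_published(line):
    """Return (algorithm, digest, filename) or raise ValueError."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if len(digest) not in ALLOWED or set(digest) - set("0123456789abcdef"):
        raise ValueError("not a SHA-256/SHA-512 hex digest: %r" % digest)
    return ALLOWED[len(digest)], digest, name.lstrip(" *")


def stream_digest(stream, algorithm, chunk_size=65536):
    """Hash a binary stream in chunks so large downloads never sit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_stream(stream, published_line):
    """True only if the stream hashes to the published digest."""
    algorithm, expected, _name = parse_published(published_line)
    actual = stream_digest(stream, algorithm)
    return hmac.compare_digest(actual, expected)


def verify_bytes(data, published_line):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return verify_stream(io.BytesIO(data), published_line)


if __name__ == "__main__":
    print("intact copy :", verify_bytes(b"abc", SAMPLE_LINE))
    print("altered copy:", verify_bytes(b"abd", SAMPLE_LINE))
```

The check is only as trustworthy as the channel the published digest arrived over; a digest fetched from the same server as the file protects against corruption, not against whoever controls that server.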


