MD5 Broken

by Christopher on August 20th, 2004

A recent article on Slashdot entitled “SHA-0 Broken, MD5 Rumored Broken” got my attention a couple of days ago.

So what does it mean for a hash algorithm to be “broken”? Well, it means that two different sets of data can produce the same hash. This is called a “collision”. There is no way to stop collisions in hashes, no matter what algorithm you use — it’s just a matter of time until people find collisions. It’s simply the logic of math (don’t ask me to explain it, because I haven’t a clue).

Shortly after the article on Slashdot, there was a comment pointing to a whitepaper showing that collisions had been found in MD5.

Now, using MD5 to hash passwords shouldn’t have any effect on things like web apps or *nix systems (after all, if you have the MD5 hash of a password, there are online cracking sites that’ll crack it in a matter of days). The problem comes with file checksums. If an attacker can insert malicious code into a file and retain the same checksum, then we’ve got some trouble. And considering most routers use an MD5 digest to verify the integrity of files, it can be a big problem.

Though MD5 still isn’t “broken” in practice (you need an efficient way to find collisions to make use of them), you’ll probably start seeing SHA1 hashes more often.
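To make the file-checksum concern concrete, here is an added example (not from the original post) of the kind of manifest check a router or installer performs: digests are parsed from md5sum/sha1sum-style lines and compared against the file contents. The file contents, manifests and file names are constructed for the example; the digests are the standard test vectors for "abc" and "a".

```python
import hashlib
import hmac

# Constructed stand-in for files on disk (name -> contents).
FILES = {
    "firmware.bin": b"abc",
    "config.txt": b"a",
}

# Constructed manifests in md5sum/sha1sum output form: "<hexdigest>  <filename>".
MD5_MANIFEST = (
    "900150983cd24fb0d6963f7d28e17f72  firmware.bin\n"
    "0cc175b9c0f1b6a831c399e269772661  config.txt\n"
)
SHA1_MANIFEST = (
    "a9993e364706816aba3e25717850c26c9cd0d89d  firmware.bin\n"
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8  config.txt\n"
)


def parse_manifest(text):
    """Return {filename: expected hexdigest} from *sum-style lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_manifest(text, files, algo):
    """Check each listed file; returns {filename: bool}. Missing file = failure.

    This check is only as strong as the digest's collision resistance: a second
    file with the same MD5 (the collision the post describes) would pass it
    unchanged, so the algorithm in the manifest is the weak point, not the code.
    """
    results = {}
    for name, want in parse_manifest(text).items():
        data = files.get(name)
        if data is None:
            results[name] = False
            continue
        got = hashlib.new(algo, data).hexdigest()
        results[name] = hmac.compare_digest(got, want)  # constant-time compare
    return results


# Constructed tampered copy: one byte changed, so the MD5 no longer matches.
TAMPERED = {**FILES, "firmware.bin": b"abd"}
```

Swapping `"md5"` for `"sha1"` with the SHA1 manifest runs the same logic against a 160-bit digest, which is the move the post anticipates.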

That’s my understanding of things, but I’m lost when it comes to this cryptography stuff. So if you know your stuff, feel free to enlighten me.
