Modi talked about the LinkedIn hack, where passwords were hashed using SHA1 (higher encryption than md5
), but were still cracked.
authentication scheme  is not enough for this attack.
Because the math behind MD5
hash codes and even for SHA-1 has been attacked by other mathematicians as being weak because they have theoretically demonstrated that they can produce collisions (i.e.
In an interview late Wednesday night, McGrew said Mandiant also described "families" of related malware used in the campaigns but did not link those to the MD5
Since MD4  had been introduced in 1990, the MD-family hash functions such as MD5
 and SHA-2 16], where the design rationale is based on that of MD4, have been proposed.
Until organisations find and replace all of the MD5
certificates on their networks, which are virtual open doors, they are going to continue to be hit with this emerging type of certificate-based attack.
If you use MD5
encryption for client authentication, make sure that the client hashes the password with MD5
before sending the data on the network.
Because a collision means that the hash is not unique, hackers can forge certificates signed by MD5
. It is up to CAs to prevent these attacks by always using SHA-I rather than MD5
to sign certificates--which most now do.
algorithm is so weak that no one should be using it as their only encryption method - a normal PC without the extra GPU fire power could even crack the MD5
Any iterative cryptographic hash function, such as MD5
or SHA-1, may be used in the calculation of an HMAC (11).
Based on their observations, the researchers came to the conclusion that MD5
could no longer be considered a secure cryptographic algorithm for use in digital signatures and certificates.
By taking advantage of known flaws in the MD5
hashing algorithm used to create some of these certificates, the researchers were able to hack Verisign's RapidSSL.com certificate authority and create fake digital certificates for any Web site on the Internet.<p>Hashes are used to create a "fingerprint" for a document, a number that is supposed to uniquely identify a given document and is easily calculated to verify that the document has not been modified in transit.