Modi talked about the LinkedIn hack, where passwords were hashed using SHA1 (higher encryption than md5), but were still cracked.
Because the math behind MD5 hash codes and even for SHA-1 has been attacked by other mathematicians as being weak because they have theoretically demonstrated that they can produce collisions (i.e.
In an interview late Wednesday night, McGrew said Mandiant also described "families" of related malware used in the campaigns but did not link those to the MD5 hashes.
Since MD4 [14] had been introduced in 1990, the MD-family hash functions such as MD5 [15] and SHA-2 [16], where the design rationale is based on that of MD4, have been proposed.
Until organisations find and replace all of the MD5 certificates on their networks, which are virtual open doors, they are going to continue to be hit with this emerging type of certificate-based attack.
If you use MD5 encryption for client authentication, make sure that the client hashes the password with MD5 before sending the data on the network.
Because a collision means that the hash is not unique, hackers can forge certificates signed by MD5. It is up to CAs to prevent these attacks by always using SHA-1 rather than MD5 to sign certificates--which most now do.
The MD5 algorithm is so weak that no one should be using it as their only encryption method - a normal PC without the extra GPU fire power could even crack the MD5 code."
Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC (11).
Based on their observations, the researchers came to the conclusion that MD5 could no longer be considered a secure cryptographic algorithm for use in digital signatures and certificates.
By taking advantage of known flaws in the MD5 hashing algorithm used to create some of these certificates, the researchers were able to hack Verisign's RapidSSL.com certificate authority and create fake digital certificates for any Web site on the Internet.
Hashes are used to create a "fingerprint" for a document, a number that is supposed to uniquely identify a given document and is easily calculated to verify that the document has not been modified in transit.