-4

Without brute forcing, is it possible to induce a given result for the md5sum of a file, for example a text file? Is it mathematically "makeable"? Is the only way to use brute-forcing techniques? In other words, it can be asked: is it possible to create a file which has the same checksum (md5sum), i.e. "forging" a file?

  • @FynnMazurkiewicz Wait, what? It's fairly straightforward to produce MD5 collisions. – Arminius Jul 25 '17 at 21:19
  • 1
    In my answer below I assume that by "fake a md5sum" you mean "manipulate the file so that it has a specific md5sum". If you can be more specific about what you mean by "fake a md5sum", then I can edit my answer to match. – Mike Ounsworth Jul 25 '17 at 21:25
  • 1
    Can OP clarify what they mean, specifically, by a "fake md5sum" ? Do you want a collision (some other document which matches a given md5 hash) or do you want some given document to have a different md5sum than it actually has, somehow? – JesseM Jul 25 '17 at 21:52
  • 1
    Possible duplicate of [Is MD5 considered insecure?](https://security.stackexchange.com/questions/19906/is-md5-considered-insecure) – WhiteWinterWolf Jul 25 '17 at 23:19

2 Answers

5

MD5 is known to be broken for collision attacks. It is possible to generate a pair of documents m1 and m2, such that MD5(m1) = MD5(m2). This makes MD5 problematic for use as a hash in certificates, where you can pre-generate a pair of CSRs m1 and m2 with an identical hash and then when a certificate authority signs m1 (for a domain you control), you can append the valid signature from m1 onto m2 to create a valid certificate.

While MD5 has known weaknesses, it is currently not susceptible to any computationally practical pre-image attacks. That is, if I give you a valid MD5 hash h = ee83225a0d03ad3fb5273d17cdff9927 that I generated by hashing some message m that I keep secret, there is no computationally feasible way to find a valid m such that MD5(m) = h.

I'll add that naively collision attacks on a 128-bit hash should take O(2^64) work due to the birthday problem. (That is, if you generate around 2^64 hashes and compare each of the hashes against the 2^64 - 1 other hashes, it becomes probable that there will be one pair of matching hashes.) However, due to various problems due to the specifics of MD5, collisions can be generated in much less work, O(2^24.1).

For pre-image resistance, a 128-bit hash should take O(2^128) work to find a message that matches the hash. There are published pre-image attacks against MD5, but these attacks only speed it up by a factor of ~25, and still require O(2^123.4) work (which is well outside the realm of practical attacks; where the edge is typically thought to be somewhere between 2^80 and 2^100).

PS: If you find a string that matches the hash above within a year of this post, I'll gladly donate $1000 to a charity of your choice.

dr jimbob
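The gap between the birthday bound and the pre-image bound described in the answer above, as an added example that is not part of the original answer: MD5 is truncated to a toy `bits`-bit hash so that both generic searches finish quickly. It shows only the generic bounds, not the MD5-specific collision attack; the function names, message prefixes and the 20-bit size are assumptions made for the illustration.

```python
import hashlib

def truncated_md5(message: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(message): a toy hash small enough to search."""
    return int.from_bytes(hashlib.md5(message).digest(), "big") >> (128 - bits)

def find_collision(bits: int):
    """Birthday search: any two distinct messages with the same hash.

    Returns (m1, m2, hashes_computed); expected work is about 2^(bits/2).
    """
    seen = {}
    count = 0
    while True:
        msg = b"collision-%d" % count      # constructed sample messages
        count += 1
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, count
        seen[h] = msg

def find_preimage(target: int, bits: int, limit: int):
    """Generic pre-image search: a message whose hash equals a fixed target.

    Returns (message, hashes_computed), or (None, limit) if the budget runs
    out; expected work is about 2^bits.
    """
    for count in range(1, limit + 1):
        msg = b"preimage-%d" % count       # constructed sample messages
        if truncated_md5(msg, bits) == target:
            return msg, count
    return None, limit

if __name__ == "__main__":
    BITS = 20                              # assumption: toy size, not 128
    m1, m2, work = find_collision(BITS)
    print(f"collision: {m1!r} / {m2!r} after {work} hashes "
          f"(2^{BITS // 2} = {2 ** (BITS // 2)})")
    target = truncated_md5(b"secret message m", BITS)
    m, work = find_preimage(target, BITS, limit=32 * 2 ** BITS)
    print(f"pre-image: {m!r} after {work} hashes (2^{BITS} = {2 ** BITS})")
```

Each extra bit of hash length doubles the pre-image work but multiplies the collision work by only about 1.41, which is why the two bounds for a 128-bit hash sit at 2^128 and 2^64.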
0

Is fake a md5sum of a file possible?

Yes. Very yes. MD5 is completely broken and no longer suitable for security use. See Wikipedia for a description of ways you can abuse MD5.

Without brute forcing?

I guess it depends on your definition of "brute-forcing". From Wikipedia:

> The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1).

This is a brute-force attack since it requires 2^24.1 guesses, but it's a very small brute-force.

Mike Ounsworth