I wonder if there is any practical attack on MD5(key || fixed-length-message).

edo1
    [Related question](https://crypto.stackexchange.com/q/35721/555). Brute forcing with GPUs, FPGAs, ASICs is perhaps the most practical we have, and with enough resources could be carried [above 88 bit of key](https://crypto.stackexchange.com/q/13299/555). – fgrieu Dec 21 '22 at 05:28
  • 3
    I don't think we can easily attack that with current tech, but the MD5 algorithm is pretty weak - so we don't know if this will be secure towards the future. Saying that the message size is fixed is fine, but beware that you could create a length extension attack if you don't verify the size **before** you or directly after you verify the authentication tag that you generate. In general you would try and not operate on the message *before* verification, so beware of implementation issues. – Maarten Bodewes Dec 21 '22 at 21:26
  • @MaartenBodewes I will not use this cipher in my program, of course. I'm just wondering if it's been hacked already. – edo1 Dec 21 '22 at 21:52
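Added illustration, not part of the question or the comments above: the construction being asked about, MD5(key || fixed-length-message), written as a verifier that follows the ordering advice in the comments (check the message length before doing anything with the message, then compare the tag in constant time), alongside HMAC-MD5 from Python's standard library as the conventional keyed construction for comparison. `MSG_LEN`, the key and message values are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed assumption: the application commits to exactly 16-byte messages.
MSG_LEN = 16
TAG_LEN = hashlib.md5().digest_size  # 16 bytes


def mac_secret_prefix(key: bytes, msg: bytes) -> bytes:
    """Tag = MD5(key || msg), the construction from the question.
    The length is enforced at generation time so the tagging side
    never commits to a message of any other size."""
    if len(msg) != MSG_LEN:
        raise ValueError("message must be exactly MSG_LEN bytes")
    return hashlib.md5(key + msg).digest()


def verify_secret_prefix(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verify a secret-prefix tag.

    The size check comes first, before the message is touched at all,
    which is the ordering the comments recommend: anything that is not
    exactly MSG_LEN bytes is rejected without recomputing a digest over it.
    The tag comparison uses hmac.compare_digest so that a wrong tag is
    rejected in time independent of where the first differing byte is.
    """
    if len(msg) != MSG_LEN:
        return False
    if len(tag) != TAG_LEN:
        return False
    expected = hashlib.md5(key + msg).digest()
    return hmac.compare_digest(expected, tag)


def mac_hmac_md5(key: bytes, msg: bytes) -> bytes:
    """Reference point: the standard HMAC construction over MD5, which does
    not rely on a fixed message length for its structure."""
    return hmac.new(key, msg, hashlib.md5).digest()


def verify_hmac_md5(key: bytes, msg: bytes, tag: bytes) -> bool:
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(mac_hmac_md5(key, msg), tag)


if __name__ == "__main__":
    key = os.urandom(16)          # constructed key for the demo
    msg = b"fixed-len-msg-16"     # exactly MSG_LEN bytes

    tag = mac_secret_prefix(key, msg)
    print("prefix MAC, correct message:", verify_secret_prefix(key, msg, tag))
    print("prefix MAC, longer message: ", verify_secret_prefix(key, msg + b"!", tag))
    print("prefix MAC, wrong tag:      ", verify_secret_prefix(key, msg, tag[:-1] + b"\x00"))

    htag = mac_hmac_md5(key, msg)
    print("HMAC-MD5, correct message:  ", verify_hmac_md5(key, msg, htag))
    print("HMAC-MD5, longer message:   ", verify_hmac_md5(key, msg + b"!", htag))
```

The point of the example is the ordering in `verify_secret_prefix`: because the length check precedes the digest computation, a message of any size other than `MSG_LEN` is never hashed or otherwise processed, so the fixed-length assumption the question relies on is actually enforced by the verifier rather than merely assumed.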

0 Answers