If I know

H = md5( SECRET_KEY | DATA )

then I can calculate

H' = md5( SECRET_KEY | DATA | DATA' )

That's a length-extension attack. But is the opposite possible? E.g. if I know

H = md5( SECRET_KEY | DATA )

can I find

H'' = md5( SECRET_KEY )

where DATA is known and the length of DATA is known too?

Basically, can I find md5 of the KEY without DATA (once again, DATA is known, H is known, but SECRET_KEY is unknown)?

CodesInChaos
  • A note: the description of the length-extension attacks omits restrictions on how `DATA'` must start. – fgrieu Sep 19 '12 at 09:39
  • Perhaps one might call such an attack a "length-contraction attack"? –  Sep 19 '12 at 11:47

1 Answer

The short answer is: No, there is no known practical attack in the setup given.

But we do not have an argument/proof that there is not one, and we should be less confident in that than we are in HMAC-MD5, for which we have such an argument.

fgrieu
  • It is important to understand that Merkle–Damgård hashes were never designed to resist attacks of this type. Any properties like this that they have are just the result of pure luck. – David Schwartz Feb 13 '13 at 12:52
  • It would mean we can invert $h \mapsto E_m(h) + h$ where $E$ is the block cipher out of which MD5's compression function is built. This seems unlikely without serious cryptanalytic damage to $E$ (and it would presumably not have a unique answer most of the time). – Squeamish Ossifrage Mar 10 '19 at 21:51