On Tue, Feb 17, 2004 at 08:46:33AM -0600, mw-list-spf-discuss(_at_)csi(_dot_)hu
wrote:
The probability of collision between two given hashes is 2^160.
I thought it is more like the sqrt of this---2^80.
But I do not understand this discussion at all: since a timestamp is
also part of the scheme, and assuming no bounce older than a month is
accepted, is not md5 more than sufficient (collision probability is
2^64)?
In any case you don't need or want to append the entire hash to the
checksum, as that would give an attacker a way to brute-force attack the
secret off-line.
Instead, you just attach a portion of the hash, say 24 bits. The attacker
only has a 1-in-16-million chance of guessing a valid hash for a particular
message. When given a message and its 24 bit hash, it's also difficult to
deduce the secret you are using, because many secret keys will give the same
24 bit answer; those answers will differ in the remaining 104 bits, in the
case of MD5.
The attacker may collect many different pairs of messages and hashes, so
it's still important to choose a properly random secret with sufficient
entropy (i.e. 128 bits of entropy if using MD5) to make brute-force
infeasible.
Brian.