How secure is using MD5 for signature

Question

Generally speaking, MD5 is considered as broken for secure usage these days, but I came across a signature design using MD5 many times recently in my company. The detail shows as following:

T = text, which is directly viewable as plain text in a HTTP header.

AppId, AccessKey = ID and Key pairs authorized from server. The ID is also appended as plain text in HTTP header.

signature = MD5(T || timestamp || AppId || AccessKey)

My question is how secure is this signature design? I've searched for many sorts of collision attacks, and the closest one to this condition is the chosen prefix attack, which seems still hard to effectively exploit this signature.

Any idea would be greatly appreciated.

Answer 1

MD5 is broken in the sense that it is possible to create two pieces of data with the same hash. However, you need to be able to modify both pieces of data.

For example, you can create two images with the same MD5, by manipulating both images. Then if a user or system checks only the MD5 of the file, you can swap the images and the MD5 remains the same.

In your example, it would be possible to create two texts that have the same signature, for an attacker that has a AppId and AccessKey. I don't think that breaks the security of the system, but that depends on how the signature is used.

It is not possible to create a file with an arbitrary MD5, or to find the original data from an MD5 hash by a method other than brute force. So if they keys used in your example are long enough, it is secure against an attacker that does not have an AppId or AccessKey.

However, because MD5 turned out not to be collision resistant it is no longer trusted by many people to be a good hash function. It has a bad reputation and isn't considered suitable for any use. So if you develop a new system, don't use MD5 (or SHA1).

Answer 2

I'm a bit surprised no one has mentioned length extension attacks yet. This doesn't seem to be vulnerable, but it also seems like it may have avoided being vulnerable purely by chance.

While it doesn't immediately appear vulnerable to any attacks, it's also non-standard. If you want a "signature" (what you want is actually called a MAC), you should use an algorithm designed for that, such as HMAC.

HMAC-MD5 is actually still considered secure, but really if it's decided that it's worth rewriting you might as well use HMAC-SHA256. If improved attacks are eventually discovered that affect HMAC, it's a good bet that MD5 will be worse off than SHA-256.

Answer 3

In my opinion, it is not useful being able to edit T just for getting a match of signature. The dream scenario is be able to edit T to the adversary's advantage and still get a signature match - which should not be that straightforward or easy to achieve.

So in this case, this is a good enough application for MD5 - nothing too complex.

As a contrast to understanding this, if you were to use this as a login mechanism then it would not be as secure.