Ebdon.Net

MD5 Message Digest Algorithm

Front Page | Recent Changes | Title Index | Amateur Radio | Software Development

Hash Functions

Encryption and security software frequently makes use of hash functions. A hash or digest is a small, fixed-size value calculated from a piece of data of any size. If two documents have the same hash value there is a strong likelihood that the contents are the same. The trick is to choose an algorithm that makes it infeasible to find two different documents with the same hash; such a pair is known as a collision. If an attacker can produce data whose hash matches that of a genuine piece of data then they can compromise whatever relies on that hash. For example, it is quite common to store the hashed values of passwords rather than the passwords themselves. Obtaining a hashed password is of no direct use to an attacker, because a good hash cannot be reversed, but the attacker can hash candidate passwords and compare the results. A fast hash such as MD5 makes that brute-force or dictionary attack cheap, and if the stored hashes are unsalted one pass over the wordlist cracks every user who chose the same password; algorithmic weaknesses make the attacker's job cheaper still.
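The password case above, as an added example that is not part of the original page: the unsalted MD5 scheme beside a hardened salt-plus-slow-KDF scheme. The wordlist and passwords are constructed sample data; the MD5 test vectors for the empty string and "abc" are the standard ones from RFC 1321.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple


def md5_hex(data: bytes) -> str:
    """Return MD5(data) as 32 hex characters: always 128 bits, whatever the input size."""
    return hashlib.md5(data).hexdigest()


# --- The weak scheme the text describes: one unsalted, fast hash per password ---

def store_unsalted(password: str) -> str:
    """What a naive system writes to its user table."""
    return md5_hex(password.encode("utf-8"))


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The stored hash cannot be reversed, but every candidate can be hashed and compared.
    Because there is no salt, one pass over the wordlist serves every user at once."""
    for word in wordlist:
        if md5_hex(word.encode("utf-8")) == stored:
            return word
    return None


# --- Hardened scheme: per-user random salt and a deliberately slow key derivation ---

ITERATIONS = 100_000  # assumed work factor; tune upward as hardware gets faster


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute the derivation and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


# Constructed wordlist and sample passwords, not taken from any real breach.
WORDLIST = ["123456", "letmein", "password", "qwerty"]


if __name__ == "__main__":
    # Fixed-size output: a 100 kB input and a 3-byte input both give 32 hex digits.
    print(md5_hex(b"abc"), md5_hex(b"x" * 100_000))

    stored = store_unsalted("password")
    print("unsalted MD5 :", stored, "-> cracked as", dictionary_attack(stored, WORDLIST))

    salt, dk = store_pbkdf2("password")
    print("pbkdf2 salt  :", salt.hex(), "key:", dk.hex())
    print("verify right :", verify_pbkdf2("password", salt, dk))
    print("verify wrong :", verify_pbkdf2("passw0rd", salt, dk))
```

Two users with the same password get identical rows under the unsalted scheme and different rows under the salted one, so a cracked hash no longer unlocks other accounts, and each guess costs the attacker the full iteration count.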

Potential Weaknesses of the MD5 Algorithm

One of the standard hashing algorithms is MD5 (Message Digest 5), but since the mid 1990s, when Hans Dobbertin found collisions in its compression function, the general advice has been to avoid it due to the risk of collisions. For years those risks were described as theoretical, since no collision for the full MD5 had been published. Or rather no one had announced such a discovery; the distinction can be important when we're discussing cryptography. That is no longer the case: a team led by Xiaoyun Wang announced real MD5 collisions in August 2004. Before that announcement the risks had already been increased by MD5CRK, a distributed project that searched for an MD5 collision by brute force. Its client is a Java applet, and the trick is that it can use idle time on any computer used for web browsing. By placing a so-called MagicButton on their web page a web master tells any browser visiting that page to participate in the MD5CRK project.

From the MD5CRK FAQ: "The aim of MD5CRK is to raise awareness in the IT industry that MD5 is not secure for many applications. We aim to disprove one of the fundamental requirements of a secure message digest: No two inputs can be found which produce the same digest - this is also known as a collision."

MD5CRK is basically a data gathering exercise. So what's the point of this? Again from their FAQ: "With the hundreds of gigabytes of data we will have gathered, new attacks on MD5 can be performed leveraging the work we have already done."
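What a collision search of the MD5CRK kind is doing, as an added example that is not part of the original page or of the MD5CRK project: a birthday search for two messages whose MD5 digests agree on their first n bits. It assumes a simple in-memory search (remember every digest seen) rather than the distributed, low-memory method a project like MD5CRK needs, and it uses a constructed message family "msg-0", "msg-1", ... as input. The point it shows is the cost curve: a collision on n bits costs roughly 2^(n/2) hashes, which is trivial for 32 bits and about 2^64 for the full 128-bit MD5.

```python
import hashlib
import math
from typing import Dict, Tuple


def truncated_md5(data: bytes, nbits: int) -> int:
    """First nbits of MD5(data) as an integer. nbits must be a multiple of 8 and at most 128."""
    if nbits % 8 or not 0 < nbits <= 128:
        raise ValueError("nbits must be a multiple of 8 between 8 and 128")
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest[: nbits // 8], "big")


def expected_trials(nbits: int) -> float:
    """Birthday-bound estimate of hashes needed before the first collision on nbits:
    sqrt(pi/2 * 2**nbits), roughly 1.25 * 2**(nbits/2)."""
    return math.sqrt(math.pi / 2 * 2.0 ** nbits)


def birthday_collision(nbits: int = 32, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Find two distinct messages prefix+counter with equal nbits-truncated MD5.

    Returns (message_a, message_b, hashes_computed). Every digest is kept in a
    dictionary, so memory grows with the number of trials; a real distributed
    search replaces the table with a memoryless cycle-finding method.
    """
    seen: Dict[int, bytes] = {}
    counter = 0
    while True:
        msg = prefix + str(counter).encode("ascii")
        h = truncated_md5(msg, nbits)
        if h in seen:
            # Distinct counters give distinct messages, so this is a genuine collision
            # on the truncated digest.
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, trials = birthday_collision(bits)
        print(f"{bits}-bit collision after {trials:>7} hashes "
              f"(expected ~{expected_trials(bits):.0f}): {a!r} vs {b!r}")
    print(f"full 128-bit MD5 would need ~{expected_trials(128):.3g} hashes, "
          f"about 2^{math.log2(expected_trials(128)):.1f}")
```

The two messages found collide only on the truncated prefix; their full MD5 digests still differ, which is why a brute-force search is only useful against the full function once the work can be spread across a very large number of machines, or replaced by an analytic attack of the kind the MD5CRK FAQ anticipates.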

A number of alternatives to MD5 are available, one of the most common being SHA-1, which is used by high grade encryption software such as PGP and GPG. SHA-1 shares MD5's general construction, with a 160-bit rather than 128-bit output, and practical collisions have since been demonstrated for it as well, so new designs should use SHA-256 or another member of the SHA-2 family and keep MD5 and SHA-1 for non-security uses such as change detection.

MD5 Books and Web Sites

File under: Category Software Development

Edited March 2, 2005


Copyright (c) Terry Ebdon, all rights reserved.