Score:2

Is it safe to initialize a random number generator with MD5?


The MD5 algorithm is no longer considered secure for most applications of a hash algorithm. However, is it safe to initialize a PRNG via a password?

If it is not, how could it be exploited?

kelalaka: Could you define how you use MD5 for each instantiation of the RNG?

Begoña Garcia: I'm studying a steganography application where MD5(password) is used to initialize a PRNG that selects the pixels of an image to hide information in. The accepted answer does not apply to my case, but it is correct considering that my question is not complete. I will open another question for this.

kelalaka: This is why you should mention all the details, so that you use the time of others more carefully. People here want to help; however, their time is valuable.
Score:4

No, it is not safe to initialize a (CS)PRNG with the MD5 hash of a password.

That's not so much an issue with MD5 as it is an issue with initializing a PRNG with a function of a password that can be computed fast. SHA-256 would be nearly as bad. When turning a password into a key/seed, we need to use key/entropy stretching, and towards this use a memory-hard function such as Argon2, with reasonable parameters. Otherwise, we risk being very vulnerable to password cracking.

Also, inasmuch as possible, an input of the function should include salt (such as a username, email, filename).

"how could it be exploited?"

The attacker would hash a dictionary of common passwords, and for each initialize the PRNG with the result, produce some PRNG output, and test if that output is correct. That test depends on the usage of the PRNG. For example, if the PRNG is used as a stream generator for a stream cipher, and a known plaintext/ciphertext pair is available, the test boils down to comparing the PRNG output to the XOR of plaintext and ciphertext over an appropriate length. If only ciphertext is available, but correct plaintext is recognizable (e.g is highly redundant), an attack is still possible.

kelalaka: That really depends on the strength of the password. One can use a password with 256-bit strength to be on the safe side regardless of the password hashing algorithm and its parameters.
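The answer's point is that MD5 itself is not the problem; the problem is that each candidate password costs the attacker one fast hash. The following added example (not code from the thread or from the steganography tool mentioned in the comments) puts the weak scheme, seed = MD5(password), beside a stretched and salted one, and measures the per-guess cost of each. It uses scrypt from the Python standard library as a stand-in for the answer's recommended Argon2, and the password, salt and image size are constructed sample values. The pixel-selection PRNG is Python's random.Random, used only to show that the seed fully determines which pixels are chosen.

```python
import hashlib
import random
import time

# Constructed sample values for the demonstration (not from the thread).
PASSWORD = b"correct horse battery staple"
SALT = b"cover-image-0001.png"   # per-file salt, as the answer recommends


def seed_from_md5(password):
    """Weak scheme from the question: seed = MD5(password), no salt, no stretching."""
    return int.from_bytes(hashlib.md5(password).digest(), "big")


def seed_from_scrypt(password, salt, n=2 ** 14, r=8, p=1):
    """Hardened scheme: memory-hard stretching with a salt.

    scrypt is used because it ships in the standard library; the answer's
    first choice, Argon2, needs a third-party package but plays the same role.
    """
    dk = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32)
    return int.from_bytes(dk, "big")


def pixel_order(seed, width, height, count):
    """Deterministic pixel selection driven by the seeded PRNG (the steganography
    use case from the comments). random.Random is a Mersenne Twister, not a
    CSPRNG; it stands in here only to show that the seed alone fixes the
    selection, so whoever recovers the seed recovers the hiding positions."""
    rng = random.Random(seed)
    positions = [(x, y) for y in range(height) for x in range(width)]
    rng.shuffle(positions)
    return positions[:count]


def seconds_per_guess(derive, trials=10):
    """Average wall-clock cost of deriving one seed: the per-candidate price of
    the dictionary search described in the answer."""
    start = time.perf_counter()
    for _ in range(trials):
        derive()
    return (time.perf_counter() - start) / trials


def cost_ratio(password=PASSWORD, salt=SALT, trials=10):
    """How many times more expensive each password guess becomes when the seed
    is derived with scrypt instead of MD5."""
    md5_cost = seconds_per_guess(lambda: seed_from_md5(password), trials)
    scrypt_cost = seconds_per_guess(lambda: seed_from_scrypt(password, salt), trials)
    return scrypt_cost / max(md5_cost, 1e-9)


if __name__ == "__main__":
    weak = seed_from_md5(PASSWORD)
    strong = seed_from_scrypt(PASSWORD, SALT)
    print("MD5 seed     :", hex(weak))
    print("scrypt seed  :", hex(strong))
    print("first pixels :", pixel_order(strong, 64, 64, 5))
    print("cost ratio   : %.0fx per guess" % cost_ratio())
```

Run it as a script to see the two seeds and the measured ratio. The ratio is the whole argument: with MD5 the attacker pays roughly a microsecond per candidate, with scrypt at these parameters tens of milliseconds and 16 MiB of memory, and the salt means the work cannot be shared across files. Note that stretching raises the cost per guess; it does not rescue a password that is itself guessable in a handful of attempts, which is the point of the comment above about password strength.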