133

Is there an example of two known strings which have the same MD5 hash value (representing a so-called "MD5 collision")?

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240

7 Answers7

93

Yes you can, see at the MD5 Collision Demo, the two blocks:

d131dd02c5e6eec4693d9a0698aff95c 2fcab58712467eab4004583eb8fb7f89 
55ad340609f4b30283e488832571415a 085125e8f7cdc99fd91dbdf280373c5b 
d8823e3156348f5bae6dacd436c919c6 dd53e2b487da03fd02396306d248cda0 
e99f33420f577ee8ce54b67080a80d1e c69821bcb6a8839396f9652b6ff72a70

and

d131dd02c5e6eec4693d9a0698aff95c 2fcab50712467eab4004583eb8fb7f89 
55ad340609f4b30283e4888325f1415a 085125e8f7cdc99fd91dbd7280373c5b 
d8823e3156348f5bae6dacd436c919c6 dd53e23487da03fd02396306d248cda0 
e99f33420f577ee8ce54b67080280d1e c69821bcb6a8839396f965ab6ff72a70

produce an MD5 collision.

Each of these blocks has MD5 hash 79054025255fb1a26e4bc422aef54eb4.

Community
  • 1
75

Just to show you how easy it is today to create collisions on MD5:

One could create collisions using Marc Steven's HashClash on AWS and estimated the the cost of around $0.65 per collision.

These 2 images have the same md5 hash: 253dd04e87492e4fc3471de5e776bc3d

Ship image

Plane image

If you want to test it yourself and the images below do not give you the MD5 hash displayed above then you may need to take images from the original link below:

Reference: http://natmchugh.blogspot.com/2015/02/create-your-own-md5-collisions.html

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
Silverfox
  • 921
  • 6
  • 11
40

A new result shows how to generate single block MD5 collisions, including an example collision:

Message 1

Message 2

> md5sum message1.bin message2.bin
> 008ee33a9d58b51cfeb425b0959121c9 message1.bin
> 008ee33a9d58b51cfeb425b0959121c9 message2.bin

There is an earlier example of a single block collision, but the technique for generating it was not published.

Sumit
  • 53
  • 4
PulpSpy
  • 8,767
  • 2
  • 31
  • 46
38

MD5 was intended to be a cryptographic hash function, and one of the useful properties for such a function is its collision-resistance. Ideally, it should take work comparable to around $2^{64}$ tries (as the output size is $128$ bits, i.e. there are $2^{128}$ different possible values) to find a collision (two different inputs hashing to the same output). (Actually, brute-forcing this is today almost in the range of possible, so this alone would be a reason not to use any small-output hash function like MD5.)

It showed that MD5 is not that resistant as intended, and nowadays it is relatively easy to produce more collisions, even with an arbitrary common prefix and suffix.

There was a spectacular example, when someone used an MD5 collision to get a fake SSL certificate from a certification agency. The agency signed a certificate for a domain which belonged to the attacker, and the attacker produced a different certificate (for another domain) with the same hash, i.e. for which the same signature was valid.

Don't use MD5 for any application which relies on collision-resistance (like signatures) ... or for any new application at all. Use SHA-2 (or SHA-3) now.

Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119
24

1. Two different strings in hex format:

4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2
4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2

both have MD5 hash:

008ee33a9d58b51cfeb425b0959121c9

Example:

> md5sum message1.bin message2.bin
008ee33a9d58b51cfeb425b0959121c9 message1.bin
008ee33a9d58b51cfeb425b0959121c9 message2.bin
> sha1sum message1.bin message2.bin
c6b384c4968b28812b676b49d40c09f8af4ed4cc message1.bin
c728d8d93091e9c7b87b43d9e33829379231d7ca message2.bin

2. Another example (in hex):

0e306561559aa787d00bc6f70bbdfe3404cf03659e704f8534c00ffb659c4c8740cc942feb2da115a3f4155cbb8607497386656d7d1f34a42059d78f5a8dd1ef
0e306561559aa787d00bc6f70bbdfe3404cf03659e744f8534c00ffb659c4c8740cc942feb2da115a3f415dcbb8607497386656d7d1f34a42059d78f5a8dd1ef

both have MD5 hash:

cee9a457e790cf20d4bdaa6d69f01e41

Example 1. is straight from Marc Stevens: Single-block collision for MD5, 2012; he explains his method, with source code (alternate link to the paper).

Example 2. is adapted from Tao Xie and Dengguo Feng: Construct MD5 Collisions Using Just A Single Block Of Message, 2010.

Please note that above examples are hexadecimal representation of the strings. So to test it, you've to write these hex values into the binary files and then compare them as shown above.

To make simple test in shell, please check the commands provided in: Can two different strings generate the same MD5 hash code?

See also: What is the MD5 collision with the smallest input values?

Mikael Dúi Bolinder
  • 105
  • 4
kenorb
  • 697
  • 1
  • 9
  • 19
19

Here are some other interesting examples. One of them is, two downloadable executables that have the same MD5 hash, but are actually different, and produce different (safe) results when run!

So much for using MD5 hashes to ensure download file integrity :-(

http://www.mscs.dal.ca/~selinger/md5collision/

T_C
  • 486
  • 2
  • 5
6

From "Schneier on Security", March 10, 2005…

More Hash Function Attacks

Here's(1) a pair of valid X.509 certificates that have identical signatures. The hash function used is MD5.

And here's a paper(2) demonstrating a technique for finding MD5 collisions quickly: eight hours on 1.6 GHz computer.

Links:

  1. http://www.win.tue.nl/~bdeweger/CollidingCertificates/
  2. http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf
Community
  • 1
Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240