I hate explaining this. I've had to do it so many times....
But anyway, MD5 and SHA1 both have weaknesses. However, that doesn't mean they're easy to brute-force; brute-forcing them is just as hard as it ever was.
Hashing is used for at least 2 things:
- Storing unrecoverable data (i.e., passwords)
- Authenticating a document
The weakness is that a collision can be induced in the document-authentication case. As an example, you might be able to have two programs, one malicious and one clean. You store the MD5 of the clean one to verify that the program you're running is safe. Then somebody sends you the malicious one, you check the hash, decide that the program is clean, and run it.
Or, you send somebody a legal document and ask them to encrypt the MD5 and send it back (basically like signing the document). However, you've secretly generated a second document that has the same MD5 hash but says something different. You attach their signature to the second document, and it looks like they signed that one.
You might be thinking, "Who cares?", and that's exactly right. For day-to-day use, like storing passwords, being able to induce collisions isn't a big deal. I mean, it might be possible to generate two different passwords for yourself that both produce the same hash, but why anybody would want to do that is beyond me.
If you feel like reading it, here is me explaining it another way:
Conversation with cowshjt at 2005-04-14 19:06:37 on iagox86 (aim)
(19:06:37) CoW Shjt: heh according to some of these reports
(19:06:45) CoW Shjt: sha-1 is in some trouble
(19:06:49) CoW Shjt: and md5 is next to dead
(19:07:07) iagox86: it depends what they're being used for
(19:07:30) CoW Shjt: well aren't the concepts the same as far as file verification and password protection?
(19:07:54) CoW Shjt: collisions are bad for both usages
(19:09:28) iagox86: It's not the problem that collisions are common, the problem is that collisions can be induced
(19:09:53) CoW Shjt: people are finding values that would cause collisions?
(19:09:54) iagox86: Unless I understand the vulnerability incorrectly, you need to be able to control both strings to cause a collision, but in password protection you only control one
(19:10:23) iagox86: yes, it's not impossible to pick 2 strings (by manipulating both of them in sneaky ways) that are the same MD5
(19:10:31) iagox86: to my knowledge, it's not a problem for passwords
(19:10:45) CoW Shjt: well for passwords, if you have a good amt of collisions
(19:10:55) CoW Shjt: the brute forcing would be reduced greatly
(19:11:53) iagox86: Only if you pre-generate all the keys and find the collisions for everything, but that would be computationally infeasible
(19:12:31) CoW Shjt: well let's say you didn't want the password string
(19:12:38) CoW Shjt: just something that could generate the same hash
(19:12:58) iagox86: The likeliness of finding something that matches a single string is basically impossible
(19:13:07) iagox86: veryveryvery low
(19:13:33) CoW Shjt: but how is finding strings that generate the same hash hurting the protocols so much?
(19:13:39) CoW Shjt: why is it so serious?
(19:13:58) iagox86: It makes it impossible to use md5 to verify that a document is real
(19:14:17) iagox86: Somebody can (without too much trouble, apparently) generate 2 different documents, sign it by taking the md5 of it, and then switch them
(19:14:26) CoW Shjt: but isn't it very very very unlikely that that document would generate those specific strings?
(19:14:40) iagox86: If you can control both documents, that's when the collisions can be induced
(19:15:10) CoW Shjt: so the problem basically is, ppl have found a way to create the same hash as a string that is given to them?
(19:15:29) iagox86: No, the problem is that people can generate 2 different strings that have the same hash code
(19:15:41) iagox86: The same md5 hash, rather
(19:16:02) iagox86: It's difficult to take one and find a match, but if you are in control of both it's possible
(19:16:20) CoW Shjt: but the likelihood of having a document that would be the same as one of those strings that cause collisions be rather low?
(19:17:04) iagox86: yes
(19:17:14) iagox86: That's my understanding, it is possible that I'm not correct
(19:17:47) CoW Shjt: wouldn't that be the same likelihood of having personA's password generate the same hash as personB?
(19:18:38) iagox86: No, because the collisions are caused by certain changes, I think
(19:20:44) CoW Shjt: but wouldn't collisions in the first place allow a brute forcer to reduce his number of attempts and never actually need the original string?
(19:21:30) iagox86: I'm not qualified to answer that
(19:21:48) iagox86: But I suppose if somebody designed their original string in a special way that causes collisions, by luck..
(19:21:53) CoW Shjt: (20:21:18) iagox86: It's difficult to take one and find a match, but if you are in control of both it's possible
if you controlled both strings, wouldn't the work already be done?
(19:22:26) iagox86: If you're getting them to sign a md5 hash of a document, you can generate 2 with very small differences that end up with the same hash
(19:22:46) iagox86: There's a good example of that on SecurityFocus.com, but I don't feel like finding it
(19:23:01) CoW Shjt: eh i wouldn't feel like reading it
(19:23:07) iagox86: (14:50:07) iagox86: i saw one on a mailing list a loong time ago involving md5 and a pony
(14:50:11) iagox86: the md5 sum was the same
(14:50:41) iagox86: wow, first result on google:
(14:50:41) iagox86: http://www.securityfocus.com/archive/1/383709/2005-02-21/2005-02-27/0
(19:23:09) iagox86: it's very short
(19:23:12) iagox86: I sent that to you on March 10
(19:23:25) iagox86: Have a look at the whole thread, it explains what I'm trying to
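The two cases argued over in the log, as an added example that is not from the original post: SHA-256 truncated to 16 bits stands in for a hash whose collision resistance has broken, so both searches finish in seconds. When the attacker controls both documents (the signed-document case) a matching pair turns up after roughly 2^(n/2) rounds; when one stored hash is fixed (the password case) a match needs roughly 2^n guesses, which is the gap between "a problem" and "not a problem" the post describes. All names and sample inputs are constructed for this example.

```python
import hashlib
import itertools

# Toy hash for the demonstration: SHA-256 truncated to its top nbits.
# The small width is what makes the attacks below feasible; nothing
# here says anything about SHA-256 at full width.
def toy_hash(data: bytes, nbits: int) -> int:
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def forge_signed_pair(nbits: int, clean: bytes = b"clean program v",
                      evil: bytes = b"evil program v"):
    """Attacker controls BOTH documents. Vary each until a clean variant and
    an evil variant share a hash (birthday search, about 2**(nbits/2) rounds).
    Returns (clean_variant, evil_variant, rounds)."""
    seen_clean, seen_evil = {}, {}
    for i in itertools.count(1):
        c = clean + str(i).encode()
        e = evil + str(i).encode()
        hc, he = toy_hash(c, nbits), toy_hash(e, nbits)
        if hc == he:
            return c, e, i
        if hc in seen_evil:            # this clean variant matches an earlier evil one
            return c, seen_evil[hc], i
        if he in seen_clean:           # this evil variant matches an earlier clean one
            return seen_clean[he], e, i
        seen_clean.setdefault(hc, c)
        seen_evil.setdefault(he, e)


def verify(document: bytes, stored_hash: int, nbits: int) -> bool:
    """What the victim does: trust the document if its hash matches the stored one."""
    return toy_hash(document, nbits) == stored_hash


def crack_password_hash(stored_hash: int, nbits: int, budget: int):
    """Attacker controls only ONE input: the stored hash is fixed, so any match
    needs about 2**nbits guesses (a preimage search), and the guess that matches
    is almost never the original password. Returns (guess or None, guesses)."""
    for i in range(1, budget + 1):
        guess = b"guess" + str(i).encode()
        if toy_hash(guess, nbits) == stored_hash:
            return guess, i
    return None, budget


if __name__ == "__main__":
    NBITS = 16
    clean, evil, rounds = forge_signed_pair(NBITS)
    stored = toy_hash(clean, NBITS)    # the value the victim "signed"
    print(f"collision after {rounds} rounds; verify(evil) -> {verify(evil, stored, NBITS)}")
    guess, tries = crack_password_hash(toy_hash(b"hunter2", NBITS), NBITS, budget=2 ** 20)
    print(f"preimage of one fixed hash found after {tries} guesses: {guess!r}")
```

Rerun with a larger `NBITS` and the collision search stays quick while the preimage search stops finishing inside its budget, which is the asymmetry the post relies on.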