The MD4 hash function is insecure. Collision attacks
have been known for many years now, and a recent paper by
Wang et al. shows several second preimage attacks,
as follows. First, there's an algorithm which, given a
random message and its MD4 hash, finds another message
having the same hash with probability 2^-56. Second, if
the attacker can also alter the original message (and
thus its hash) slightly, he can find a second message
having the same hash with just 2^27 MD4 invocations.
Doubtless, even stronger attacks will soon be found.
MD4 (with known seed) is thus completely broken, making
rsync batch mode and librsync unsafe to use in
malicious environments. Please do consider phasing out MD4.
The fastest hash function with no interesting known
attacks is SHA-256, which is still somewhat expensive
(though this can be partially addressed by the
meta-hash idea -- see the librsync list, July 2005,
"Re: more info on 25gig files"). SHA-1 may also be OK
for a while despite the known collision attacks, and
has acceptable speed.