Can you simplify what a hash collision attack is?

642    Asked by AnnaBall in SQL Server , Asked on Dec 17, 2021

What is a collision attack? How can it affect me? 

I tried researching about this topic and found out that in cryptography, a collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision. This is in contrast to a preimage attack where a specific target hash value is specified.


Answered by Ankur vaish

Hash collision attacks aren't an issue when dealing with password hashes. The issue with both SHA256 and MD5, from a password hashing perspective is that they're both much too fast. MD5 is quite a bit faster than SHA256, in fact.


To clarify what a collision attack is, and why it doesn't matter when dealing with password hashes, it is when a hash function allows an attacker to find two inputs that result in the same hash value. The fact that the attacker can control and manipulate both inputs in order to find a colliding value is critical. When you have a password hashing system, however, the attacker does not have to ability to control the first input. The password creator controls the first input. The attacker only has the resulting hash value from the first input, and the ability to attempt to create a matching hash from a second input which they do control. If they can find a second input that creates an identical hash, this is not a collision attack, but a 2nd pre-image attack, and not even MD5 is susceptible to these. So, ultimately, the speed is the only issue, in that people choose passwords poorly, and the speed with with an MD5 hash can be computed is rapid enough for an attacker to attempt many, many potential input candidates in order to find the one the results in the password hash.



Your Answer

Interviews

Parent Categories