Q
Manage Learn to apply best practices and optimize your operations.

# What is an encryption collision?

## Michael Cobb reviews how encryption collision attacks on cryptographic hash functions could compromise the security of all kinds of digital systems.

What are "collisions" of encryption algorithms? Can attacks create an encryption collision?
To answer your question, I need to step through various aspects of cryptography.

One type of cryptographic algorithm is called a hash function. Hash functions take a message of any length as input...

and then output a short, fixed-length value called a hash, digest or checksum. Hash functions have many uses in cryptography because any change to the original input, accidental or otherwise, will change the resulting hash value. This means hashes can be used in many forms of authentication, such as digital signatures and message authentication codes. They can also verify file integrity because even the slightest change to a document, message, or any type of data will change the hash value.

A hash function is not the same as an encryption function. Encryption is a two-way operation, transforming data from a cleartext to ciphertext and back, whereas hashes compile a stream of data into a small digest, a summarized form if you will, and it's strictly a one-way operation. Because of the one-way nature of hash functions, the hash values of passwords are often stored instead of the passwords themselves. As there's no way to find out for sure which password produced a particular hash, they are not useful to an attacker.

But there's an inescapable problem here. If we are creating a small fixed, length-hash value, say 128 bits, to represent any piece of data, large or small, it means that there are far more possible input values than there are unique hash values. Therefore more than one input stream can produce the same hash value. When this occurs, it is known as a collision. A hash function is deemed collision-resistant if it is hard to find two inputs that hash to the same output. Collision-resistant doesn't mean that no collisions exist; simply that they are difficult to find.

A successful encryption collision attack on a cryptographic hash function could compromise the security of all kinds of digital systems. For example, many software publishers provide the MD5 (Message-Digest algorithm 5) hash value of their downloadable software. This enables users to verify that the file is authentic and has not been tampered with. However, if an attacker could maliciously modify the source code, but manage to keep the same hash value, anyone downloading the doctored version wouldn't know that it wasn't the genuine software.

So to answer your second question, attacks do try to find encryption collisions. In March 2005, two researchers created two X.509 digital certificates with different public keys but with the same MD5 hash. Since then, an algorithm has been published that can find an MD5 collision in under a minute.

Fortunately, as MD5 has been shown to be non-collision resistant, it's being replaced by the SHA-2 family of hash functions in most applications.

This was last published in October 2009

## Content

Find more PRO+ content and other member only offers, here.

#### Have a question for an expert?

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

#### Start the conversation

Send me notifications when other members comment.

## SearchCloudSecurity

• ### How cloud access security brokers have evolved

Cloud access security brokers keep being acquired by bigger security companies. Expert Rob Shapland looks at how these ...

• ### SQL injection attacks: How to defend your enterprise

SQL injection attacks threaten enterprise database security, but the use of cloud services can reduce the risk. Here's a look at ...

• ### Cloud security lessons to learn from the Uber data breach

Any organization that uses cloud services can learn something from the 2016 Uber data breach. Expert Ed Moyle explains the main ...

## SearchNetworking

• ### Ruckus SmartZone to get IoT module

Ruckus plans to release a suite of technology for companies that want to support IoT devices on the WLAN. The suite includes an ...

• ### What are the top information security objectives for CISOs?

Bloggers delve into CISO information security objectives, Juniper's new product release and how self-sufficient networking teams ...

• ### Considerations for buying an application delivery controller

Before you buy an ADC device, learn which features you should look for and what questions you should ask prospective application ...

## SearchCIO

• ### Cybersecurity's shortage of skills leaves IT projects vulnerable

A recent study found that as IT projects proliferate, cybersecurity's shortage of skills is leaving tech vulnerable. Analyst and ...

• ### Relentless AI cyberattacks will require new protective measures

AI cyberattacks won't be particularly clever; instead, they'll be fast and fierce. Carnegie Mellon University's Jason Hong ...

• ### Deep learning algorithms power startup's beauty database

Deep learning algorithms are changing how we drive cars and navigate outer space. What about saving our skin? Silicon Valley ...

## SearchEnterpriseDesktop

• ### How to establish Windows 10 security baselines

IT should consider following Microsoft's Windows 10 security recommendations in the Security Compliance Toolkit to better protect...

• ### VMware Workspace One helps Western Digital organize 3,000 apps

The application portal in VMware Workspace One allowed IT to streamline app delivery, and the product's cloud-based model proved ...

• ### Three PC lifecycle management options IT should consider

IT pros can use PCs and laptops until they stop working, or they can set up a lifecycle management plan that retires them after a...

## SearchCloudComputing

• ### Prepare and manage enterprise apps for an IaaS model

A growing number of businesses see the value in infrastructure as a service. But without careful app migration and management ...

• ### Multi-cloud management still a work in progress for IT teams

Multi-cloud deployments are a mixed bag, providing both business value and complex management challenges. Fortunately, a number ...

• ### Bare-metal cloud services lure legacy workloads off premises

For some enterprises, bare-metal services in the cloud act as a crucial steppingstone to an IaaS deployment, and providers, ...

## ComputerWeekly.com

• ### GDPR is having positive impact on privacy profession, says IAPP

The EU’s new data protection rules are driving greater interest in the privacy profession, and provide an opportunity to develop ...

• ### More than a quarter of UK shoppers prepared for wearable contactless payments

Mastercard research shows a growing number of shoppers are prepared to make purchases with smartwatches, rings and bracelets

• ### Cloud DR: Key choices in cloud disaster recovery

Flexibility and low cost make the cloud well-suited to disaster recovery, but there is no one-size-fits-all route to cloud ...

Close