6

If I know

H = md5( SECRET_KEY | DATA )

then I can calculate

H' = md5( SECRET_KEY | DATA | DATA' )

That's a length-extension attack. But is the opposite possible? E.g., if I know

H = md5( SECRET_KEY | DATA )

can I find

H'' = md5( SECRET_KEY )

where DATA is known and the length of DATA is known too?

Basically, can I find md5 of the KEY without DATA (once again, DATA is known, H is known, but SECRET_KEY is unknown)?

CodesInChaos

1 Answer

3

The short answer is: No, there is no known practical attack in the setup given.

But we do not have an argument/proof that there is not one, and we should be less confident in that than we are in HMAC-MD5, for which we have such an argument.

fgrieu