Are MD5 and SHA-1 really «broken»?

«MD5 is broken, don't use it.» The line has been circulating for twenty years and, like every simplification, it is true enough to be dangerous. MD5 is broken with respect to one specific attack, and remains perfectly fit for another use — the very use digital forensics makes of it. The difference lies in two words almost nobody separates.

Collision and preimage are not the same thing

A collision attack asks: «find me two different files with the same digest». The attacker builds both. They are designed together, from scratch, with the padding regions needed to make the arithmetic work out.

A preimage attack asks for far more: «here is a digest; find me a file that produces it». Here the digest is given — it is the exhibit's — and the attacker has no freedom over it.

In the variant that matters to forensics — the second preimage — the question becomes: «here is this file; find me another, different one, with the same digest». That is the question asked by anyone who would like to swap an exhibit that has already been acquired and recorded.

COLLISION — achieved on MD5 and SHA-1 file A (crafted) file B (crafted) same digest the attacker controls both files SECOND PREIMAGE — never achieved existing exhibit digest is fixed the attacker controls nothing: he must chase Why the distinction decides everything Forging an already-acquired exhibit requires a second preimage, not a collision. On MD5 and SHA-1, nobody today knows how to produce one.
Breaking collision resistance does not imply the ability to break second-preimage resistance. They are distinct barriers.

What actually happened

MD5 (1992, 128-bit digest) fell in 2004: a Chinese research group led by Xiaoyun Wang showed how to build colliding message pairs in hours. Over the following years the cost dropped to seconds, and in 2008 a team forged a rogue SSL certificate by exploiting that weakness. In 2012 the Flame malware used an MD5 collision to get itself signed by Microsoft.

SHA-1 (1995, 160-bit digest) held out longer. Theoretical attacks arrived in 2005; the practical demonstration came in 2017, when Google and CWI Amsterdam published SHAttered: two different PDFs, visibly different, with the same SHA-1 digest. In 2020 the attack was extended to the «chosen-prefix» case, making it usable against PGP.

Note the constant: in every case the attacker crafted both documents. In thirty years of cryptanalysis, nobody has ever taken an existing file and manufactured a second one with the same MD5.

199219952004 20122017today MD5 practical collision (Wang) Flame signs a Microsoft driver SHA-1 SHAttered SHA-256 no known collision
The dashed lines mark the fall of collision resistance. The preimage resistance of MD5 and SHA-1 has never been broken.

Why Probatio still computes MD5 and SHA-1

Because they are needed, and needed in scenarios where they are not weak at all.

  • E01 forensic images store the acquisition hashes inside themselves, in MD5 and SHA-1. Probatio recomputes the logical stream and compares against them: without MD5 you could not verify an image acquired in 2011.
  • Hash sets and catalogues — lists of known-file hashes — are largely historical, and their key is often MD5. Refusing to compute it means being unable to query them.
  • Prior records: an exhibit seized ten years ago has an MD5 in its report. Confirming it today is a legitimate and informative operation.

In all three cases the question is: is this file still what it was? Answering it requires second-preimage resistance — which MD5, as far as anyone knows, still has. It does not require collision resistance, which MD5 has lost.

When MD5 really is dangerous

There is one case where the weakness bites, and it must be stated plainly: when the adversary got to choose the file.

If someone hands you a document of their own accord and you record its MD5, that someone may have prepared a colliding pair: the harmless document they show you, and the incriminating one to produce later, with the same MD5. They have broken nothing about your work — they simply crafted both files before you ever saw them.

Working rule: if the file comes from a source with an interest in the outcome, and that source could have manufactured it, MD5 and SHA-1 alone are not enough. If you acquired the file yourself, or it comes from a seized device, collision risk is irrelevant.

The defence is not choosing — it is adding

Nobody knows how to build a pair of files that collide simultaneously under MD5 and under SHA-256. The two functions have different internal structures, and the differential collision techniques that felled MD5 do not carry over.

That is why Probatio computes several digests in a single read of the file, and why the right term is battery of hashes: not one well-chosen algorithm, but several independent ones that must all fall together for the evidence to fall.

Working rules

  1. SHA-256 is the bare minimum for any new acquisition. It is the de facto standard and remains intact.
  2. Add MD5 or SHA-1 for compatibility, not as the primary guarantee. They exist to talk to the past.
  3. Never use MD5 alone on a file supplied by the opposing party.
  4. Never write «MD5 is insecure» in a report without saying with respect to what. A prepared expert dismantles that sentence in thirty seconds, and your credibility with it.
  5. CRC32 and XXH3 are a different matter entirely: they are not cryptographic hashes and resist no adversary. They catch transmission errors.

The point is not which algorithm is fashionable. It is knowing which barrier you are asking mathematics to hold, and checking that the barrier is still standing.