Code for MD4/5 collisions released
Jan Lübbe — Wed, 2005-11-16 17:13
The code needed to create two bitstreams with the same hash is public. It takes about 45 minutes to find a MD5 collision. This does not allow to create a bitstream which maps to a given hash, so md5 is still safe for signing cleartext. However you can make two different documents in PostScript/PDF which have the same hash (more details). Use SHA-256 or SHA-512 (not SHA-1). MD5 collisions could also be used as "watermarks" for mp3 files (players skip invalid data) to track their distribution on p2p networks.